TL;DR - You got an email saying your details were in a data breach, or Have I Been Pwned flagged your address. Don't panic, and don't ignore it either. The breach already happened, often months ago, so what matters now is damage control. Do four things: change the password for that account and anywhere you reused it, turn on two-factor authentication, check exactly what leaked, and if ID or financial details were exposed, lock those down. Three of the four take under five minutes. What you need to do: start with the password, because reused passwords are how one breach becomes five.
I got the email a few weeks ago. "We're writing to inform you of a security incident that may have affected your personal information." Then three paragraphs of careful, lawyer-shaped language that told me almost nothing, ending with the line every one of these emails ends with: "We recommend you remain vigilant."
Remain vigilant. What does that even mean? Vigilant how? Against what? It's the security equivalent of a doctor telling you to "be careful out there" and hanging up.
Here's the thing most breach notifications won't tell you, because they're written to limit the company's liability, not to actually help you: by the time you read that email, the breach is old news. The data was taken weeks or months ago. It's already been copied, sold, and bundled into lists that other criminals buy. You can't undo that. What you can do, in the next 24 hours, is make sure the stolen information is worth as little as possible.
I've worked in security for 15 years, and I've boiled the real response down to four actions. Let me walk you through them, in order, because the order matters.
First, Understand What's Actually at Risk
A data breach isn't one thing. What you do depends entirely on what leaked, so it helps to know the three rough tiers.
Just your email address (and maybe your name). Annoying, low danger. The main fallout is more spam and more targeted phishing, because now a scammer knows you had an account with that company and can pretend to be them.
Your email and a password. This is the dangerous one, and it's dangerous for a reason most people miss. The risk usually isn't the hacked account itself. It's every other account where you used the same password. Criminals take leaked email-and-password pairs and feed them into automated tools that try them against hundreds of other sites. It's called credential stuffing, and it's why one breach at a company you barely remember can end with someone in your email or your shopping accounts.
Your identity documents or financial details. Licence number, passport, Medicare, bank or card details. This is the serious tier, and it's the one that needs more than five minutes. We'll get there in step four.
Now, the four actions.
1. Change the Password - There and Everywhere You Reused It
If a password was involved, this is the single most important thing you do today.
Change it on the breached account. Then, and this is the part people skip, change it anywhere else you used the same password or a close variation. If your old password was Sunshine2019! and your "secure" version of it was Sunshine2020!, treat both as burned.
This is the moment a password manager earns its keep. If you've got one, you can see in seconds which accounts share a password and fix them one by one. If you don't, start with the accounts that matter most: your email first (because it's the master key that can reset everything else), then banking, then anything with your card saved.
Make the new passwords long, unique, and different on every site. You don't need to remember them. That's the manager's job. (If you've never set one up, I compared the good ones in this guide.)
Time: under 5 minutes with a password manager, a bit longer without.
2. Turn On Two-Factor Authentication
Two-factor authentication (2FA) means that even if a criminal has your password, they still can't get in without a second code, usually from an app on your phone.
This is the thing that defeats credential stuffing outright. They can have the right password and still hit a wall. Turn it on for the breached account if it offers it, and far more importantly, turn it on for your email and your bank right now if you haven't.
Use an authenticator app rather than text-message codes where you can. Text messages can be intercepted or stolen through SIM-swap scams. An app code can't. Australian banks have caught up here, and I walked through turning it on with the major ones in this post.
Time: under 5 minutes per account.
3. Check Exactly What Leaked
You don't have to take the company's vague email at its word. Go to Have I Been Pwned, type in your email address, and it will show you which breaches you've appeared in and, crucially, what kind of data each one exposed. It's run by a respected Australian security researcher and it's free.
While you're there, turn on its notification feature so it emails you automatically the next time your address shows up somewhere new. It's the closest thing to an early-warning system you'll get.
If the breach only exposed your email, you can mostly relax after steps one and two, but stay alert for the phishing wave (more on that below). If it exposed identity documents or financial details, move to step four.
Time: under 5 minutes.
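As an added illustration (not code from the original post), this is how the password side of Have I Been Pwned, its Pwned Passwords range check, keeps its promise that you hand over nothing new: the password is hashed with SHA-1 on your own machine, only the first five hex characters of the hash are sent, and the comparison against the returned suffixes happens locally. The sample range response, its counts and the two extra suffixes are constructed for offline use (the first suffix is the genuine one for the word "password"); `live_lookup` is the optional real query against HIBP's range endpoint, and every function name here is my own.

```python
import hashlib
from typing import Callable

# Constructed stand-in for HIBP's Pwned Passwords range endpoint
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The real service answers with lines of "<35-char hash suffix>:<count>".
# The first line is the genuine suffix of SHA-1("password"); the other two
# suffixes and all counts are made up for this offline example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E2A0E3E9A5D4B63E3B4A2C6D2B5D3B7C02:2\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
    ),
}

def split_for_k_anonymity(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest: only the prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a suffix -> count table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)

def offline_lookup(prefix: str) -> str:
    """Serve the constructed sample; unknown prefixes yield an empty range."""
    return SAMPLE_RANGES.get(prefix, "")

def live_lookup(prefix: str) -> str:
    """Real query against HIBP; only the 5-char prefix leaves your machine."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def burned_passwords(passwords: list[str], lookup: Callable[[str], str]) -> list[str]:
    """Check an old password and its variants; return the ones seen in breaches."""
    return [p for p in passwords if breach_count(p, lookup) > 0]

if __name__ == "__main__":
    for pw in ["password", "Sunshine2019!"]:
        print(pw, breach_count(pw, offline_lookup))
```

Swap `offline_lookup` for `live_lookup` to check a real password; the prefix-only request is what makes that safe to do.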
4. If ID or Financial Details Leaked, Lock Them Down
This is the one that takes longer than five minutes, and it's the one that actually protects you from identity theft.
If the breach exposed things a criminal can use to impersonate you - licence, passport, Medicare number, bank or card details - do these:
- Call your bank if card or account details were involved. Ask them to watch the account, and if a card number leaked, just cancel it and get a new one. A reissued card is a minor inconvenience. A drained account is not.
- Place a credit ban. This is the big one most Australians don't know about. You can put a free ban on your credit report with all three credit bureaus (Equifax, Experian, and illion), which stops anyone, including a criminal with your details, from opening loans or accounts in your name. It lasts 21 days initially, and you can extend it. The government's Moneysmart site explains how.
- Contact IDCARE. IDCARE is Australia and New Zealand's free, government-funded identity and cyber support service. If your identity documents leaked, call them. They'll build you a specific response plan, including whether you need to replace your licence or passport. This is exactly what they exist for, and it costs you nothing.
Time: an hour or two, but only if you're in this tier. Most people aren't, and that's fine.
The Trap That Catches People After a Breach
There's a fifth thing, and it's less an action than a warning: a breach is almost always followed by a wave of phishing that uses the stolen data to look convincing.
A few days after a breach, you'll often get a message - email, text, or call - that says something like "We've detected unusual activity on your account, click here to secure it." It knows your name. It might know which company was breached. It feels legitimate precisely because it's built on real, stolen details.
It's a scam. The rule that keeps you safe is simple: never act on a link or phone number from a message about a breach. If you think your bank really does need you, open your banking app yourself, or ring the number on the back of your card. Go to the company directly, the way you normally would. Don't let the message steer you.
I wrote more about why scammers already seem to know so much about you here - it's usually breaches like this one feeding the machine.
The Real Fix Is Boring (It Always Is)
Everything above is damage control after the fact. The thing that makes the next breach a shrug instead of a scramble is unglamorous: a different, strong password on every account, stored in a password manager, with 2FA on anything that matters.
Do that, and when the next "we're writing to inform you" email lands - and it will, because breaches are now a fact of online life - the stolen password unlocks exactly one account, and 2FA stops even that. The breach becomes someone else's problem instead of yours.
None of this is exciting. But it works.
Key Takeaways
- Don't panic, do act. The breach already happened. Your job now is to make the stolen data worthless, and you've got more control than the notification email suggests.
- Reused passwords are the real danger. One leaked password is only a problem because of every other account that shares it. Change it everywhere.
- 2FA defeats the main attack. Even with your password, a criminal can't get past a second code. Turn it on for your email and bank first.
- Check what actually leaked. Have I Been Pwned tells you the truth the company's email won't, for free.
- Identity or financial data is the serious tier. Call your bank, place a free credit ban, and contact IDCARE. Most breaches won't need this. Some will.
- Expect the phishing wave. Never act on a link or number from a breach message. Go to the company directly.
Frequently Asked Questions
What should I do first after a data breach notification? Change the password on the breached account, then change it anywhere else you used the same one. Reused passwords are how a single breach spreads to your other accounts, so this matters more than anything else you'll do.
How do I find out what data was actually exposed? Enter your email address at Have I Been Pwned (haveibeenpwned.com). It shows which breaches you're in and what each one leaked, and it's free. The breach notification email is often deliberately vague, so this gives you the real picture.
My email was in a breach but no password. Am I safe? Mostly, after you've turned on 2FA. The main risk with email-only exposure is more spam and more convincing phishing, because scammers now know you used that service. Stay alert for messages pretending to be from the breached company.
What is a credit ban and should I place one? A credit ban (free in Australia, through Equifax, Experian and illion) stops anyone from opening credit in your name, including a criminal with your stolen details. Place one if identity or financial documents were exposed. See Moneysmart for the steps.
Is Have I Been Pwned safe to use? Yes. It's a long-standing, well-respected free service run by Australian security researcher Troy Hunt. It only checks your email against known breaches; you're not handing over anything new.
The breach email has a link to "secure my account." Should I click it? No. Treat any link or phone number in a breach message as suspect. Go to the company directly through their official app or website, or the number on your bank card. Scammers send fake "breach" messages to harvest exactly the details you're worried about.
My Take
The part that genuinely annoys me about data breaches isn't the breach. Breaches are now background radiation. Every big company will eventually lose your data, and pretending otherwise is naive. What annoys me is the response we've all been trained to accept: a carefully worded email that protects the company, tells you almost nothing useful, and signs off with "remain vigilant" as though that's a plan.
It isn't a plan. The four steps above are a plan, and the reassuring thing is how short the list is. You are not powerless when this happens. You've got a clear, ordered set of moves, most of them done before your tea goes cold, and a free national service (IDCARE) standing by for the rare serious cases.
So the next time one of these emails lands, don't feel the little jolt of helplessness it's designed to produce. Feel slightly smug instead. You already know exactly what to do, and it's mostly done in five minutes.
Mathew Clark
Founder, SecureInSeconds
Currently: still slightly annoyed at the phrase "remain vigilant"
Further Reading:
- Have I Been Pwned - check which breaches your email is in, and set up alerts for the next one
- Moneysmart: identity theft and credit bans - the free Australian tool that stops identity theft in its tracks
- IDCARE - free identity and cyber support for Australia and New Zealand
- OAIC: the Notifiable Data Breaches scheme - your rights and what companies must tell you when they're breached
- Our guide to password managers - the tool that contains the damage from the next breach
- Turning on 2FA with Australian banks - step-by-step for the big four
- Why scammers already know your info - where all this leaked data ends up