
What to Do When Your Data Is Leaked in a Breach: Step-by-Step

March 27, 2026 · Updated March 28, 2026 · Anuranjan Vikas · 10 min read

If your data was leaked in a breach, act fast: change passwords on the breached service and everywhere you reused them, enable two-factor authentication, check your bank accounts for unauthorized transactions, and freeze your credit if national IDs (Aadhaar, SSN) were exposed. Use a breach scanner like Kaval to see exactly which breaches your email appeared in.

You find out a company you use got breached. Maybe you got an email. Maybe you saw it in the news. Maybe you ran a check and your email popped up in a leak you’d never heard of.

That sinking feeling is normal. But here’s what matters: breaches happen to practically everyone at this point, and the outcome depends almost entirely on what you do next. A fast, thorough response in the first day or two can be the difference between “annoying but fine” and months of dealing with compromised accounts or identity theft.

Here’s exactly what to do, what to prioritize, and how to set things up so the next breach doesn’t hit as hard.

How to Find Out If Your Data Was Leaked

Most people find out way too late — through unauthorized charges, a notification email months after the fact, or their credentials showing up for sale somewhere. You don’t want to be in reactive mode. Check proactively.

Kaval Breach Scanner

The quickest way to check is the Kaval breach scanner at kaval.chat. Enter your email and it checks against an extensive database of known breaches and stealer logs. Within seconds you’ll see:

  • Which breaches your data appeared in
  • When each breach happened
  • What data types were exposed (email, password, phone, address, financial info, etc.)
  • How severe each exposure is

You can also send your email to the Kaval WhatsApp bot at +91 7200218310 and get your breach report right in WhatsApp. For the full walkthrough, see our email breach checking guide.

Have I Been Pwned (HIBP)

Have I Been Pwned is a well-known breach notification service by security researcher Troy Hunt. Enter your email and see which breaches it appeared in. It covers a large number of publicly disclosed breaches and offers email alerts for future exposures.

Pros: Big database, free, email notifications for new breaches.

Cons: Only publicly disclosed breaches — doesn’t include stealer logs or private dumps that circulate in underground forums. Less detail on severity and data categorization compared to Kaval.

Credit Monitoring

In India, CIBIL lets you monitor your credit report for unauthorized inquiries or accounts opened in your name. In the US, the three major bureaus (Equifax, Experian, TransUnion) provide free annual reports through annualcreditreport.com.

Credit monitoring won’t detect the breach itself, but it catches downstream effects — like someone taking out a loan with your leaked identity documents.

Company Notification Emails

Companies that get breached are often legally required to tell affected users. These emails usually arrive weeks or months later and explain what was exposed. Don’t ignore them. But also be careful — scammers send fake breach notification emails with phishing links. Verify the sender and go directly to the company’s website instead of clicking anything in the email.

Immediate Steps After a Breach

You’ve confirmed your data was exposed. Here’s what to do, in order.

1. Change Your Passwords

Start with the breached service. Then change passwords for any other account where you used the same password (or something close to it). Yes, it’s tedious. But password reuse is what turns one breach into a cascade — a single leaked password can unlock dozens of accounts if you’ve recycled it.

Do it properly:

  • Use a password manager to generate unique passwords (more on this below)
  • At least 16 characters each
  • Don’t reuse passwords across services
  • Priority order: breached service, then email, then banking, then social media

If you can’t log into the breached service because the attacker changed your password, use account recovery immediately. If your recovery email was also compromised, contact support directly.

2. Enable Two-Factor Authentication (2FA)

Turn on 2FA for every account that supports it — especially email, banking, social media, and cloud storage. Even if someone has your password, 2FA stops them without the second factor.

Options, from strongest to weakest:

  1. Hardware security key (YubiKey, Google Titan) — phishing-resistant, strongest option
  2. Authenticator app (Google Authenticator, Authy, Microsoft Authenticator) — time-based codes on your phone
  3. SMS OTP — better than nothing, but vulnerable to SIM-swap attacks

For your most critical accounts (email and banking), avoid SMS-based 2FA if you have the option to use an authenticator app or hardware key.

3. Check Your Financial Accounts

Log into your banking apps, UPI accounts, credit cards, and investment platforms. Look for:

  • Transactions you don’t recognize — even tiny ones (scammers test with small amounts before going big)
  • New payees or beneficiaries you didn’t add
  • Changes to your registered email or phone number
  • Pending loan applications or credit inquiries you didn’t initiate

Anything suspicious? Call your bank immediately. Most have dedicated fraud helplines. In India, the cybercrime helpline 1930 can help freeze fraudulent transactions if you report quickly.

4. Freeze Your Credit (If Sensitive IDs Were Leaked)

If the breach exposed Aadhaar, PAN, SSN, or passport details, take extra steps.

In India:

  • Contact CIBIL to place a fraud alert
  • File a report with the National Cyber Crime Portal
  • Lock your Aadhaar biometrics through the mAadhaar app or the UIDAI website

In the US:

  • Place a free credit freeze with Equifax, Experian, and TransUnion
  • This stops anyone from opening new credit accounts in your name
  • You can temporarily lift it when you actually need to apply for credit

5. Revoke Suspicious Sessions and App Permissions

Go to security settings on your major accounts and:

  • Revoke active sessions on devices you don’t recognize
  • Remove third-party app permissions you don’t use anymore
  • Check for unfamiliar email forwarding rules — attackers set up silent forwarding so they can see your emails even after you change your password

That last one is sneaky and people miss it constantly. If an attacker has your email forwarding to them, they can intercept password reset emails for your other accounts. Check your email forwarding settings right now.
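One way to run the forwarding-rule check above on a Gmail account, as an added example that is not part of the original article. It assumes a Gmail filter export (Settings > Filters > Export; the article names no mail provider) and flags filters that forward to addresses you don't own or that quietly archive or delete security mail. The sample export, addresses, and keyword list are constructed.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export (not real data): three filters, two of them risky.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password OR reset OR verify'/>
    <apps:property name='forwardTo' value='inbox9921@mail.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='subject' value='security alert'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

# Actions that keep a message out of sight, and words typical of account-security mail.
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
SENSITIVE_WORDS = ("password", "reset", "verify", "security", "otp", "login")


def audit_filters(xml_text, my_addresses):
    """Return a list of (filter_number, reason) for filters worth reviewing."""
    mine = {a.lower() for a in my_addresses}
    findings = []
    for n, entry in enumerate(ET.fromstring(xml_text).iter(ATOM + "entry"), 1):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        # Check 1: mail is copied to an address the owner does not recognize.
        target = props.get("forwardTo", "").lower()
        if target and target not in mine:
            findings.append((n, f"forwards mail to unrecognized address {target}"))
        # Check 2: security-related mail is hidden from the inbox.
        criteria = " ".join(props.get(k, "") for k in ("from", "subject", "hasTheWord")).lower()
        hidden = [a for a in HIDE_ACTIONS if props.get(a) == "true"]
        if hidden and any(w in criteria for w in SENSITIVE_WORDS):
            findings.append((n, f"hides security-related mail ({', '.join(hidden)})"))
    return findings


if __name__ == "__main__":
    for number, reason in audit_filters(SAMPLE_EXPORT, ["me@personal.example"]):
        print(f"filter {number}: {reason}")
```

Account-level forwarding (Gmail's Forwarding and POP/IMAP settings tab) is not included in the filter export, so check that page by hand as well.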

What Types of Leaked Data Actually Matter

Not all breaches are the same. What was exposed changes how urgently you need to act.

Passwords — Critical

A leaked password gives direct access to the breached account and (thanks to reuse) potentially many others. If it was stored in plaintext or with weak hashing like MD5, attackers can use it immediately. Even strongly hashed passwords get cracked eventually.

Action: Change it on the breached service and everywhere you reused it. Start using a password manager.

Email Addresses — High Risk

Your email is the recovery key for almost every account you own. A leaked email doesn’t give direct access, but it makes you a prime phishing target. Attackers will send convincing emails using breach context — “We noticed suspicious activity on your account…” — because they know you were in the breach.

Action: Enable 2FA on your email. Be extra skeptical of emails in the weeks after a breach. Navigate directly to websites instead of clicking links.

Phone Numbers — High Risk

Used for SMS 2FA, account recovery, and identity verification. Leaked numbers open you up to SIM-swap attacks, targeted SMS phishing, and WhatsApp scams. See our guide on spotting WhatsApp scams for more.

Action: Set a PIN with your mobile carrier to prevent SIM swaps. Switch from SMS 2FA to authenticator apps where possible.

Aadhaar / SSN / National IDs — Critical

These can’t be changed like a password. Leaked national IDs enable identity theft — opening bank accounts, applying for loans, filing fake tax returns in your name. A leaked Aadhaar number combined with other personal data makes eKYC fraud possible.

Action: Lock Aadhaar biometrics. Place fraud alerts with CIBIL. Monitor credit monthly for at least a year. File a police report if you suspect misuse.

Credit Card Numbers — Critical (Short-Term)

Can be used for unauthorized purchases immediately. But credit cards actually have the best fraud protection of any data type — you can dispute charges and get a replacement card relatively easily.

Action: Call your card issuer to block and replace the card. Review recent statements and dispute unauthorized charges. High urgency but straightforward resolution.

Physical Addresses and Dates of Birth — Moderate

Used for identity verification questions at many institutions. An attacker with your address, DOB, and email can sometimes pass basic verification over the phone. This data also makes phishing attacks more convincing.

Action: Be aware that someone might try to impersonate you using these details. Treat unsolicited calls that reference your personal info with suspicion — knowing your address doesn’t make a caller legitimate.

Long-Term Protection

Cleaning up after a breach is necessary but it’s not enough. These changes prevent the next breach from doing the same damage.

Get a Password Manager

A password manager generates, stores, and auto-fills unique strong passwords for every account. This kills password reuse, which is the thing that turns one breach into twenty compromised accounts.

Good options:

  • Bitwarden — Open source, free tier, works everywhere
  • 1Password — Polished experience, family sharing, built-in breach monitoring
  • Apple/Google built-in — Fine if you’re fully in one ecosystem

Honestly, which one you pick matters less than actually using one. Any password manager is dramatically better than reusing passwords or storing them in a notes app.

Enable 2FA on Everything

After a breach, go through your accounts systematically. Priority order:

  1. Email — the master key to your digital life
  2. Banking and financial services — direct money risk
  3. Social media — used for impersonation
  4. Cloud storage — might contain sensitive documents
  5. Shopping and subscriptions — stored payment methods

Set Up Breach Monitoring

Instead of manually checking every few months, Kaval can monitor for new breach exposure. During Early Access, signed-in web users get monitoring features for free while the product is tested and improved. It continuously scans new breach databases and stealer logs for your email, and alerts you when something new shows up. That turns breach response from a panic into a notification.

Set it up at kaval.chat.

Shrink Your Digital Footprint

Every account is a potential breach surface. Reduce exposure:

  • Delete accounts you don’t use anymore (JustDeleteMe helps find deletion links)
  • Use email aliases for throwaway signups (Apple’s Hide My Email, SimpleLogin)
  • Minimize personal info on social media profiles
  • Opt out of data broker sites that collect and sell your information

Keep Software Updated

Plenty of breaches exploit known vulnerabilities in outdated software. Keep your OS, browser, and apps current. Enable automatic updates on your phone, computer, and router.

How to Tell If Someone Is Using Your Leaked Data

Sometimes the signs are subtle. Watch for these in the weeks and months after a breach.

Account compromise:

  • Password reset emails you didn’t request
  • Login notifications from places you’ve never been
  • 2FA codes arriving when you didn’t try to log in
  • Friends getting messages from your accounts that you didn’t send

Identity theft:

  • Letters about accounts or credit cards you didn’t open
  • Calls from debt collectors about debts you know nothing about
  • Unexpected credit score changes
  • Tax filing rejected because “you already filed”

Financial fraud:

  • Small test transactions on your cards
  • New payees in your banking app
  • Subscription charges for services you never signed up for
  • UPI collect requests from unknown merchants

If you spot any of this, go back to the immediate response steps. Change passwords, enable 2FA, call your bank, file reports. Run another scan with Kaval to check if more accounts have been hit since you last looked.

FAQ

How long after a breach should I be worried?

Longer than you’d think. Attackers don’t always use stolen data right away. Breach databases get bought, sold, and combined over time — your data from a 2024 breach might get merged with a 2026 breach to build a fuller profile. The first 48 hours are most critical for securing accounts, but keep monitoring for at least 12 months. Identity theft from leaked national IDs can surface years later.

Can deleted accounts still show up in breaches?

Yes. Deleting your account removes your access, but the company may keep your data in backups or archives. If those get breached, your old info is exposed. This happens more often than you’d expect. It’s another reason to use unique passwords everywhere — a leaked password from a “deleted” account can still compromise active accounts where you reused it.

What’s a stealer log and why is it worse than a normal breach?

A stealer log comes from malware installed on someone’s actual computer. Unlike a normal breach (where hackers hit a company’s servers), infostealers capture data directly from a victim’s machine — saved browser passwords, session cookies, autofill data, crypto wallets, screenshots. Everything.

They’re worse because the passwords are plaintext (usable immediately), the session cookies can bypass 2FA entirely, and they grab every password saved in your browser at once. If Kaval’s scanner flags you in a stealer log, treat it seriously: change all passwords stored in your browser, invalidate sessions on important accounts, and run a malware scan. You might want to switch from browser password storage to a dedicated password manager. More in our email breach guide.


Breaches aren’t going to stop. As long as companies store your data, some of it will eventually get exposed. Your protection isn’t hoping it won’t happen — it’s being set up so that when it does, the damage is minimal.

Check if your data has been leaked right now. Visit kaval.chat and run a breach scan with your email. Or send your email to the Kaval WhatsApp bot at +91 7200218310 for an instant report. Early Access includes monitoring features so you know the moment your data surfaces in a new breach — before anyone has time to use it.
