
My password is in a data breach — what now?

Check via Have I Been Pwned. Change the password on all sites where you reused it. Enable 2FA. Consider a password manager. On high risk: force company notification.

Last reviewed: 25 May 2026
A leaked password by itself is not catastrophic — the dangerous combination is leaked password + reuse. Attackers automatically try your leaked email/password combo on hundreds of sites (credential stuffing). One leaked combo = potential access to your bank, email, social media, shop accounts.

Check first: haveibeenpwned.com is free and trusted (HIBP, run by security expert Troy Hunt). Enter your email → see which breaches contain your email + which data types leaked (password, ID number, phone, etc).

Then do: change the password on every site where you reused it; use a password manager to do this systematically. Enable 2FA (app-based, not SMS). Check for suspicious logins on major accounts (Google account.google.com → Security, Microsoft, Apple, social media).

GDPR right: if your data leaked from a company, they have a notification duty (Art. 33-34). On high risk they must inform you directly. Didn't get a notification despite knowing the breach affected you? Send an access request (€9.99) to find out what data they had, and file an AP complaint about non-notification.

Damages claim: for demonstrable non-material damage (stress, loss of control) you can bring a damages claim under Art. 82 GDPR; amounts in Dutch case law: €250-€5,000.

Step by step

  1. Check on Have I Been Pwned

    haveibeenpwned.com — enter your email. Free. Shows which breaches contain your email + which data types. No registration needed.

  2. List where you reused that password

    Tedious but essential: password manager → "find reuse" — or think back: email, bank, social, old forums. Change on each separately.

  3. Change password on all sites — different per site

    Use a password manager (Bitwarden free, 1Password €3/m, KeePass open-source) to generate unique 20+ character passwords. No need to remember anymore.

  4. Enable 2FA on all important accounts

    App-based (Google Authenticator/Authy/Bitwarden) — NOT SMS (SIM-swapping risk). Hardware key (Yubico) for banks and email = best option.

  5. Check accounts for suspicious activity

    Google: myaccount.google.com → Security → "Devices" + "Recent security events". Microsoft: account.microsoft.com → Security. Facebook: Settings → Security → Where You're Logged In. Close unknown sessions.

  6. GDPR action against the leaking business

    Access request (Art. 15) to the business to find out what data leaked. No notification despite high risk (Art. 34)? AP complaint. On damage: civil damages claim Art. 82 — often via class action by Consumentenbond or Privacy First.
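
Steps 2 and 3 as an added example (not this site's own tooling): a local audit of a password-manager CSV export that lists which entries use the leaked password and which entries share any password. The column names `name`, `username`, `password`, the sample rows and the `audit` function are assumptions made for this sketch; the check for near-variants of the leaked password goes slightly beyond the steps as written.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample export. Column names are an assumption; match your manager's CSV.
SAMPLE_EXPORT = """name,username,password
Webmail,alex@example.com,Summer2019!
Bank,alex@example.com,c0rrect-horse-battery-staple-91
Old forum,alex,Summer2019!
Shop,alex@example.com,summer2019!
Streaming,alex@example.com,Tr0ub4dor&3
Social,alex,Tr0ub4dor&3
"""

def _digest(password):
    # Group by hash so no plaintext password ends up in the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def _stem(password):
    # Lowercase and drop trailing digits/symbols: "Summer2019!" -> "summer".
    return re.sub(r"[\W\d_]+$", "", password.casefold())

def audit(export_text, leaked):
    """Return entry names that are exposed, near-variants, or share a password."""
    by_digest = defaultdict(list)
    variants = []
    for row in csv.DictReader(io.StringIO(export_text)):
        pw = row.get("password") or ""
        if not pw:
            continue
        by_digest[_digest(pw)].append(row["name"])
        if pw != leaked and _stem(pw) and _stem(pw) == _stem(leaked):
            variants.append(row["name"])
    return {
        "exposed": sorted(by_digest.get(_digest(leaked), [])),
        "variants": sorted(variants),
        "reused": sorted(sorted(n) for n in by_digest.values() if len(n) > 1),
    }

if __name__ == "__main__":
    for label, names in audit(SAMPLE_EXPORT, "Summer2019!").items():
        print(label, names)
```

A CSV export holds every password in plaintext, so run this offline and delete the export file afterwards.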
