Tips & Tricks

Password Hacked?

A 10 step guide to getting back on track.

Safety First

Finding out that your email address and password have been published online can be scary and confusing, and often people are in the dark about what they should do next.

Don’t panic! We’re here to give you some useful information and help you beef up your security.

We recommend that you speak with your IT expert for comprehensive assistance, but we’ve put together a ten step guide to get you started.

Before we get started, here are some common questions you might have:

It says my password may have been compromised. How did this happen?
Hackers work hard to hack into websites and steal their data. They often post this information online for “lulz” or notoriety. We collect the data hackers release to the public. In this case, one of the websites that you’ve created an account on, has probably been compromised, and your email address and one of your passwords have been published online.
Does this mean my email account has been compromised?
Not necessarily. This means that an account that you created online (using this email address) has been compromised. If you used a unique password for this account, then your other accounts should not be affected. If you re-use the same password across all of your accounts, you need to change them all.
Which website was hacked?
We can’t tell you which breach your email address was compromised in, however you can cross-reference the date against our Sources Page which should give you a rough idea.
Can you tell me which of my passwords was compromised?
Unfortunately not. No passwords are stored in our database.

Okay, let’s get started!

Step 1.

Change your password for the email address that was red-flagged

If your email address is flagged by BreachAlarm, it will tell you the number of times we’ve come across this email address and password online, and the date that we last saw it.

Compromised screenshot

If the date was recent, you should immediately change the password for that email address. If it wasn’t recent, there’s less of a need for urgency, but you should still change your password anyway.

If you’re not sure how to change your password, here are some links for some major email vendors:

Can’t access your emails?
Firstly, double and triple check the email and password that you are entering. If you still can’t access it, you need to reset your password by following the instructions set out by your email provider. Usually this requires you to answer a security question, have an email sent to a pre-determined alternative email address, or log in from a pre-determined safe computer.

Step 2.

Find out which breach you were compromised in

The information that we provide is deliberately limited for privacy reasons, and we while we won’t tell you exactly which breach you were compromised in, you can cross reference the date (from the BreachAlarm alert) with our Sources Page, which should narrow down the possible websites.

In the example above, I checked the email address test@test.com, comparing the date to the sources page, we can see that the latest time it was included in a breach was either; The Himalayan Times, Yale University, or an Unknown website.

Sources screenshot

Knowing which website breached your details can be helpful in determining which password was compromised, and reducing the number of passwords you need to change.

The source will say “Unknown” if we were unable to determine the website that the email addresses and passwords came from. This happens occasionally as hackers don’t always like to tell us all the details of their activities.

If you’re still not sure which website compromised your details, or if the source said “Unknown”, that’s okay, but you should err on the side of caution and change all of your passwords.

Step 3.

Change the password on your other accounts

It’s a common (and terrible) habit for many people to use the same password across all of their accounts, and this is where it can come back to haunt you. If you do this, and your password has been compromised, then all of your online accounts are potentially compromised. This is especially dangerous if you are using the same password to access your online bank account.

If you re-use your passwords on multiple websites, you need to change them all immediately (to unique passwords!).

Using unique passwords for each of your online accounts is annoying but necessary. If you have trouble remembering them all, you should use a password manager like LastPass, Sticky Password, or 1Password. Using these services, all you need to remember is one single password. The service will then create and store long, secure passwords for all your individual websites. Plus these services save you time by you not having to type them out every time!

Step 4.

Assess the damage

Once you’re happy that your accounts have new passwords and you’re the only person with access to them, you should check to see whether there is any evidence of anyone accessing your accounts.

Here are some things you should do:

Think like a hacker

What information do you have in your emails that could be of any value? Some hackers are after money, some are after information, others are after those raunchy photos that you sent to your boyfriend.

Look carefully for emails which have been opened, but you know that you haven’t read

Discreet hackers will probably mark these as unread after they have opened them, but opportunistic hackers may be careless or in a hurry. If there are messages which have been opened by someone else, it is a clear sign that someone else has been in your email account.

Check your Sent Items folder to see whether your email address has been used to send out spam

If this is empty (and you know that you’ve sent emails recently) it could be a sign that your account has been used to spam all of your contacts. If it has, you will probably hear about it from someone who has received an email from you, but if you’re unsure, ask some friends or family who are in your email Contacts.

If you realise that you have been spamming people, send a quick apology message telling people not to open links in any emails they’ve received from you (they probably contain or link to viruses).

Check whether any of your emails are being automatically forwarded to another email address

Occasionally hackers will change your settings so that they automatically receive a copy of all future emails you receive. This happens in the background and won’t be disabled even if you change your passwords. You won’t even realise this is happening unless you check the settings in your email account.

Check your Deleted Emails folder for any suspicious emails

Once hackers have access to your email account, they are often able to access many other services you use by resetting your passwords. Most websites send you an email to reset your password, so check to see if you can see any of these emails. If you can, immediately reset these passwords again and reclaim control of your accounts.

Keep an eye out for any unusual purchases on your credit cards

This is good practice anyway, but it’s worth checking and keeping an eye on your credit cards. Report any unauthorised transactions to your bank immediately.


You might not find any of these things, and it may be that your email account has not been accessed, but it’s better to be safe than sorry.

Step 5.

Run an anti-virus scan over your computer

Run a scan on your computer for any viruses or malware. While an infection is probably not a direct consequence of your email address and password being released by hackers, if your computer contains spyware, such as key loggers, you may be vulnerable to further attacks.

We recommend purchasing and installing a comprehensive anti-virus company such as AVG Internet Security and scanning your computer occasionally with a separate program like Malwarebytes.

If you find that your computer is infected, we recommend that you change your passwords again (after removing the infection).

Step 6.

Review the way you create passwords

Creating unique, strong passwords for each of your accounts can be painful and difficult to remember, but it is necessary to protect your sensitive personal information. Using long, secure passwords makes it harder for hackers to crack, and can save you time and effort in the long run.

Recent studies have shown that most people are horribly, terribly, awfully bad at creating secure passwords (and that’s being generous). Often this comes down to laziness. We know that we should use better passwords, but it takes too much time and effort, so we don’t do it. We’ve all done this at some point, but it’s time to put a stop to it.

Good passwords don’t have to be complicated and impossible to remember, and if you want to learn more, check out our page on Creating (and remembering) Great Passwords!.

Step 7.

Brush up on your security skills

We all know about the dangers that hackers pose; however, sometimes it can be difficult to tell a hacker from a reliable credible company. ‘Phishing emails’, emails designed to make you provide sensitive information, have become commonplace, and can sometimes seem alarmingly real. It is always best to err on the side of caution and if possible, contact the company emailing you via phone (Google the company to find the phone number, don’t use the one in the email).

Don’t give out your passwords to anyone! If you receive a phone call from ‘Microsoft’ saying that they’ve detected a problem with your computer, it’s probably a scam. Tell them that you will call them back (Google the company to find the phone number, don’t use one they give you). If it is a legitimate company, they will have no problem with this.

Google has put together a video with 5 tips for staying safe on the web, which is well worth watching.

After brushing up on your security skills, you should re-evaluate your current passwords. If you know that you should really change some of yours, go do it. You could end up kicking yourself later if you don’t.

It also good practice to change your passwords every couple of months, so it may be time for a change anyway.

Step 8.

Consider your Emergency Access to your online accounts

Using your password is not the only way that hackers can access your accounts. Many websites will have a ‘Forgot Your Password’ process like answering a Security Question to help you gain access to your account. While these are intended to assist you in the event that you can’t access your account, they can also be used by anyone to try to gain backdoor access to your account.

As a consequence of social media and increased integration of the internet into our daily lives, lots of our personal information is available online. In many cases, this can make discovering the answer to these questions much easier than ever before, and therefore your accounts less secure.

For example, some services will only let you choose your security question from a small set of question, e.g. Mother’s maiden name, Father’s middle name, Favourite Pet, Place you were born. Etc.

The answers to these questions will be known to many people close to you, and therefore provide weak security for your personal information.

We recommend investigating what Security Questions you currently have set, and changing them to something more obscure if they are too easy.

Most email providers now also offer other ways to access your account if you forget your password, including SMS, alternative email addresses, and ‘Trusted PCs’. Choose which is most appropriate for you and think carefully about who else might be able to gain access to your accounts this way. Remember that if you don’t take the proper precautionary steps now, you might not be able to access your account if you get hacked.

Step 9.

Sign up for a BreachAlarm Email Watchdog account (if you haven’t already)

BreachAlarm’s Email Watchdog service allows you track all of your email addresses. This means that if we discover that your email address has been released by hackers in future breaches, we’ll immediately notify you so that you can change your passwords before your accounts are compromised.

We also provide domain-level monitoring with Business Watchdog, so that you can keep an eye out for all emails ending in ‘@yourcompany.com’. This is a great way to help protect your business from security breaches. Is anyone putting your workplace security at risk?

Step 10.

Help your family and friends stay safe online

Okay, now that you’ve recovered your email account, changed your passwords, and learned about password security, it’s time to help out your family and friends.

Make sure they check their email addresses at breachalarm.com and sign up for an Email Watchdog account to help protect them from future breaches.

Feel free to follow us on Twitter or Facebook to keep up to date with the latest news, features, and any new security breaches.