A useful stopping point: secure your primary email, remove password reuse from high-impact accounts, and save the rest as a checklist. You do not have to fix your entire digital life in one sitting.
What the match does—and does not—prove
A password exposure service compares a fingerprint of the password against fingerprints found in known leaked lists. A match means the password should no longer be considered secret. It does not prove that a particular account was accessed, and a clean result does not prove a password is strong.
Attackers use automated credential stuffing to try known email-and-password combinations across many services. Reuse is what turns one company’s breach into a problem everywhere.
Change accounts in the order that limits damage
Start with your primary email because it can reset other accounts. Continue with banking, payment, work, cloud storage, mobile carrier, and government services. Social and shopping accounts come next, followed by low-value or old accounts.
On each account, use a fresh password generated by a password manager. Check recent sessions and security activity before moving on.
- Replace the exposed password anywhere it is still used.
- Never make a small variation such as adding the current year.
- Revoke unknown sessions and connected applications.
- Update weak or outdated recovery questions.
Find reuse without keeping the old password around
Many password managers can identify reused credentials without showing the password in plain text. If you do not have one, build a category list from apps on your devices and account messages in your inbox. Mark each account as you replace it.
Do not email the password to yourself, place it in a spreadsheet, or type it into unknown “strength checker” sites. Once the known uses are replaced, delete any note containing it.
Prefer sign-in methods that cannot be reused
Passkeys are tied to the service and resist ordinary phishing. When passkeys are unavailable, use a long generated password and an authenticator app. Text-message codes are still better than password-only access, but they depend on the security of your phone account.
Keep recovery codes somewhere separate from the device you use every day, such as a secure password-manager note or a physically protected copy.
Quick answers
Questions people ask next
Is changing one character enough after a password breach?
No. Predictable variations are easy to test. Replace the password with a completely new, unique value generated independently.
Do I need to change a breached password if I no longer use the account?
Delete the old account if possible. More importantly, change every active account that reused the same password or a close variation.
Can I safely check a password online?
Use a service that hashes the password in your browser and sends only a short hash prefix for range matching. Never send the raw password to a checker.