Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Do I Need a New Email Address if Mine’s Involved in a Breach?


My email address was in one of breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?

There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.

There are steps you should take, but that’s not one of them.

If you can’t log in to your email account any more, though, you may have no other choice.

Become a Patron of Ask Leo! and go ad-free!

  • If you can log in to your email account, you don’t need a new email address.
  • If you can’t log in, and you can’t recover access, then you do.
  • Specific breach-related steps depend on what’s known about the breach.
  • Strong vigilance and security for all accounts are the best ways to prevent problems.

If you can’t log in

Hacker hackingIf you can’t log in to your email account and you’ve pursued all the approaches to recover access … well, it’s not your account any more. Email Hacked? 7 Things You Need to Do NOW covers the basics of what you need to do and the steps you need to take.

Whether or not it’s related to any reported breach doesn’t matter. Regardless of how it happened, you’ve lost access to your account.

When that happens, you really have no other option; you’ll need to get a new account and let your contacts know you have a new email address.

If you know the breached service

If you learn that your email address is part of a breach, and you know which service was breached, the most important step to take is simple.

Change your password.

Change your password at that breached service as soon as you can. Change it to a long and strong password you don’t use anywhere else.

It’s the bare minimum you need to do, and in many cases, it’s really all you need to do — but you don’t need a new email account because of it.

If you don’t know the breached service

This is a more difficult scenario: you learn your email address was discovered in a data breach, but there’s no indication of exactly which online service(s) were breached.

When this happens, I do two things:

  1. I change my email password, just in case it was my email provider that was breached. This is probably unnecessary and exceptionally rare, but I’d rather be safe.
  2. I start watching for odd behavior on all other accounts that email address is associated with, either as login ID or as primary/alternate email.

That last point is frustratingly vague, but it’s the best we can do.

And, honestly, it’s what we should be doing whether our email addresses show up in breaches or not.

Additional security

I generally don’t panic when news of yet-another-breach appears, because I apply strong security to all my accounts. That means:

  • Strong passwords, which significantly reduce the probability they could be cracked in a breach.
  • Different passwords everywhere, so that when one breach happens it can only impact the account that’s been breached.
  • Two-factor authentication, so that even if my password is discovered, any attempts by others to use it will fail.

I strongly recommend you do the same, starting with your email account.

But there’s no need to get a new email address because of a breach.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio


Video Narration

10 comments on “Do I Need a New Email Address if Mine’s Involved in a Breach?”

  1. Saw this online one of the latest scams to bypass two-factor authentication is

    “Somebody called me with this phone number {phone number removed} telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as {removed}.
    He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.”

  2. Somewhere — for the life of me, I cannot find the place where, (or I’d post this there instead of here), you said, “Breach and breach, what is breach?”

    To which I, of course, reply in due form: “You are not morg, you are not eyemorg!” :) :) :)

  3. Part of the problem here is that so many sites want you to use an e-mail address as the userid for their site.

    Ideally you should have a different userid for every site just as you should have a unique password for that site.
    That reduces the apparent commonality of your identity across sites.
    Keeping track of the different userids becomes a task for your password manager.

    A site needing a way to contact you (even if it is to reset access credentials) should verify your contact details (e-mail, phone no…) and then store them securely (encrypted) to reduce the risk of the e-mail address being publicly available as a result of a hacking operation.

    Some people I know use a different e-mail address for very sensitive sites (generally financial) from the address used fir day-to-day usage.
    While this is “security by obscurity” it does reduce your attack surface presented to a hacker.

    • Using a unique user-ID offers an insignificant security advantage. A long strong password is the best protection for your account. Even adding one character to a password is hundreds of times better than using unique user-IDs.

  4. I use a different email address for each online account. They are provided to me by an alias and remailing service. My main one is Anonaddy now, but I have used 33 Mail and Spamex in the past (don’t use Spamex anymore : it’s obsolete and unsafe).

    The huge advantage is it kills spams in its tracks. Preventing spam is a security measure of sorts, since spam is a huge annoyance to begin with. But it may also bring malware, scam attempts, phishing attempts, ransomware…

    Once one has made a habit of using unique and strong passwords, I would advise to start practising unique email aliases. The added peace of mind is invaluable. Not to mention that Anonaddy and 33 Mail have very generous free plans. Simple Login can be considered if one is ready to pay.

    It’s not, however, a means of adding security in the sense of preventing hackers from knowing your user name. This would be rather futile. Even unique email addresses are meant to be public.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.