My email address was in one of breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?
There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.
There are steps you should take, but that’s not one of them.
If you can’t log in to your email account any more, though, you may have no other choice.
Become a Patron of Ask Leo! and go ad-free!
- If you can log in to your email account, you don’t need a new email address.
- If you can’t log in, and you can’t recover access, then you do.
- Specific breach-related steps depend on what’s known about the breach.
- Strong vigilance and security for all accounts are the best ways to prevent problems.
If you can’t log in
Whether or not it’s related to any reported breach doesn’t matter. Regardless of how it happened, you’ve lost access to your account.
When that happens, you really have no other option; you’ll need to get a new account and let your contacts know you have a new email address.
If you know the breached service
If you learn that your email address is part of a breach, and you know which service was breached, the most important step to take is simple.
Change your password.
Change your password at that breached service as soon as you can. Change it to a long and strong password you don’t use anywhere else.
It’s the bare minimum you need to do, and in many cases, it’s really all you need to do — but you don’t need a new email account because of it.
If you don’t know the breached service
This is a more difficult scenario: you learn your email address was discovered in a data breach, but there’s no indication of exactly which online service(s) were breached.
When this happens, I do two things:
- I change my email password, just in case it was my email provider that was breached. This is probably unnecessary and exceptionally rare, but I’d rather be safe.
- I start watching for odd behavior on all other accounts that email address is associated with, either as login ID or as primary/alternate email.
That last point is frustratingly vague, but it’s the best we can do.
And, honestly, it’s what we should be doing whether our email addresses show up in breaches or not.
Additional security
I generally don’t panic when news of yet-another-breach appears, because I apply strong security to all my accounts. That means:
- Strong passwords, which significantly reduce the probability they could be cracked in a breach.
- Different passwords everywhere, so that when one breach happens it can only impact the account that’s been breached.
- Two-factor authentication, so that even if my password is discovered, any attempts by others to use it will fail.
I strongly recommend you do the same, starting with your email account.
But there’s no need to get a new email address because of a breach.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Video Narration
Saw this online one of the latest scams to bypass two-factor authentication is
“Somebody called me with this phone number {phone number removed} telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as {removed}.
He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.”
I wouldn’t give him the code. This sounds like a phishing attack to get access to your account. If he had accidentally put in the wrong number, he could just request a new access code. All websites allow you to request a new code.
I’d NEVER give someone a code. My guess is it’s totally a scam trying to get into YOUR account.
I believe keychain can report reused passwords in OS X. Can windows do same?
Thanks guys.
Windows doesn’t have its own keychain. Various password vaults from third parties will report on it though.
Somewhere — for the life of me, I cannot find the place where, (or I’d post this there instead of here), you said, “Breach and breach, what is breach?”
To which I, of course, reply in due form: “You are not morg, you are not eyemorg!” :) :) :)
Was in this week’s newsletter: https://newsletter.askleo.com/ask-leo-747-do-i-need-a-new-email-address-if-mines-involved-in-a-breach/
Part of the problem here is that so many sites want you to use an e-mail address as the userid for their site.
Ideally you should have a different userid for every site just as you should have a unique password for that site.
That reduces the apparent commonality of your identity across sites.
Keeping track of the different userids becomes a task for your password manager.
A site needing a way to contact you (even if it is to reset access credentials) should verify your contact details (e-mail, phone no…) and then store them securely (encrypted) to reduce the risk of the e-mail address being publicly available as a result of a hacking operation.
Some people I know use a different e-mail address for very sensitive sites (generally financial) from the address used fir day-to-day usage.
While this is “security by obscurity” it does reduce your attack surface presented to a hacker.
Using a unique user-ID offers an insignificant security advantage. A long strong password is the best protection for your account. Even adding one character to a password is hundreds of times better than using unique user-IDs.
I use a different email address for each online account. They are provided to me by an alias and remailing service. My main one is Anonaddy now, but I have used 33 Mail and Spamex in the past (don’t use Spamex anymore : it’s obsolete and unsafe).
The huge advantage is it kills spams in its tracks. Preventing spam is a security measure of sorts, since spam is a huge annoyance to begin with. But it may also bring malware, scam attempts, phishing attempts, ransomware…
Once one has made a habit of using unique and strong passwords, I would advise to start practising unique email aliases. The added peace of mind is invaluable. Not to mention that Anonaddy and 33 Mail have very generous free plans. Simple Login can be considered if one is ready to pay.
It’s not, however, a means of adding security in the sense of preventing hackers from knowing your user name. This would be rather futile. Even unique email addresses are meant to be public.