My email address was in one of breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?
There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.
There are steps you should take, but that’s not one of them.
If you can’t log in to your email account any more, though, you may have no other choice.
Become a Patron of Ask Leo! and go ad-free!
- If you can log in to your email account, you don’t need a new email address.
- If you can’t log in, and you can’t recover access, then you do.
- Specific breach-related steps depend on what’s known about the breach.
- Strong vigilance and security for all accounts are the best ways to prevent problems.
If you can’t log in
If you can’t log in to your email account and you’ve pursued all the approaches to recover access … well, it’s not your account any more. Email Hacked? 7 Things You Need to Do NOW covers the basics of what you need to do and the steps you need to take.
Whether or not it’s related to any reported breach doesn’t matter. Regardless of how it happened, you’ve lost access to your account.
When that happens, you really have no other option; you’ll need to get a new account and let your contacts know you have a new email address.
If you know the breached service
If you learn that your email address is part of a breach, and you know which service was breached, the most important step to take is simple.
Change your password.
Change your password at that breached service as soon as you can. Change it to a long and strong password you don’t use anywhere else.
It’s the bare minimum you need to do, and in many cases, it’s really all you need to do — but you don’t need a new email account because of it.
If you don’t know the breached service
This is a more difficult scenario: you learn your email address was discovered in a data breach, but there’s no indication of exactly which online service(s) were breached.
When this happens, I do two things:
- I change my email password, just in case it was my email provider that was breached. This is probably unnecessary and exceptionally rare, but I’d rather be safe.
- I start watching for odd behavior on all other accounts that email address is associated with, either as login ID or as primary/alternate email.
That last point is frustratingly vague, but it’s the best we can do.
And, honestly, it’s what we should be doing whether our email addresses show up in breaches or not.
I generally don’t panic when news of yet-another-breach appears, because I apply strong security to all my accounts. That means:
- Strong passwords, which significantly reduce the probability they could be cracked in a breach.
- Different passwords everywhere, so that when one breach happens it can only impact the account that’s been breached.
- Two-factor authentication, so that even if my password is discovered, any attempts by others to use it will fail.
I strongly recommend you do the same, starting with your email account.
But there’s no need to get a new email address because of a breach.