My email address was in one of breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?
There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.
There are steps you should take, but that’s not one of them.
If you can’t log in to your email account any more, though, you may have no other choice.
Become a Patron of Ask Leo! and go ad-free!
- If you can log in to your email account, you don’t need a new email address.
- If you can’t log in, and you can’t recover access, then you do.
- Specific breach-related steps depend on what’s known about the breach.
- Strong vigilance and security for all accounts are the best ways to prevent problems.
If you can’t log in
Whether or not it’s related to any reported breach doesn’t matter. Regardless of how it happened, you’ve lost access to your account.
When that happens, you really have no other option; you’ll need to get a new account and let your contacts know you have a new email address.
If you know the breached service
If you learn that your email address is part of a breach, and you know which service was breached, the most important step to take is simple.
Change your password.
Change your password at that breached service as soon as you can. Change it to a long and strong password you don’t use anywhere else.
It’s the bare minimum you need to do, and in many cases, it’s really all you need to do — but you don’t need a new email account because of it.
If you don’t know the breached service
This is a more difficult scenario: you learn your email address was discovered in a data breach, but there’s no indication of exactly which online service(s) were breached.
When this happens, I do two things:
- I change my email password, just in case it was my email provider that was breached. This is probably unnecessary and exceptionally rare, but I’d rather be safe.
- I start watching for odd behavior on all other accounts that email address is associated with, either as login ID or as primary/alternate email.
That last point is frustratingly vague, but it’s the best we can do.
And, honestly, it’s what we should be doing whether our email addresses show up in breaches or not.
Additional security
I generally don’t panic when news of yet-another-breach appears, because I apply strong security to all my accounts. That means:
- Strong passwords, which significantly reduce the probability they could be cracked in a breach.
- Different passwords everywhere, so that when one breach happens it can only impact the account that’s been breached.
- Two-factor authentication, so that even if my password is discovered, any attempts by others to use it will fail.
I strongly recommend you do the same, starting with your email account.
But there’s no need to get a new email address because of a breach.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Video Narration
Saw this online one of the latest scams to bypass two-factor authentication is
“Somebody called me with this phone number {phone number removed} telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as {removed}.
He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.”
I wouldn’t give him the code, but more for his protection than yours. If you give him the code, you would have access to his account, and if he ever got locked out, he’d have to call you again to get back in. He should be able to get back into that website and register with the correct information.
I’d NEVER give someone a code. My guess is it’s totally a scam trying to get into YOUR account.
I believe keychain can report reused passwords in OS X. Can windows do same?
Thanks guys.
Windows doesn’t have its own keychain. Various password vaults from third parties will report on it though.
Why don’t more services offer your email address as a part of 2fa?
Mike Wilhelm :-)
Because it’s additional work? No way to know. Why don’t more services offer 2fa is perhaps an even more important question.
Somewhere — for the life of me, I cannot find the place where, (or I’d post this there instead of here), you said, “Breach and breach, what is breach?”
To which I, of course, reply in due form: “You are not morg, you are not eyemorg!” :) :) :)
Was in this week’s newsletter: https://newsletter.askleo.com/ask-leo-747-do-i-need-a-new-email-address-if-mines-involved-in-a-breach/
Part of the problem here is that so many sites want you to use an e-mail address as the userid for their site.
Ideally you should have a different userid for every site just as you should have a unique password for that site.
That reduces the apparent commonality of your identity across sites.
Keeping track of the different userids becomes a task for your password manager.
A site needing a way to contact you (even if it is to reset access credentials) should verify your contact details (e-mail, phone no…) and then store them securely (encrypted) to reduce the risk of the e-mail address being publicly available as a result of a hacking operation.
Some people I know use a different e-mail address for very sensitive sites (generally financial) from the address used fir day-to-day usage.
While this is “security by obscurity” it does reduce your attack surface presented to a hacker.