Not usually, no.

As long as you can still log in to your account, there’s no need to get a new address just because your email address was included in a breach.
There are steps you should take, but getting a new account is not one of them.
If you can’t log in to your email account anymore, though, you may have no other choice.

If your email's in a breach
If your email address shows up in a breach, you rarely need a new address. Change your password at the site that was breached, and turn on two-factor authentication there if it's offered. As long as you still have access to your email account, you're fine. Stay alert, but don't panic.
If you can’t log in
If you can’t log in to your email account and you’ve pursued all the approaches to recover access, it’s not your account anymore. Email Hacked? 7 Things You Need to Do NOW covers the steps you need to take.
Whether or not it’s related to any reported breach doesn’t matter. Regardless of how it happened, you’ve lost access to your account.
When that happens, you have no other option; you’ll need to get a new account and let your contacts know you have a new email address.
If you know which service was breached
If you learn that your email address is part of a breach, and you know which service was breached, the most important step to take is simple.
Change your password with that service.
Change it to a long, strong password you don’t use anywhere else.
It’s the bare minimum you need to do, but many times, it’s all you need to do. You don’t need a new email account or address because of it.
If you don’t know which service was breached
This is a more difficult scenario:
- You learn your email address was discovered in a data breach.
- There’s no information about exactly which online service(s) the breach came from.
When this happens, I do two things.
- I change my email password in case it was my email provider that was breached. This is probably unnecessary and exceptionally rare, but I’d rather be safe.
- I start watching for odd behavior on all other accounts that the email address is associated with (either as login ID or as primary/alternate email).
That last point is frustratingly vague, but it’s the best we can do.
And, honestly, it’s what we should do whether our email addresses show up in breaches or not.
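The "watch every account that uses this address" step above is easier when you can see the whole list. The following is an added example, not code from Ask Leo!, that audits a password-manager export to answer the three questions a breach notice raises: which entries use the breached address as their login ID, which passwords are reused across entries, and, when the breached site is known, which other accounts share its password and are therefore open to credential stuffing. The CSV columns (`name,url,username,password`) and the sample rows are constructed assumptions; real exports differ by product, so adjust the column names to match yours.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export.
# Column names are an assumption; Bitwarden, 1Password, KeePass etc. all differ.
SAMPLE_EXPORT = """name,url,username,password
Shop,https://shop.example,alice@example.com,Summer2019!
Forum,https://forum.example,alice@example.com,Summer2019!
Bank,https://bank.example,alice.bank@example.com,7vK#p2zLq9!wRt4m
Mail,https://mail.example,alice@example.com,c0rrect-h0rse-battery
Game,https://game.example,alice_gamer,Summer2019!
"""


def load_entries(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def accounts_using_address(entries, address):
    """Entries whose login ID is the breached address (case-insensitive)."""
    wanted = address.strip().lower()
    return sorted(e["name"] for e in entries if e["username"].strip().lower() == wanted)


def reused_passwords(entries):
    """Map each reused password to the sorted list of entries sharing it.
    Passwords used by only one entry are omitted."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


def credential_stuffing_exposure(entries, breached_site):
    """Other entries that share the breached site's password. Anyone holding the
    leaked credential can try it against these; the ones that also share the
    username fall to a plain replay, the rest to a password-only guess."""
    breached = [e for e in entries if e["name"] == breached_site]
    if not breached:
        return []  # unknown site name: nothing to compare against
    leaked = breached[0]["password"]
    return sorted(
        e["name"] for e in entries if e["password"] == leaked and e["name"] != breached_site
    )


def audit(csv_text, address, breached_site=None):
    """Run all three checks and return a report dict."""
    entries = load_entries(csv_text)
    return {
        "uses_address": accounts_using_address(entries, address),
        "reused": reused_passwords(entries),
        "stuffing_targets": credential_stuffing_exposure(entries, breached_site)
        if breached_site
        else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "alice@example.com", breached_site="Shop")
    print("Accounts logging in with the breached address:", report["uses_address"])
    for pw, names in report["reused"].items():
        print(f"Password reused by {names}: change it everywhere")
    print("Change these first (same password as the breached site):", report["stuffing_targets"])
```

On the sample data the Game account never uses the breached address, yet it still shares the Shop password, which is why the audit keys on the password and not only on the login ID: a unique user name does not help once the password itself is in a dump.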
Additional security
I generally don’t panic when news of yet another breach appears because I apply strong security to all my accounts.
- Using long, random passwords means that even if a breached site stored my password as a hash, cracking it offline is impractical.
- Using a different password everywhere means a breach at one site exposes only that one account; the leaked password can't be replayed against my other accounts (credential stuffing).
- Using two-factor authentication means that even if my password is discovered, a login attempt with the password alone will fail.
I strongly recommend you do the same, starting with your email account.
But there’s no need to get a new email address because of a breach.
Do this
The bottom line is simple: maintain strong security to begin with, and breaches become a much less serious event. If you can track down which breached service included your email address, you can always change your password there for additional safety. Otherwise, just keep your guard up as normal.
Saw this online one of the latest scams to bypass two-factor authentication is
“Somebody called me with this phone number {phone number removed} telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as {removed}.
He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.”
I wouldn’t give him the code. This sounds like a phishing attack to get access to your account. If he had accidentally put in the wrong number, he could just request a new access code. All websites allow you to request a new code.
I’d NEVER give someone a code. My guess is it’s totally a scam trying to get into YOUR account.
I believe keychain can report reused passwords in OS X. Can windows do same?
Thanks guys.
Windows doesn’t have its own keychain. Various password vaults from third parties will report on it though.
Somewhere — for the life of me, I cannot find the place where, (or I’d post this there instead of here), you said, “Breach and breach, what is breach?”
To which I, of course, reply in due form: “You are not morg, you are not eyemorg!” 🙂 🙂 🙂
Was in this week’s newsletter: https://newsletter.askleo.com/ask-leo-747-do-i-need-a-new-email-address-if-mines-involved-in-a-breach/
Part of the problem here is that so many sites want you to use an e-mail address as the userid for their site.
Ideally you should have a different userid for every site just as you should have a unique password for that site.
That reduces the apparent commonality of your identity across sites.
Keeping track of the different userids becomes a task for your password manager.
A site needing a way to contact you (even if it is to reset access credentials) should verify your contact details (e-mail, phone no…) and then store them securely (encrypted) to reduce the risk of the e-mail address being publicly available as a result of a hacking operation.
Some people I know use a different e-mail address for very sensitive sites (generally financial) from the address used for day-to-day usage.
While this is “security by obscurity” it does reduce your attack surface presented to a hacker.
Using a unique user-ID offers an insignificant security advantage. A long strong password is the best protection for your account. Even adding one character to a password is hundreds of times better than using unique user-IDs.
I use a different email address for each online account. They are provided to me by an alias and remailing service. My main one is Anonaddy now, but I have used 33 Mail and Spamex in the past (don’t use Spamex anymore : it’s obsolete and unsafe).
The huge advantage is it kills spam in its tracks. Preventing spam is a security measure of sorts, since spam is a huge annoyance to begin with. But it may also bring malware, scam attempts, phishing attempts, ransomware…
Once one has made a habit of using unique and strong passwords, I would advise to start practising unique email aliases. The added peace of mind is invaluable. Not to mention that Anonaddy and 33 Mail have very generous free plans. Simple Login can be considered if one is ready to pay.
It’s not, however, a means of adding security in the sense of preventing hackers from knowing your user name. This would be rather futile. Even unique email addresses are meant to be public.