The 72-hour rule: What to do in the first 3 days after a data breach

You just got the email. "Your account may have been affected by a data breach."

Your heart sinks. You know you should do something. But what? And how fast?

The next 72 hours are critical. Here's exactly what to do.

Why 72 hours matters

Attackers work fast. When credentials leak:

• Within 1 hour: Data is shared or sold on underground forums
• Within 24 hours: Credential stuffing attacks begin testing your logins across sites
• Within 48 hours: Account takeovers accelerate as attackers find working combinations
• Within 72 hours: Secondary attacks launch using access from compromised accounts

This isn't hypothetical. Studies show that the median time from breach to exploitation is shrinking. Attackers have automated tooling that tests leaked credentials against thousands of sites simultaneously.

The 72-hour window is when you can still get ahead of them.

Hour 0-24: Critical actions

The first 24 hours are about stopping the bleeding. Focus on your most valuable accounts.

Immediately: Secure your email

Your email is the master key. It's how you reset passwords everywhere else. Attackers know this—email is always their first target.

Do now:

1. Change your email password — Use a new, unique password (20+ characters)
2. Enable 2FA — Use an authenticator app, not SMS
3. Check for forwarding rules — Attackers often add silent forwarding to monitor password resets
4. Review recent activity — Look for logins from unknown locations

If your email was directly breached (e.g., the breach was at Gmail or your email provider), consider moving to a new email address entirely.

Within 2 hours: Financial accounts

Banks, credit cards, PayPal, Venmo, investment accounts. Money is the attacker's goal.

Do now:

1. Change passwords on all financial accounts
2. Enable 2FA everywhere it's offered
3. Set up transaction alerts — Get notified of any activity
4. Check recent transactions — Look for anything suspicious

Within 4 hours: Critical accounts

Social media, cloud storage, password managers, work accounts.

Do now:

1. Change your password manager master password
2. Review active sessions — Log out of unknown devices
3. Update recovery options — Phone number, backup email

Within 8 hours: Start the password cascade

If you reuse passwords (most people do), every account with that password is now compromised.

Option A: Manual changes (slow)

• Prioritize: Financial → Email → Social → Shopping → Everything else
• Expect 3-5 minutes per site
• For 50 accounts: 4-6 hours

Option B: Automated changes (fast)

• Tools like Dosel can handle bulk changes
• Expect 30-60 minutes for 50 accounts
• AI navigates each site automatically

Within 24 hours: Identity monitoring

Set up alerts that will warn you if your information is used.

Do now:

1. Have I Been Pwned — Sign up at haveibeenpwned.com for future breach notifications
2. Credit monitoring — Consider a free service like Credit Karma
3. Freeze your credit — At all three bureaus (Equifax, Experian, TransUnion) if the breach included SSN/personal data

Hour 24-48: Extend protection

The immediate fires are out. Now expand your security perimeter.

Complete password changes

Finish changing passwords for:

• Shopping sites (Amazon, eBay, etc.)
• Subscription services (Netflix, Spotify, etc.)
• Forums and community sites
• Gaming platforms
• Utility accounts

Review account recovery options

Attackers often compromise recovery mechanisms, not passwords.

Check each critical account for:

• Recovery phone number — Is it still yours?
• Recovery email — Is it still accessible?
• Security questions — Change if answers are guessable
• Trusted devices — Remove any you don't recognize
• App passwords — Revoke old ones

Check for secondary exposure

Your leaked data may enable other attacks.

Hour 48-72: Long-term security

With the crisis managed, establish ongoing protection.

Document everything

Create a record of:

• Which breach affected you
• When you learned of it
• What data was exposed
• Actions you took and when
• Accounts you changed

This documentation matters if you need to dispute fraudulent charges, file an identity theft report, or take legal action.

Implement password hygiene

If this breach caught you with reused passwords, fix the root cause.

New password practices:

1. One unique password per site — No exceptions
2. Use a password manager — Let it generate and store passwords
3. Enable 2FA everywhere — Authenticator app preferred over SMS
4. Regular rotation — Critical accounts every 6 months

Set up ongoing monitoring

Free options:

• Have I Been Pwned notifications
• Google Password Checkup
• Firefox Monitor
• Credit Karma

Paid options:

• Identity theft protection services
• Dark web monitoring
• Credit freeze/thaw services

The 72-hour checklist

Print this. Check it off.

First 24 hours (critical)

• Change email password
• Enable email 2FA
• Check email forwarding rules
• Change financial account passwords
• Enable financial account 2FA
• Set up transaction alerts
• Change password manager master password
• Begin bulk password changes

24-48 hours (important)

• Complete password changes for all accounts
• Review recovery options on critical accounts
• Remove unrecognized trusted devices
• Set up Have I Been Pwned notifications
• Consider credit freeze if personal data exposed

48-72 hours (secure)

• Document all actions taken
• Set up ongoing monitoring
• Review and improve password practices
• Test that all changed passwords work
• Delete any temporary password lists or exports

What to do if you're already compromised

If you discover the attackers got there first:

Account already taken over

1. Use account recovery — "Forgot password" with your recovery email
2. Contact support — With proof of identity
3. Check linked accounts — Attackers often pivot to connected services
4. Report fraud — To the platform and potentially to authorities

Money already stolen

1. Contact your bank immediately — Most have 24/7 fraud lines
2. Dispute transactions — Within the timeframe required (usually 60 days)
3. File a police report — Required for some dispute processes
4. Report to FTC — At identitytheft.gov

Identity already misused

1. File FTC identity theft report — Creates a recovery plan
2. Freeze credit at all bureaus — Immediately
3. Place fraud alerts — On all credit reports
4. Review all accounts — Bank, credit, government benefits

Why automation helps in a crisis

When you're in the 72-hour window, time matters more than anything.

Those saved hours could mean the difference between securing your accounts before attackers get to them, or after.

Frequently asked questions

How do I know if I was in a breach?

Check haveibeenpwned.com with your email address. If you received a breach notification email, verify it's legitimate by going directly to the company's website (don't click links in the email).

Should I change passwords for every account?

If you reused the breached password anywhere, yes. If every password was unique, you only need to change the directly affected account plus any accounts that used it for recovery.

Is 72 hours really enough time?

It's enough time to address the most critical risks. Some cleanup (minor accounts, documentation) can extend beyond 72 hours, but the critical security actions should be complete within that window.

What if I don't have time for all this?

Focus on the most valuable accounts first. Email, banking, and password manager are non-negotiable. Everything else can wait if needed—but don't let it wait more than a week.

Stop dreading breach response

Dosel automates the hardest part of breach response—changing dozens of passwords quickly. Local AI means your credentials never leave your Mac.

• 50 passwords in 30 minutes instead of 4+ hours
• Zero-knowledge architecture — passwords never transmitted
• Works with any password manager — import CSV, export updated CSV

Download Dosel → — 5 free automated password changes per month, no credit card required.

The 72-hour window closes faster than you think. Act now, secure later.