
How to Change All Your Passwords After a Data Breach (2026 Guide)

Step-by-step guide to changing 50+ passwords after a breach. Priority order, time-saving tips, and free AI automation tool. Protect your accounts fast.

data-breach-response, password-security, bulk-password-change, breach-recovery, password-automation

A data breach notification just hit your inbox. Your credentials are "potentially compromised." Now you need to change passwords—but where do you start, and how do you do it quickly?

We've helped thousands of users recover from breaches. Here's the exact process we recommend.

Why speed matters

Every hour you wait, attackers are testing your credentials across hundreds of sites. They use an automated technique called "credential stuffing": tools that try your email/password combo on banking sites, email providers, and shopping platforms within minutes of a breach going public.

The timeline of a breach:

  • 0-24 hours: Attackers test high-value targets (banking, email, crypto)
  • 24-72 hours: Broader testing begins (social media, shopping, streaming)
  • 72+ hours: Your credentials enter public databases, available to anyone

Your goal: change passwords before attackers get to your accounts.

Priority order: what to change first

Not all accounts are equal. Change these in order:

Tier 1: Email (within 1 hour)

Your email is the master key to everything else. Password reset emails go here. If an attacker controls your email, they can reset any other password.

Change immediately:

  • Primary email (Gmail, Outlook, iCloud)
  • Work email
  • Any email used for financial accounts

Tier 2: Financial (within 2-4 hours)

Money is the target. Protect accounts with access to cash or payment methods.

Change next:

  • Bank accounts
  • Credit card portals
  • Investment accounts (Fidelity, Schwab, Robinhood)
  • Crypto exchanges
  • PayPal, Venmo, Cash App

Tier 3: Shopping with saved payment (within 24 hours)

Sites with your credit card on file:

  • Amazon
  • eBay
  • Target, Walmart, etc.
  • Food delivery apps
  • Subscription services

Tier 4: Social media (within 24-48 hours)

Attackers use compromised social accounts for identity theft and phishing:

  • Facebook/Meta
  • Instagram
  • Twitter/X
  • LinkedIn
  • TikTok

Tier 5: Everything else (within 1 week)

All remaining accounts, especially any where you reused the breached password.

The manual approach (4-8 hours)

If you're doing this manually, here's what to expect:

Per account:

  1. Navigate to site
  2. Log in (hope you remember the password)
  3. Find settings/security page (every site is different)
  4. Click "Change password"
  5. Enter old password
  6. Generate new password
  7. Enter new password twice
  8. Save
  9. Update password manager
  10. Repeat

Time per account: 5-10 minutes

For 50 accounts: 4-8 hours of tedious work

By account 20, you'll be tempted to reuse passwords or use weaker ones. This is exactly what causes the next breach.

The automated approach (30 minutes)

Dosel automates this entire process:

  1. Import passwords from your current manager (1 minute)
  2. Select accounts to change (2 minutes)
  3. Run automation (AI handles the rest)
  4. Export updated passwords back to your manager (1 minute)

Time per account: ~30 seconds (AI handles navigation, form filling, password generation)

For 50 accounts: 25-30 minutes, mostly hands-free

You watch the AI work while you do something else. No fatigue, no weak password temptation.

Step-by-step: manual password change

If you don't want to use automation, here's how to do it efficiently:

Step 1: Export your password list

Export all passwords from your current manager:

  • Chrome: Settings → Passwords → Export
  • 1Password: File → Export → CSV
  • Bitwarden: Tools → Export Vault → CSV
  • LastPass: Advanced Options → Export

Step 2: Prioritize by risk

Open the CSV in a spreadsheet. Sort by:

  1. Financial sites first
  2. Email providers second
  3. Sites where you reused the breached password
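
As an added example, not part of the original guide or of Dosel: a Python script that turns an exported CSV into a change-order worklist using the tier order from "Priority order" above, with accounts that reuse the breached password listed first within each tier. The column names (`url`, `username`, `password`) follow Chrome's export, and the tier domain lists are assumptions; adjust both to your manager and your accounts.

```python
import csv
import io
from urllib.parse import urlsplit

# Tier map following the article's priority order; the domain lists are
# illustrative assumptions, extend them with the services you actually use.
TIERS = {
    1: {"gmail.com", "google.com", "outlook.com", "icloud.com"},
    2: {"fidelity.com", "schwab.com", "robinhood.com", "paypal.com", "venmo.com"},
    3: {"amazon.com", "ebay.com", "target.com", "walmart.com"},
    4: {"facebook.com", "instagram.com", "x.com", "linkedin.com", "tiktok.com"},
}

def tier_for(url):
    """Return the tier (1-5) of a login URL, matching the host or a parent domain."""
    host = (urlsplit(url).hostname or "").lower()
    for tier, domains in TIERS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return tier
    return 5  # Tier 5: everything else

def build_worklist(csv_text, breached_password):
    """Order accounts by tier; within a tier, reuse of the breached password comes first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reused = row["password"] == breached_password
        host = urlsplit(row["url"]).hostname or row["url"]
        rows.append((tier_for(row["url"]), not reused, host, row["username"]))
    rows.sort()
    # Passwords are deliberately left out of the result so the worklist is safe to print.
    return [(t, host, user, not fresh) for t, fresh, host, user in rows]

# Constructed sample export (not real credentials).
SAMPLE = """name,url,username,password,note
News,https://news.example.net/,alice,q7!unique-Nw,
Old forum,https://forum.example.org/login,alice,Summer2025!,
Amazon,https://www.amazon.com/ap/signin,alice@example.com,Summer2025!,
Gmail,https://accounts.google.com/,alice@example.com,k3#unique-Gm,
PayPal,https://www.paypal.com/signin,alice@example.com,Summer2025!,
LinkedIn,https://www.linkedin.com/login,alice@example.com,x9$unique-Li,
"""

if __name__ == "__main__":
    for tier, host, user, reused in build_worklist(SAMPLE, "Summer2025!"):
        flag = "REUSED BREACHED PASSWORD" if reused else ""
        print(f"Tier {tier}  {host:<24} {user:<20} {flag}")
```

The exported CSV holds every password in plaintext, so keep it off synced or shared folders and delete it once the worklist is done.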

Step 3: Use a password generator

Don't make up passwords. Use your password manager's generator or a site like Bitwarden Generator.

Requirements:

  • 16+ characters
  • Mix of letters, numbers, symbols
  • Unique per account (never reuse)

Step 4: Change and record

For each account:

  1. Open the site
  2. Find password change (usually Settings → Security)
  3. Generate new password
  4. Update in your password manager
  5. Test login with new password
  6. Move to next account

Step 5: Enable 2FA

While you're in security settings, enable two-factor authentication on any account that supports it. Prioritize:

  • Email
  • Financial
  • Social media

Common mistakes to avoid

Mistake 1: Reusing the new password

You just spent hours changing passwords. Don't use the same new password everywhere. That defeats the purpose.

Mistake 2: Using predictable patterns

If your old password was Summer2025!, don't make the new one Winter2026!. Attackers try pattern variations.

Mistake 3: Skipping "less important" accounts

That old forum account you forgot about? It probably has the same password as more important accounts. Change everything.

Mistake 4: Not updating your password manager

Changed the password on the site but forgot to update your manager? Now you're locked out.

Mistake 5: Ignoring 2FA

Passwords are one layer. 2FA is the second. Enable it everywhere.

What if you're already locked out?

If attackers got there first:

  1. Use account recovery: Most sites have "Forgot password" flows
  2. Contact support: Banks and major platforms have fraud departments
  3. Check email for unauthorized activity: Look for password reset emails you didn't request
  4. Freeze credit: If financial data was breached, freeze credit with Equifax, Experian, TransUnion

Preventing the next breach

After you've recovered, implement these practices:

  1. Use unique passwords everywhere (password manager required)
  2. Enable 2FA on all accounts (app-based, not SMS)
  3. Check Have I Been Pwned periodically
  4. Rotate passwords annually (or use automation)
  5. Use a zero-knowledge password manager like Bitwarden or 1Password

If you're using Google Password Manager, consider migrating to a zero-knowledge option. Google can technically access your passwords; Bitwarden cannot.

Frequently asked questions

How do I know if my password was in a breach?

Check Have I Been Pwned by entering your email. It shows which breaches included your email address.

Should I change ALL my passwords or just the breached account?

If you reused the breached password anywhere, change all instances. If you used unique passwords, you can focus on the breached account.

Do I need to change passwords if I have 2FA enabled?

Yes. 2FA is a second layer, not a replacement. Attackers with your password can still attempt account recovery or social engineering.

How often should I change passwords normally?

With unique passwords and 2FA, annual rotation is sufficient. After a breach, change immediately.

Can I use the same password manager after a breach?

Yes, unless the breach was of your password manager. If your manager was breached (like LastPass in 2022), consider switching to a different provider.

Take action now

Don't let this email sit in your inbox. Start changing passwords now:

Manual approach:

  1. Export passwords from your manager
  2. Prioritize financial and email accounts
  3. Change one by one (4-8 hours total)

Automated approach:

  1. Download Dosel (free for Mac)
  2. Import your passwords
  3. Let AI change them (~30 minutes)

The free tier includes 5 password changes per month—enough to cover your most critical accounts after a breach.

Download Dosel →

Questions about breach recovery? Contact hello@dosel.app.

