> Blog_

Hacked, Breached, or Password Leaked? Exactly What To Do Next

DarkStrata Security Team

A password leaked, an account hijacked, or a full-blown breach — the first few hours decide how bad it gets. We've published a comprehensive UK guide for individuals and businesses, from changing the right passwords first to the ICO's 72-hour reporting rule. Here's the short version.

It usually starts with a single notification. A login you didn't make. A password-reset email you didn't ask for. Or a message from a company you'd half-forgotten you had an account with, admitting they've been breached. In that moment, what you do next genuinely matters — the first few hours decide how far the damage spreads.

So we've written it all down. Today we're publishing a comprehensive, evergreen UK Data Breach Response guide — a clear playbook for both individuals and businesses. This post is the short version.

First, don't panic — but move fast

Most account takeovers trace back to one of four things: infostealer malware on a device, a third-party breach at a company you use, a phishing page that captured your login, or an old reused password fired at a login screen by an automated tool. Knowing which one you're facing shapes your response — but the immediate steps are similar, and the sooner you take them, the less an attacker can do.

If it happened to you

For individuals, the priority order is what matters. Don't change everything at once — start where it counts:

  • Email first, then banking. Your email is the master key: whoever controls it can reset everything else.
  • Change the leaked password — and anywhere you reused it. Reuse is what turns one leak into many.
  • Turn on two-factor authentication, preferring an authenticator app or a passkey over SMS.
  • Sign out of all devices in each account's security settings, to kill any sessions an attacker is still riding.
  • Watch for follow-up scams. Criminals know what you use after a breach, so expect targeted phishing.

If the leak came from malware on your device, there's a crucial catch — covered below. The full individual playbook walks through identity protection, credit checks, and exactly who to report to (it's changed recently — see below).

If your organisation was breached

If you hold other people's personal data, a breach brings legal duties under UK GDPR. The headline one is the 72-hour rule: if a personal data breach is likely to result in a risk to people's rights and freedoms, you must notify the Information Commissioner's Office without undue delay, and no later than 72 hours after becoming aware of it.

Failing to notify when required can attract a fine of up to £8.7 million or 2% of global annual turnover — and the most serious breaches can reach £17.5 million or 4%.

You also have to tell affected individuals directly if the breach is likely to be high-risk to them, and you must record every breach — even the ones you decide not to report. The business playbook lays out the full sequence: contain, assess, report, notify, and document.

The thing most people get wrong

Two details trip people up again and again. First: if your credentials were stolen by malware, clean the device before you change any passwords — resetting a password from an infected machine just hands the attacker the new one. Second: attackers who steal your session cookies can stay logged in even after you change your password, and even past multi-factor authentication. That's why "sign out of all devices" matters as much as the new password.

One more practical change worth knowing: in England, Wales and Northern Ireland, fraud and cyber crime are now reported to Report Fraud (the City of London Police service that replaced Action Fraud in December 2025), online or on 0300 123 2040. In Scotland, it's Police Scotland on 101.

Read the full guide

This is the summary — the complete UK Data Breach Response guide covers every step in detail, with scenario-by-scenario playbooks, a prevention checklist, an FAQ, and direct links to every official UK reporting route. Bookmark it before you need it.

And if you'd rather find out you're exposed before an attacker does, that's exactly what we built DarkStrata for — start a free trial or check your domain against billions of stolen records.

Reading Progress
0% complete
Tags
data breachincident responseICOUKcredential theftcybersecurityguide
Share This Post