You get the notification: your email address has been found in a data breach. Maybe it came from a service you’ve never heard of. Maybe from one you trusted. Either way, the instinct is the same—how do I fix this?
The uncomfortable truth is that you can’t, not really. A data breach is a permanent event in the history of your digital identity. You can mitigate the damage, you can prevent the breach from being used against you, but you can’t undo it. Understanding why matters, because most advice about breaches misses this point and leaves people with a false sense of security.
This guide explains what actually happens when your email is in a breach, what to do about it, and—just as importantly—what doesn’t actually help.
What a Data Breach Actually Is
When a company is breached, a copy of their database (or part of it) ends up in the hands of someone outside the company. From that moment, the data is out of anyone’s control.
The data typically includes some combination of:
- Email addresses
- Usernames
- Passwords (often hashed, sometimes in clear text; a hash only buys time, since unsalted or fast hashes such as MD5 and SHA-1 are cracked in bulk, and even a slow hash like bcrypt falls quickly for a common password)
- Personal information (names, addresses, phone numbers)
- Behavioral data (forum posts, private messages, purchase history)
Once a breach happens, the data starts circulating. It gets shared on forums, sold on marketplaces, indexed by services like Have I Been Pwned, and eventually folded into “combo lists” used for credential-stuffing attacks against other services.
The key point: there is no version of events where this data is removed from circulation. Copies exist on machines you can’t reach, in archives you can’t audit, in the hands of people who have no incentive to delete anything.
Why Changing Your Password Doesn’t “Fix” a Breach
This is the part most breach advice gets wrong.
If you appear in a breach and change your password on the affected service, you’ve done something important: you’ve prevented attackers from using the leaked password to access that account. If you reused that password on other services—which most people do—and you change it everywhere, you’ve closed off the most common attack path that follows a breach.
But that’s the limit of what a password change does.
What changing your password does:
- Stops attackers from logging into the breached account with the leaked credentials.
- Resets your exposure on other services where you used the same password (only if you change it there too).
- Reduces the value of the leaked credentials to attackers running credential-stuffing tools.
What changing your password doesn’t do:
- Remove your email address from the breach dump. That data is out there forever.
- Stop attackers from using your email as a target for phishing. They know you have an account—on the breached service, possibly elsewhere—and they can use that knowledge to craft convincing approaches.
- Prevent your address from being included in future combo lists, spam targeting, or social engineering attempts.
- Undo the disclosure of any other personal data exposed in the breach (your real name, address, message history, etc.).
This is why thinking of a breach as something you “fix” is misleading. A breach is a permanent change in the public information available about you. Your defenses against that change can be improved, but the change itself is final.
The Real Threats After a Breach
Most people focus on the wrong risk after a breach. They worry about someone logging into the breached account. By the time you find out about a breach, the attackers have usually already done whatever they were going to do with the credentials—either it worked or it didn’t.
The longer-term risks are different and more interesting.
Targeted phishing. Once attackers know your email is real, used by a real person, and associated with specific services, you become a higher-value target. Generic phishing relies on volume; targeted phishing uses context to seem legitimate. “Hello, this is [breached service]. We’ve detected suspicious activity…” is harder to dismiss when you actually have an account on that service.
Credential stuffing. Attackers feed leaked email/password combinations into automated tools that try them against hundreds of other services. If you reused that password anywhere, those accounts are now exposed. This is why password reuse is the single most common cause of “second-order” breaches.
Account enumeration. Knowing your email is associated with a particular service helps attackers map out your digital footprint. A breach of a niche forum reveals interests; a breach of a financial service reveals economic exposure; a breach of a dating site reveals personal information that can be used for blackmail or social engineering.
Lawful access requests, real and fake. Once an address is publicly associated with breached or otherwise notable data, it can attract scrutiny—legitimate from law enforcement, fraudulent from attackers impersonating law enforcement. Documented cases exist of attackers compromising or spoofing government email accounts to send “emergency data requests” to service providers. A privacy-focused service knowing that a particular address has elevated risk can apply additional verification to such requests.
What to Actually Do When You Find Out
The right response depends on what was exposed, but the general playbook is:
Change the password on the breached service. Use a long, unique, randomly generated password. A password manager makes this trivial.
Change the password everywhere you reused it. This is the action that prevents most real damage. If the same password was used on a streaming service, a forum, and your bank, all three are now exposed.
Enable two-factor authentication. Prefer an authenticator app (TOTP) or a hardware security key over SMS, which is vulnerable to SIM-swapping. 2FA means that even if a password is leaked or guessed, an attacker still needs the second factor to get in. One caveat: a TOTP code can still be phished by a fake login page that relays it to the real site in real time; only FIDO2/WebAuthn keys and passkeys, which are bound to the genuine site's origin, resist that.
Watch for phishing attempts referencing the breach. Attackers often follow up breaches with phishing emails impersonating the breached service. Treat any unexpected message from a service you have an account on with suspicion—especially if it asks you to “verify your account” or “click here to secure your account.”
Don’t expect the breach to disappear. If a service tells you the issue is “resolved,” they mean from their side. Your data is still out there.
Consider whether the exposed data has wider implications. If your real name, address, or other identifying data was exposed, think about what that enables. Identity theft, doxxing, and social engineering all become easier when more pieces of your real-world identity are public.
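The first two steps of that playbook (a random, unique password, and finding out whether a reused one is already in circulation) can be done mechanically. What follows is an added example written for this article, not Onion Mail's code. It generates a password from the operating system's random source and checks a candidate against the Have I Been Pwned "Pwned Passwords" corpus using the range API's k-anonymity scheme: only the first five hex characters of the password's SHA-1 hash leave your machine, the API returns every hash suffix in that bucket, and the match is made locally. The bucket contents below are constructed so the example runs offline; `live_fetch` shows the real request but is not exercised, and the count attached to the sample entry is made up.

```python
"""Check a password against a breach corpus without sending the password.

Added example for this article (not Onion Mail code). Uses the k-anonymity
scheme of the Have I Been Pwned "Pwned Passwords" range API: only the first
5 hex characters of SHA-1(password) are sent, the API returns every suffix
in that bucket, and the comparison happens locally. CONSTRUCTED_BUCKETS is
a made-up range response in the API's line format so the demo runs offline.
"""
import hashlib
import secrets
import string
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. With the Add-Padding header the live API
    mixes in zero-count dummy entries; those are not matches, so drop them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real range lookup; not used by the offline demo or the checks."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-article-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG, the kind a manager would store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed offline stand-in for the range API (counts are invented).
# Bucket 5BAA6 holds the suffix of SHA-1("password"); 7C4A8 is the bucket
# of "123456" but holds only an unrelated suffix, so "123456" comes back
# unseen here, which shows that a bucket hit alone is not a match.
CONSTRUCTED_BUCKETS = {
    "5BAA6": ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
              + "0" * 35 + ":0\n"                                  # padding
              + "1D2DA4053E34E76F6576ED1DA63134B5E2A:12\n"),
    "7C4A8": "F" * 35 + ":5\n",
}


def constructed_fetch(prefix: str) -> str:
    return CONSTRUCTED_BUCKETS.get(prefix.upper(), "")


def vet_password(password: str,
                 fetch_range: Callable[[str], str] = constructed_fetch) -> str:
    """Decision a password manager or signup form could make."""
    n = pwned_count(password, fetch_range)
    if n:
        return f"reject: seen {n} times in breach corpus"
    return "ok"


if __name__ == "__main__":
    print(split_for_range("password"))   # ('5BAA6', '1E4C9B93F3...')
    print(vet_password("password"))      # reject: seen 3730471 times ...
    print(vet_password(generate_password()))
```

The same prefix-only lookup is what a well-built password manager does when it flags a stored password as breached; nothing about the check requires trusting the remote side with the password itself.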
How Onion Mail Approaches Breach Monitoring
Onion Mail includes a built-in breach monitoring widget in your inbox dashboard. The system works like this:
- When you first log in to your account, your address is checked against the Have I Been Pwned database through our internal API.
- After that, your address is rechecked every 7 days by a background job.
- If your address appears in any known breach, you’ll see it in your dashboard, with details: which breach, when it happened, what kind of data was exposed, and a direct link to change your Onion Mail password.
Two design choices are worth explaining, because they reflect how we think about privacy:
Your address is never shared directly with third parties. The check against Have I Been Pwned goes through our own server: HIBP sees a lookup from Onion Mail, not from your browser or Tor circuit, so it cannot tie the query to you as a user, your IP address, or your session. The claim should be read precisely, though. If the lookup uses HIBP's breached-account API, which searches by address, the address itself is transmitted to HIBP; what the proxy withholds is who asked, from where, and when.
Breach status doesn’t disappear when you change your password. This is a deliberate decision and one of the more important ones. Some breach monitoring services mark a breach as “resolved” once you’ve taken an action. We don’t, because the breach itself isn’t resolved—it’s a permanent historical event. Changing your password addresses one consequence; it doesn’t undo the breach. Keeping the status visible reminds you that the address remains in known breach databases, which affects how cautious you should be about phishing and how seriously you should take any unusual access attempts.
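To make those two design choices concrete, here is an added example of the monitoring flow, written for this article and not Onion Mail's implementation. It models a server that performs the lookup on the user's behalf, a background job that rechecks any address whose last check is 7 or more days old, and a breach store that is only ever added to, so a password change updates a timestamp and nothing else. The HIBP response data is constructed in the shape of the v3 breachedaccount JSON (a subset of its fields, two fictional breach names); the class names, the address normalization, and the status fields are assumptions, and `live_lookup` shows the real server-side call but is not exercised.

```python
"""Breach monitoring: server-side lookup, 7-day recheck, append-only store.

Added example for this article, not Onion Mail's implementation. The HIBP
lookup is injected so the demo runs offline; CONSTRUCTED_HIBP is made-up
data in the shape of HIBP's v3 breachedaccount JSON (a subset of fields).
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

RECHECK_INTERVAL = timedelta(days=7)
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"


@dataclass
class BreachRecord:
    name: str
    breach_date: str          # "YYYY-MM-DD", as HIBP reports it
    data_classes: List[str]   # e.g. ["Email addresses", "Passwords"]


@dataclass
class MonitorState:
    breaches: Dict[str, BreachRecord] = field(default_factory=dict)
    last_checked: Optional[datetime] = None
    last_password_change: Optional[datetime] = None


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so callers can build UTC timestamps without imports."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def live_lookup(address: str, api_key: str) -> List[dict]:
    """Real HIBP call made from the server (needs an API key); not used by
    the offline demo. HIBP answers 404 when an address has no breaches."""
    req = urllib.request.Request(
        HIBP_URL + quote(address) + "?truncateResponse=false",
        headers={"hibp-api-key": api_key, "User-Agent": "breach-article-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


class BreachMonitor:
    def __init__(self, lookup: Callable[[str], List[dict]]):
        self._lookup = lookup            # HIBP sees this server, not the user
        self._states: Dict[str, MonitorState] = {}

    def state(self, address: str) -> MonitorState:
        return self._states.setdefault(address.strip().lower(), MonitorState())

    def needs_check(self, address: str, now: datetime) -> bool:
        last = self.state(address).last_checked
        return last is None or now - last >= RECHECK_INTERVAL

    def check(self, address: str, now: datetime) -> MonitorState:
        """Merge the lookup into the store: union, never replace, so a
        breach once recorded stays recorded."""
        st = self.state(address)
        for b in self._lookup(address.strip().lower()):
            st.breaches[b["Name"]] = BreachRecord(
                b["Name"], b["BreachDate"], list(b.get("DataClasses", [])))
        st.last_checked = now
        return st

    def record_password_change(self, address: str, now: datetime) -> None:
        """Deliberately touches nothing but the timestamp."""
        self.state(address).last_password_change = now

    def background_job(self, now: datetime) -> List[str]:
        """Weekly job: recheck every address whose last check is stale."""
        due = [a for a in self._states if self.needs_check(a, now)]
        for a in due:
            self.check(a, now)
        return due

    def status(self, address: str) -> dict:
        """What the dashboard widget would show."""
        st = self.state(address)
        return {"breached": bool(st.breaches),
                "breaches": sorted(st.breaches),
                "password_changed": st.last_password_change is not None}


# Constructed sample, not real breach data: two fictional services.
CONSTRUCTED_HIBP = {"alice@example.org": [
    {"Name": "ExampleForum", "BreachDate": "2019-03-12",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleShop", "BreachDate": "2021-08-30",
     "DataClasses": ["Email addresses", "Names", "Physical addresses"]}]}


def constructed_lookup(address: str) -> List[dict]:
    return CONSTRUCTED_HIBP.get(address, [])
```

A typical run: `m = BreachMonitor(constructed_lookup)`, then `m.check("Alice@Example.org", at(2024, 1, 1))` on first login, `m.record_password_change(..., at(2024, 1, 2))` after the user acts, and `m.status(...)` still reports the address as breached; `m.background_job(at(2024, 1, 8))` is the first run that rechecks it. The union in `check` is the code-level form of the second design choice: nothing in the flow has a path that deletes a breach record.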
The widget sits alongside the other privacy controls in your dashboard—two-factor authentication status, PGP encryption status, Tox-based recovery setup, and others—so you can see the security state of your account at a glance.
Beyond Monitoring: Reducing Your Breach Surface
Monitoring is reactive. The proactive part is reducing how exposed you are in the first place. Some practical habits:
Use a unique email address for each service when it matters. Many privacy-focused email providers, including Onion Mail, support address aliases or plus-addressing. When one alias appears in a breach, you know exactly which service was the source, and you can disable that alias without affecting anything else. Plus-addressing is the weaker of the two: anyone can strip the +tag to recover your base address, so it attributes a leak but does not hide the underlying mailbox. A separate alias does both.
Don’t give services more data than they need. Phone numbers, real names, dates of birth—if a service doesn’t actually need it, don’t provide it. Each piece of personal data you give out is a piece that can be exposed.
Treat your primary email address as part of your identity. If you use it everywhere, every breach is a breach against you. Compartmentalizing—separating an everyday address from one used for sensitive accounts—limits the blast radius.
Use a password manager. Reused passwords are the single biggest reason breaches escalate. A password manager makes unique passwords practical.
Be skeptical of breach “remediation” services. Some paid services promise to “remove your data” from the internet after a breach. They can’t, not really. Reputable breach monitoring is useful; promises of erasure are usually overstated.
The Honest View
A data breach is not a problem you solve. It’s a fact you incorporate into how you think about your digital identity going forward. The address that appeared in a breach is now an address with public history. That doesn’t make it dangerous to use—plenty of perfectly normal people have addresses in dozens of breaches—but it does change what kind of vigilance makes sense.
The goal isn’t to never appear in a breach. Given how many services exist and how often they’re compromised, that’s not realistic for anyone with an active digital life. The goal is to make sure that when a breach happens, it doesn’t escalate: that the exposed credentials don’t unlock other accounts, that the leaked data doesn’t enable successful phishing, that you know the situation and can act accordingly.
If you’d like that monitoring built into your inbox—along with anonymous registration, automatic PGP encryption, and native Tor access—Onion Mail offers it as part of every account. Visit onionmail.org to learn more.
Whatever provider you choose, the principle is the same: assume breaches will happen, design your defenses so that each one stays contained, and pay attention to the ones that do.