OneTimeRead

Private Notes That Live Only Once
The Simple Incident Playbook for Leaked Passwords

Why speed and sequence matter

When a password leaks, minutes matter. The goal is to contain first, then recover safely, then learn so it doesn’t happen again. This playbook gives you a lightweight, repeatable flow that works for individuals, families, and small teams.

15 minutes: contain the damage

  • Revoke active sessions: Sign out of all devices/sessions for the affected account (most services let you do this from the security settings).
  • Invalidate tokens: If the service supports it, revoke API tokens, app passwords, and remembered devices.
  • Turn on/confirm MFA: Ensure multi-factor authentication is enabled. Prefer authenticator apps or security keys over SMS.
  • Freeze risky automations: Temporarily disable webhooks, third-party integrations, or automations that use the compromised account.

60 minutes: rotate and reset safely

  • Change the password to a strong, unique one (generated by your password manager). Avoid reusing any old pattern.
  • Rotate shared credentials: If others used the same login (not ideal), rotate and re-share safely using a one-time, self-destructing link with short expiry and a separate access code. Guide here: The Safe Way to Share Passwords in 2025 (No Email).
  • Update dependent secrets: If that password gates other keys (e.g., app passwords, IMAP/SMTP, CLI tokens), regenerate those too.
  • Check recovery options: Confirm recovery emails/phones are yours and secure.

Same day: verify no one got in

  • Audit sign-ins: Review recent logins, new devices, unusual IPs, and geographies.
  • Look for changes: Check mailbox rules/filters, forwarding, 2FA methods added, account profile edits, and security settings.
  • Check data access: For storage apps, scan recently opened/shared files and new share links.
  • Scan transactions: For commerce or ads platforms, review billing changes, new campaigns, or purchases.
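The sign-in audit above is easier to do systematically than by eye. The following is an added example, not part of the original playbook: it reads a constructed "recent activity" export (timestamp, outcome, source IP, country, device label), builds a baseline of devices, countries and IPs from successful sign-ins before an assumed incident date (INCIDENT_START), and flags anything after that date that is new, plus any two successful sign-ins from different countries closer together than an assumed travel window. The log format, the 2025-03-03 incident date and the 8-hour window are all assumptions for the demo.

```python
"""Audit recent sign-ins against a pre-incident baseline (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export: timestamp, outcome, source IP, country, device label.
SAMPLE_LOG = """\
2025-03-01T08:02:11Z ok 203.0.113.10 DE device=laptop-anna
2025-03-01T19:45:03Z ok 203.0.113.10 DE device=laptop-anna
2025-03-02T07:58:40Z ok 203.0.113.10 DE device=laptop-anna
2025-03-02T08:00:00Z ok 203.0.113.10 DE device=laptop-anna
2025-03-03T02:14:55Z fail 198.51.100.7 BR device=unknown-android
2025-03-03T02:15:20Z ok 198.51.100.7 BR device=unknown-android
2025-03-03T07:30:00Z ok 203.0.113.10 DE device=laptop-anna
"""

# Assumed incident window: the leak was noticed on 2025-03-03, so earlier
# successful sign-ins form the "known good" baseline.
INCIDENT_START = datetime(2025, 3, 3, tzinfo=timezone.utc)
TRAVEL_WINDOW = timedelta(hours=8)  # two countries within this window is suspicious


@dataclass
class SignIn:
    ts: datetime
    outcome: str
    ip: str
    country: str
    device: str


def parse_log(text):
    """Parse the constructed export into SignIn records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, ip, country, device = line.split()
        events.append(SignIn(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            outcome=outcome, ip=ip, country=country,
            device=device.split("=", 1)[1],
        ))
    return sorted(events, key=lambda e: e.ts)


def baseline(events, until):
    """Devices, countries and IPs seen in successful sign-ins before `until`."""
    ok = [e for e in events if e.outcome == "ok" and e.ts < until]
    return ({e.device for e in ok}, {e.country for e in ok}, {e.ip for e in ok})


def audit(events, incident_start, travel_window=TRAVEL_WINDOW):
    """Return (timestamp, finding, detail) tuples for anything worth a closer look."""
    devices, countries, ips = baseline(events, incident_start)
    findings = []
    last_ok = None
    for e in events:
        if e.outcome != "ok":
            continue
        if e.ts >= incident_start:
            if e.device not in devices:
                findings.append((e.ts, "new device", e.device))
            if e.country not in countries:
                findings.append((e.ts, "new country", e.country))
            if e.ip not in ips:
                findings.append((e.ts, "new ip", e.ip))
        # Two successful sign-ins from different countries too close together.
        if last_ok and e.country != last_ok.country and e.ts - last_ok.ts < travel_window:
            findings.append((e.ts, "impossible travel", f"{last_ok.country}->{e.country}"))
        last_ok = e
    return findings


def run_audit():
    return audit(parse_log(SAMPLE_LOG), INCIDENT_START)


if __name__ == "__main__":
    for ts, kind, detail in run_audit():
        print(f"{ts.isoformat()}  {kind:18} {detail}")
```

Failed attempts are skipped here on purpose: the baseline must only contain sign-ins that actually succeeded, otherwise an attacker's earlier guesses would "teach" the audit that their device is normal. Against the sample, the Brazilian sign-in on 2025-03-03 is flagged three times (device, country, IP), and the owner's own sign-in five hours later is flagged as impossible travel, which is the cue to check whether that earlier session was ever revoked.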

If harm is possible, notify early

  • Internal: Tell teammates or family members who depend on the account so they can watch for suspicious activity.
  • External: If clients or guests might be affected, send a short, factual notice with what you’ve done and what they should do next (e.g., reset, verify invoices).
  • Vendors: If compromise involved an integration, alert the provider and ask how to invalidate tokens/refresh secrets.

Root cause: fix the “why,” not just the “what”

Print-friendly checklist (copy/paste)

  • [ ] Revoke sessions & tokens
  • [ ] Enable/confirm MFA
  • [ ] Change password to a unique, manager-generated one
  • [ ] Regenerate app passwords / API keys
  • [ ] Audit logins, devices, IPs, geos
  • [ ] Check rules/forwarding, recovery options, profile changes
  • [ ] Review data/file shares and recent activity
  • [ ] Notify stakeholders if needed
  • [ ] Document root cause and fixes
  • [ ] Schedule follow-up rotation and review

Special cases (don’t skip)

  • Email accounts: After reset, purge suspicious forwarding rules and app passwords. Re-issue app passwords for mail clients.
  • Cloud storage: Recheck recent file shares; revoke public links you didn’t intend; rotate sharing tokens.
  • Financial/ad platforms: Lock billing, confirm spend alerts, and enable approvals for high-value actions.
  • Developer keys: Rotate API keys, environment variables, and CI/CD secrets. Invalidate personal access tokens and re-issue with least privilege.

Timeline template (keep it simple)

  • T0: Leak discovered (how/where).
  • +15 min: Sessions/tokens revoked; MFA verified.
  • +60 min: Password changed; dependent secrets rotated.
  • +6 h: Logs reviewed; anomalies investigated; stakeholders notified.
  • +24 h: Root cause documented; preventive measures in place; follow-up tasks scheduled.

How to re-share credentials safely after rotation

When you must give the new password to someone else, avoid repeating the same mistake.

  • Use a one-time, self-destructing note with short expiry.
  • Split channels: Send the link by email/chat, and the access code by call/SMS.
  • Verify identity: A 30-second call prevents misdelivery to impostors.
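To make the three points above concrete, here is an added example (not the site's own service or code) of the mechanics behind a one-time, self-destructing note with a separate access code. The store keeps only ciphertext: the decryption key is derived from a secret that travels in the link and an access code that travels by a different channel, so neither the server nor someone holding only one of the two can read the note. The note is destroyed on first successful read, on expiry, or after three wrong attempts. The store layout, function names and the three-attempt limit are assumptions for the demo; the HMAC-based stream cipher is used only to keep the example stdlib-only, and a production system would use a vetted AEAD such as AES-GCM instead.

```python
"""One-time, self-destructing note with expiry and a separate access code (added example)."""
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3  # assumed: burn the note after this many wrong link/code combinations


def _derive_key(link_secret, access_code):
    # The key needs both halves: the secret carried in the link and the access
    # code sent over a different channel. The store never sees either one.
    return hashlib.pbkdf2_hmac("sha256", access_code.encode(), link_secret, 100_000)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used here only to stay stdlib-only.
    # A production system would use an AEAD (e.g. AES-GCM) from a vetted library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, nonce, ct):
    # Encrypt-then-MAC: a wrong code or tampered ciphertext fails here, not on decode.
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def create_note(store, plaintext, access_code, ttl_seconds, now=None):
    """Seal `plaintext`; return (note_id, link_secret_hex) to put in the share link."""
    now = time.time() if now is None else now
    note_id = secrets.token_urlsafe(16)
    link_secret = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = _derive_key(link_secret, access_code)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    store[note_id] = {
        "ct": ct, "nonce": nonce, "tag": _tag(key, nonce, ct),
        "expires_at": now + ttl_seconds, "attempts": 0,
    }
    # In a real link the secret goes in the URL fragment (#...), which browsers
    # do not send to the server.
    return note_id, link_secret.hex()


def read_note(store, note_id, link_secret_hex, access_code, now=None):
    """Return (status, plaintext); status is ok / gone / expired / rejected."""
    now = time.time() if now is None else now
    rec = store.get(note_id)
    if rec is None:
        return "gone", None
    if now >= rec["expires_at"]:
        del store[note_id]
        return "expired", None
    key = _derive_key(bytes.fromhex(link_secret_hex), access_code)
    ct, nonce = rec["ct"], rec["nonce"]
    if not hmac.compare_digest(_tag(key, nonce, ct), rec["tag"]):
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS:
            del store[note_id]  # repeated wrong codes burn the note
        return "rejected", None
    del store[note_id]  # read once: destroy before handing out the plaintext
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return "ok", pt.decode()


if __name__ == "__main__":
    store = {}
    nid, secret = create_note(store, "constructed example secret", "482913", ttl_seconds=600)
    print(read_note(store, nid, secret, "482913"))  # first read succeeds
    print(read_note(store, nid, secret, "482913"))  # second read: gone
```

The deletion happens before the plaintext is returned, so a crash or a second concurrent reader cannot get a second copy; the expiry check happens before any key derivation, so an expired note is removed even if the reader has the wrong code.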

New to zero-knowledge sharing? Read the primer: The Beginner’s Guide to Zero-Knowledge Sharing.

Prevent it from happening again

  • Password manager everywhere: Unique, long passwords by default.
  • MFA by default: Especially for email, password manager, and cloud accounts.
  • No secrets in threads: Deliver via one-time links; store in the manager.
  • Regular rotation: Especially for shared/team credentials and guest Wi-Fi. Tips here: How to Share Wi-Fi Credentials Securely with Guests.
  • Phishing hygiene: Train people to verify links and senders. (Guide coming soon.)

FAQ

Should I delete suspicious emails or files?
Preserve evidence until you finish your review, then clean up. Don’t destroy useful audit trails too early.

What if the attacker enabled their own 2FA method?
Use account recovery to remove unknown authenticators, then relock with your own.

Do I need to reset every account?
Focus on the compromised account and any linked accounts that reused the password (then stop reusing).

Bottom line

Contain fast, rotate thoroughly, verify access, notify when needed, and fix the root cause. Turn a leak into a one-time lesson—and make the next incident much less likely.
