You just learned that company credentials appeared in a breach. The goal now is simple: assume the password is compromised and move faster than whoever else has it. Here's a calm, repeatable playbook.
1. Contain the affected account
Force a password reset immediately and, in the same action, invalidate everything that still authenticates as that user: web sessions, refresh tokens, API keys and app passwords, and any "remember me" cookies. A reset alone does nothing if an attacker already holds a live session or a long-lived token; revoke those too. Where the identity provider supports it, also revoke all sign-in sessions for the user so that tokens issued before the reset fail on their next use.
2. Verify whether it was already used
Review authentication logs from the exposure date onward, plus a window before it, since a dump is often older than the date it was published. Look for logins from unfamiliar countries, datacenter or VPN-provider IP ranges, new devices or user agents, bursts of failures followed by a success, or impossible travel (two successful logins whose distance could not be covered in the time between them). If you find a suspicious login, also check what happened after it: new mailbox forwarding rules, added MFA devices, OAuth application grants, or API keys created. Treat any anomaly as a confirmed incident until proven otherwise.
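The review in step 2, as an added example that is not part of the original post or Leicbit's tooling: a small Python triage script that takes a JSON-per-line export of one user's authentication events (assumed to be already geo-enriched by the SIEM with country and coordinates), builds a baseline from the successful logins before the exposure date, and flags post-exposure events from new countries, new devices, datacenter IP ranges, or with impossible travel between consecutive successful logins. The log lines, exposure date and IP ranges are constructed; RFC 5737 documentation prefixes stand in for a real hosting-provider range list.

```python
"""Post-exposure login triage (added example, not Leicbit's code).
Assumes the SIEM exports one JSON event per line, already geo-enriched; all
data below (log lines, exposure date, IP ranges) is constructed for illustration."""
import ipaddress
import json
import math
from datetime import datetime, timezone

# Constructed export for one user: two normal logins, then a success and a
# failure from a hosting range, a new device and another continent.
SAMPLE_LOG = """
{"ts":"2024-05-01T08:02:11Z","user":"alice","ip":"192.0.2.10","country":"DE","lat":52.52,"lon":13.40,"device":"alice-laptop","result":"success"}
{"ts":"2024-05-03T09:15:42Z","user":"alice","ip":"192.0.2.10","country":"DE","lat":52.52,"lon":13.40,"device":"alice-laptop","result":"success"}
{"ts":"2024-05-03T09:40:05Z","user":"alice","ip":"203.0.113.77","country":"US","lat":40.71,"lon":-74.01,"device":"unknown-android","result":"success"}
{"ts":"2024-05-03T09:41:30Z","user":"alice","ip":"203.0.113.77","country":"US","lat":40.71,"lon":-74.01,"device":"unknown-android","result":"failure"}
"""

EXPOSURE_TS = datetime(2024, 5, 2, tzinfo=timezone.utc)  # constructed: dump published 2 May

# Assumption: a real list comes from your threat-intel feed of hosting/VPN ranges;
# RFC 5737 documentation prefixes stand in here.
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner between two logins = impossible travel


def parse_events(text):
    """One JSON event per line -> dicts with tz-aware timestamps, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def build_baseline(events, exposure_ts):
    """'Normal' = countries and devices seen in successful logins before the leak."""
    pre = [e for e in events if e["ts"] < exposure_ts and e["result"] == "success"]
    return {"countries": {e["country"] for e in pre}, "devices": {e["device"] for e in pre}}


def triage(events, exposure_ts):
    """Return (timestamp, reason) findings for events at or after the exposure time."""
    baseline = build_baseline(events, exposure_ts)
    findings, prev_success = [], None
    for e in events:
        # Impossible travel compares consecutive successes, so the previous
        # success is tracked even when it predates the leak.
        if e["result"] == "success":
            if prev_success is not None and e["ts"] >= exposure_ts:
                hours = (e["ts"] - prev_success["ts"]).total_seconds() / 3600
                km = haversine_km(prev_success["lat"], prev_success["lon"], e["lat"], e["lon"])
                if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    findings.append((e["ts"], f"impossible travel: {km:.0f} km in {hours:.2f} h"))
            prev_success = e
        if e["ts"] < exposure_ts:
            continue
        if e["country"] not in baseline["countries"]:
            findings.append((e["ts"], f"new country {e['country']}"))
        if e["device"] not in baseline["devices"]:
            findings.append((e["ts"], f"new device {e['device']}"))
        if is_datacenter(e["ip"]):
            findings.append((e["ts"], f"datacenter ip {e['ip']}"))
    return findings


def first_suspicious_success(findings, events):
    """Earliest flagged successful login: the attacker's likely first use of the password."""
    flagged = {ts for ts, _ in findings}
    return next((e["ts"] for e in events if e["result"] == "success" and e["ts"] in flagged), None)


def analyze_sample():
    return triage(parse_events(SAMPLE_LOG), EXPOSURE_TS)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = analyze_sample()
    for ts, reason in found:
        print(ts.isoformat(), reason)
    print("first suspicious success:", first_suspicious_success(found, evts))
```

On the constructed sample the two events from the hosting range produce seven findings, and the first flagged successful login is the earliest point at which someone other than the user can be shown to have used the password; that timestamp is where the time-to-detection clock of step 5 starts. Failed attempts are flagged as well, because a failure from a datacenter IP on a new device right after a leak is itself evidence that the credential is being tried.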
3. Contain the blast radius
People reuse passwords. If this credential was reused on other internal systems, rotate those too, and rotate any service accounts or stored secrets the user set with the same password. Check whether the same identity has access to email, VPN, cloud consoles, or admin panels, and prioritize the highest-privilege accounts.
4. Strengthen the account
- Confirm multi-factor authentication is enabled and bound to a device the user controls.
- Move the user to a password manager so the new password is unique and never reused.
- For privileged accounts, require phishing-resistant MFA (hardware keys or passkeys), since a push or SMS code can be phished along with the next password.
5. Document and learn
Record what leaked, when you detected it, what you did, and how long it took. Two metrics matter most: time-to-detection and time-to-containment. Shrinking both is the whole game.
Make it routine, not heroic
The organizations that handle this well aren't lucky — they've rehearsed it. Wire your leaked-credential alerts into the same workflow your team already uses for incidents (a webhook into your SIEM/SOAR works well), so response is a checklist, not a fire drill.
Leicbit Team
Cybersecurity experts dedicated to protecting organizations from credential theft and data breaches.