What to Do if Your Credentials Are Stolen
Editor’s note: If you believe you just actively gave away your password, stop reading and call your IT provider immediately. The faster you react to a fire, the less time it has to burn out of control.
Stolen usernames and passwords are scary. Unfortunately, credential theft is close to inevitable in this day and age.
Multifactor authentication (MFA) is a great way to protect your accounts: according to Microsoft, accounts with MFA enabled are more than 99.9% less likely to be compromised.
Receiving an MFA prompt you did not trigger is a big red flag and should not be dismissed. In most systems the prompt is only sent after the correct password has been entered, so it means someone already has your password and is trying to get past the second factor.
You might also receive an unexpected email or a notification warning you of an unrecognized device trying to access your account.
If you do suspect your credentials were stolen, there are steps you can take to prevent or minimize any damage to you or your organization.
Take Immediate Action
It’s important not to panic, but you should take immediate action if you believe your credentials have been stolen. Doing so could be the difference between no damage and catastrophic damage to you and your organization.
1. Change Your Password Immediately
If you receive an MFA request you did not trigger, whether it's a push notification in an app or a one-time code by text or email, deny it (or let it expire), never approve it just to make repeated prompts stop, and immediately change your password. Someone is very likely trying to sign in with your password, and once in, attackers commonly change the password and recovery options so you are locked out.
- Action Step: Go directly to the website yourself (type the address or use a bookmark; do not click any link in the prompt, text or email) and change your password. Create a strong, unique password, ideally one generated and stored by a password manager. If the site offers it, also sign out of all other sessions and review the recovery email, phone number and authorized devices, because changing a password does not always end a session the attacker has already opened.
- Broader Impact: If you have used that password on other accounts, change those immediately, as well. Attackers take a stolen username and password combination and try it on as many sites as they can (credential stuffing). This is exactly why you shouldn't reuse a password across accounts.
- Reminder: It's good that you had MFA enabled and the account held, but that doesn't mean you can skip changing the password. Don't succumb to this false sense of security: MFA has been bypassed before, for example by wearing a user down with repeated prompts until one is approved or by phishing a one-time code, so don't give the attacker another chance.
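For administrators who want to see these red flags in their own sign-in logs rather than wait for a user to report them, here is an added example (not code from the original post) that scans sign-in events for three signals: a password accepted from an address that has never completed MFA for that user, a prompt the user explicitly denied, and a burst of prompts with no approval (push bombing). The log line format, event names, IP addresses and the baseline of known addresses are all constructed for the example; adapt the parser to whatever your identity provider actually exports.

```python
"""Flag sign-in events that match the red flags above: a password accepted from
an address that has never completed MFA for that user, a push the user denied,
and a burst of MFA prompts (push bombing) with no approval.

Added example, not code from the original post; the log format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROMPT_WINDOW = timedelta(minutes=10)   # burst window (assumed tuning value)
PROMPT_THRESHOLD = 3                    # prompts in window with no approval

# Constructed sample log (not from any real system). Assumed line format:
# <ISO-8601 UTC timestamp> user=<name> event=<EVENT> ip=<address>
# EVENT is one of PASSWORD_OK, MFA_PROMPT, MFA_APPROVED, MFA_DENIED, MFA_TIMEOUT.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice event=PASSWORD_OK ip=198.51.100.7
2024-05-01T08:00:06Z user=alice event=MFA_PROMPT ip=198.51.100.7
2024-05-01T08:00:20Z user=alice event=MFA_APPROVED ip=198.51.100.7
2024-05-01T22:14:01Z user=alice event=PASSWORD_OK ip=203.0.113.45
2024-05-01T22:14:02Z user=alice event=MFA_PROMPT ip=203.0.113.45
2024-05-01T22:14:40Z user=alice event=MFA_TIMEOUT ip=203.0.113.45
2024-05-01T22:15:10Z user=alice event=MFA_PROMPT ip=203.0.113.45
2024-05-01T22:15:50Z user=alice event=MFA_DENIED ip=203.0.113.45
2024-05-01T22:16:30Z user=alice event=MFA_PROMPT ip=203.0.113.45
2024-05-01T22:17:05Z user=alice event=MFA_TIMEOUT ip=203.0.113.45
2024-05-01T09:30:00Z user=bob event=PASSWORD_OK ip=198.51.100.9
2024-05-01T09:30:01Z user=bob event=MFA_PROMPT ip=198.51.100.9
2024-05-01T09:30:15Z user=bob event=MFA_APPROVED ip=198.51.100.9
"""

# Constructed baseline: addresses from which each user has completed MFA before.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}


def parse_line(line):
    """Turn one log line into a dict; the timestamp is parsed under key 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    """Parse all non-empty lines and return them in chronological order."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["ts"])


def find_suspicious(records, baseline):
    """Return (reason, user, ip) tuples in the order the evidence appears."""
    findings = []
    known = defaultdict(set, {u: set(ips) for u, ips in baseline.items()})
    pending = defaultdict(list)   # user -> timestamps of prompts not yet approved

    for r in records:
        user, event, ip, ts = r["user"], r["event"], r["ip"], r["ts"]
        if event == "MFA_APPROVED":
            known[user].add(ip)     # a completed login makes this address familiar
            pending[user].clear()
        elif event == "PASSWORD_OK" and ip not in known[user]:
            # First factor succeeded from somewhere new: whoever is signing in
            # already has the password, which is the situation the post describes.
            findings.append(("password_accepted_from_unfamiliar_ip", user, ip))
        elif event == "MFA_DENIED":
            # The user explicitly rejected a prompt they did not start.
            findings.append(("mfa_denied_by_user", user, ip))
        elif event == "MFA_PROMPT":
            # Sliding window of unapproved prompts; repeated pushes wear users down.
            recent = [t for t in pending[user] if ts - t <= PROMPT_WINDOW]
            recent.append(ts)
            pending[user] = recent
            if len(recent) >= PROMPT_THRESHOLD:
                findings.append(("mfa_fatigue_burst", user, ip))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(*finding)
```

On the sample data only alice is flagged: the late-evening password acceptance from 203.0.113.45, her explicit denial, and the third unapproved prompt within ten minutes. Any one of these should trigger the response in step 1 (password reset, session sign-out, recovery-option review) without waiting for the user to call.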
2. Change MFA Method if Possible
While text message and email MFA codes provide extra protection, they are the weakest methods to use. A code sent by SMS can be intercepted by an attacker who has taken over your phone number (a SIM swap), and a code sent by email is no protection at all if the attacker is already in your mailbox. Either way, the same channel is often what the site uses for password resets, so the attacker can reset your password and lock you out.
- Action Step: If a site supports an authentication app, a hardware security key or a passkey, switch to one of those. An app-generated code or push requires the attacker to have your device; a security key or passkey goes further and is tied to the real site's address, so it cannot be handed over on a look-alike phishing page.
- Reminder: Any sort of MFA is better than no MFA, so if text or email is the only option, you should still utilize it.
Additional Resources
- Creating Strong Passwords: tips on how to create strong passwords.
- Recognizing Phishing Scams: a guide on recognizing phishing attempts.
- Using Password Managers: how password managers can enhance your security.
- Setting Up and Using Multifactor Authentication: a guide on setting up and using MFA to enhance your account security.
Keep Your Credentials and Information Secure
Need help finding the right solution to protect your network and data? Contact us here to see how we can help keep your business running smoothly while increasing productivity, security and profitability.