Discovering that a password may have been stolen is a situation not to be underestimated. Sometimes we realize it because we receive a warning from the browser, the password manager, or the service we use. Other times the suspicion arises from an unusual login, a security email, a password recovery message we did not request, or strange activity on an account. The most important thing is not to panic, but to act methodically. A compromised password does not automatically mean all your accounts have been hacked, but it can become a serious problem if the same password has been used on multiple services.
In this guide, we look at what to do if a password has been stolen, which checks to carry out immediately, how to change credentials correctly, and which settings to enable to better protect email, social networks, cloud services, banking apps, and personal accounts. Important note: if a password has been stolen, simply deleting it from the browser or phone is not enough. You need to change it on the website or app of the affected service and check if anyone has already accessed your account.
How to tell if a password has been stolen
A stolen password is not always used immediately. In many cases, credentials end up in databases stolen during data breaches, are sold online, or are used automatically to try to access other services. There are some signs that should make you act quickly:
- you receive a warning that the password is compromised;
- the browser or password manager flags a stolen or reused password;
- you receive verification codes you did not request;
- emails arrive from logins on devices or locations you do not recognize;
- someone tries to reset the password of one of your accounts;
- you notice messages sent from your profile without your intervention;
- you find changes to email, phone number, username, or security settings;
- a service notifies you that it has suffered a data breach.
In all these cases, it is advisable to act immediately, starting with the most important account: usually the primary email. If a malicious actor gains access to your mailbox, they can try to recover passwords for many other linked services.
What to do immediately if a password has been stolen
When you suspect a password has been stolen, the first thing to do is change that password on the official website of the service. Do not use links received via email or message, especially if the tone is urgent or threatening. Open the site directly by typing the address into the browser or use the official app. The correct procedure is:
- open the official website or app of the service;
- log into your account, if you can still access it;
- go to security settings;
- change the password immediately;
- choose a new password, long and different from all the others;
- save the new password securely;
- enable two-factor authentication, if available;
- check connected devices, active sessions, and recent activity.
If you can no longer access your account, use the official account recovery procedure. Again, avoid suspicious links and always start from the official page of the service.
Change the password of the main email first
The primary email is often the center of your digital identity. It is used to receive verification codes, access confirmations, password recovery links, invoices, documents, bank communications, and notifications from social networks. For this reason, if you suspect a compromise, you should prioritize your most important email inbox. Check immediately:
- if the email password is unique and not used elsewhere;
- if there have been recent accesses from unknown devices;
- if automatic forwarding rules have been created;
- if there are strange filters that move or hide messages;
- if the recovery email and phone number are still yours;
- if two-factor authentication is active.
An attacker who gains access to your email can look for messages containing personal data, old passwords, documents, receipts, tax data, or references to services you use. They may also try to reset the passwords of other linked accounts.
Use a new password different from all others
When you change a stolen password, don’t make small variations of the old one. Changing a letter, adding a number, or putting a symbol at the end is not a secure solution. If the previous password was known, similar variants can also be easy to guess. A good password should be:
- long;
- unique for that account;
- not connected to your name, birth date, or other personal information;
- not reused on other sites;
- hard to guess even for people who know you.
You can use a password manager to generate and store complex credentials. It’s much better to have long, different passwords saved securely rather than using the same simple password on many accounts.
If you want to first check or remove the credentials stored on your devices, also read the guide on how to delete saved passwords from Chrome, Android, and iPhone.
Check if the same password has been used elsewhere
The biggest risk is not always the single stolen password, but the reuse of the same password on multiple accounts. This is because many automated attacks try pairs of emails and passwords already stolen from other sites. For example, if you use the same email and password combination on an old forum, a social network, and an email service, a breach of the old forum could also put the other accounts at risk. So do a mental and practical check:
- where have you used the same password?
- which accounts have the same login email?
- which services contain personal data or payments?
- which accounts allow recovery of other accounts?
- which passwords are similar to the stolen one?
Start with the most sensitive accounts: email, home banking, payment services, social networks, cloud, e-commerce, Apple account, Google account, work tools, and services with personal data.
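The reuse and "similar password" checks above can be done mechanically over a password export instead of from memory. The script below is an added example and not part of the original guide; it assumes a CSV export with name,url,username,password columns (the layout most browser password exports use) and runs on a constructed sample vault, reporting which accounts share the stolen password exactly, which share any password, and which use a near-variant (same core with different trailing digits or symbols, or within two edits).

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not real credentials). Most browser and
# password-manager exports use this column layout; adjust if yours differs.
SAMPLE_EXPORT = """name,url,username,password
Old forum,https://forum.example,alice@example.com,Sunflower2019
Social,https://social.example,alice@example.com,Sunflower2019
Mail,https://mail.example,alice@example.com,Sunflower2019!
Bank,https://bank.example,alice,q7#Lm2!pZv9wX4rT
Shop,https://shop.example,alice@example.com,sunflower2020
"""

def normalize(pw: str) -> str:
    """Fold case and strip trailing digits/symbols so 'Pass' and 'Pass1!' collide."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; passwords are short, so the O(len(a)*len(b)) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(export_text: str, stolen: str, max_distance: int = 2) -> dict:
    """Report accounts using the stolen password, any reused password,
    and near-variants of the stolen one (same core or <= max_distance edits)."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    exact = [row["name"] for row in rows if row["password"] == stolen]
    core = normalize(stolen)
    variants = []
    for row in rows:
        pw = row["password"]
        if pw == stolen:
            continue  # already counted under "exact"
        if normalize(pw) == core or edit_distance(pw.lower(), stolen.lower()) <= max_distance:
            variants.append(row["name"])
    return {"exact": exact, "reused": reused, "variants": variants}

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, "Sunflower2019")
    # Print account names only; never echo the passwords themselves.
    print("accounts using the stolen password:", result["exact"])
    for names in result["reused"].values():
        print(f"one password shared by {len(names)} accounts: {', '.join(names)}")
    print("accounts using a near-variant of the stolen password:", result["variants"])
```

Every account listed under any of the three headings needs a new, unrelated password, starting with the ones the guide ranks as most sensitive.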
Enable two-factor authentication
Two-factor authentication adds a second step beyond the password. It can be a code generated by an app, a notification on the phone, a physical security key, a code received via SMS, or another method provided by the service. It is an important protection because it makes access more difficult even if someone knows the password. It is not an absolute guarantee but greatly reduces the risk of unauthorized access. When you can choose, prefer:
- authentication apps;
- passkeys;
- physical security keys;
- confirmation notifications on a trusted device.
SMS codes are better than nothing, but they can be less secure than the other methods. In any case, enabling a second factor is almost always a better choice than relying on a password alone.
Log out from all connected devices
After changing a compromised password, check the active sessions. Many services allow you to see from which devices, browsers, or apps the access was made. Look for entries such as:
- connected devices;
- active sessions;
- recent logins;
- security activity;
- where you logged in;
- manage devices.
If you find a device you do not recognize, disconnect it. If the service offers a “Log out from all devices” option, use it after changing your password. This way, any sessions opened by other people are terminated. This step is especially important for email, social networks, Google Account, Apple Account, cloud services, work platforms, and payment-linked apps.
Check email, phone number and recovery methods
When someone manages to access an account, they might modify the recovery data to maintain access even after the password change. For this reason, you have to verify that the email, phone number, and recovery methods are still correct. Check:
- primary email;
- secondary email;
- phone number;
- trusted devices;
- linked authentication apps;
- security keys;
- backup codes;
- security questions, if still present.
If you find a piece of information you do not recognize, remove it immediately. Then change your password again, because the account might have already been tampered with.
Check connected apps and permissions
Many accounts allow apps, extensions or external services to access data. It is convenient but can become a risk if over time you have authorized tools you no longer use or do not recognize. After a possible compromise, go to the section dedicated to connected apps and remove everything that is not necessary. Pay particular attention to:
- third-party apps linked to the account;
- browser extensions;
- services that have access to email, calendar, files, or contacts;
- old or no longer used integrations;
- apps installed outside official stores;
- tools that require overly broad permissions.
If you think the problem originated from an attachment or a suspicious download, also read the guide on how to find out if a file is dangerous before opening it.
Check the device: there might be malware
A password can be stolen in many ways: website breach, phishing, malware, malicious extensions, unreliable apps, compromised Wi-Fi network, or fake pages imitating known services. If the password was stolen after installing something, opening an attachment, or clicking a suspicious link, don’t just change the password. Also check the device.
Take the following steps:
- update the operating system, browser, and apps;
- remove programs or apps you don’t recognize;
- uninstall unnecessary or suspicious browser extensions;
- run a scan with trustworthy security software;
- check if the browser opens strange pages or shows suspicious notifications;
- avoid changing passwords from a device you think might be infected.
If you have a serious suspicion, change the most important passwords from a different, reliable device. Changing them from a compromised computer could immediately expose the new credentials too.
Beware of fake data breach emails
After a real or suspected breach, scam emails may arrive pretending to notify you of a security issue. The message may invite you to click a link, download a file, or enter your password to “verify” the account. These messages often use urgent phrases, logos similar to the originals, and alarmist tones. The advice is simple: don’t click on links contained in the email. Go directly to the official site or open the official service app.
Be careful if the message:
- asks you to enter the password on a page reached via a link;
- contains strange errors or a domain similar but not identical to the official one;
- threatens immediate account closure;
- asks for verification codes or banking data;
- invites you to download attachments;
- comes from a sender that does not match the real service.
A useful rule is this: passwords are never communicated via email, chat, or phone. If someone asks you for one, it is almost certainly a scam attempt.
What to do if you can no longer access
If the password has been changed by someone else and you can no longer access the account, you must use the official recovery procedure. Each service has a different process, but usually it will ask you to confirm your identity via email, phone number, recognized device, or documents. In this situation:
- do not immediately create a new account if you can recover the old one;
- use only the official recovery page;
- also check the spam or junk mail folder;
- prepare useful data to prove the account is yours;
- notify your contacts if the account has been used to send suspicious messages;
- if there are linked payments, check transactions and payment methods.
If the compromised account is related to work, payments, documents, or sensitive data, also consider contacting the service’s support and, in more serious cases, the bank or the competent authorities.
When to notify the bank, contacts, or support
Not all stolen passwords have the same risk level. If the password concerned an old forum or a secondary account, changing it and checking for any reuse may be enough. However, if it concerns email, bank, social media, or professional services, greater attention is needed. Notify the bank or payment service if:
- you notice transactions you do not recognize;
- the stolen password was linked to an account with saved cards;
- you receive notifications of suspicious payments;
- your account has been used to make purchases;
- you entered banking data on a suspicious page.
Notify your contacts if:
- strange messages were sent from your profile;
- someone is using your name to ask for money or codes;
- the social account was used to post content not created by you;
- phishing emails were sent from your mailbox.
It can be embarrassing, but it’s better to notify immediately. This way, you reduce the risk that others fall for the scam by trusting your name.
How to prevent the problem in the future
You cannot control every data breach that happens online, but you can greatly reduce the risks by following some good practices:
- use a different password for each account;
- enable two-factor authentication on the most important services;
- use a reliable password manager;
- avoid saving passwords on shared devices;
- keep operating system, browser, and apps updated;
- do not install unnecessary or unknown extensions;
- do not click suspicious links received via email, SMS, or chat;
- periodically check connected devices and recent logins;
- remove accounts you no longer use;
- prefer passkeys when the service supports them.
Before taking action, it may be useful to check which credentials are still stored in the browser or on the smartphone: in this guide we explain how to see saved passwords on Chrome, Android, and iPhone.
Stolen Password and Passkey: What’s the Difference
Passkeys are an access system different from traditional passwords. Instead of typing a password, you confirm access with your device, face, fingerprint, or an unlock code. This reduces the risk of phishing because there is no classic password to copy and reuse. Not all services support passkeys yet, but when available, they can be a good choice, especially for more important accounts. Even in this case, however, you must protect your device well, keep recovery methods active, and know what to do if you lose your phone or computer. Passkeys don’t eliminate every risk, but they reduce one of the most common problems: reusing the same password across multiple sites.
Mistakes to Avoid After a Password Is Stolen
After a possible compromise, some instinctive reactions can worsen the situation. Here are the most common mistakes to avoid.
- Changing only one password: if the same credential was used elsewhere, you must change it on the other accounts too.
- Using a similar variant: adding a number or symbol to the old password is not enough.
- Clicking links received via email: always go to the official website or the official app.
- Forgetting the main email: it is often the most important account to protect.
- Not checking connected devices: someone might still have an open session.
- Not verifying apps and permissions: a connected app can continue to access data.
- Changing password from a suspicious device: if the device is infected, the new password can also be stolen.
In summary
If a password has been stolen, you need to act immediately but methodically. Change the password from the official site, choose a new and unique credential, check if the same password was used elsewhere, and enable two-factor authentication. Immediately after, verify recent accesses, connected devices, recovery methods, authorized apps, and possible suspicious activities. If the account concerns email, bank, payments, or sensitive data, give top priority to protection and don’t wait.
The most important rule is simple: a stolen password must never remain valid and must never be used on multiple accounts. The more unique your passwords are, the harder it is for a single problem to turn into a larger breach.
Frequently Asked Questions
How can I tell if a password has been stolen?
You can receive a warning from your browser, password manager, or the service you use. Other signals include suspicious logins, unsolicited verification codes, unusual security emails, or account changes you did not make.
What should I do first if a password has been stolen?
You must change it immediately on the official site or app of the service. Do not use links received via email or message. After changing it, check recent accesses, connected devices, and recovery methods.
Is it enough to delete the saved password from the browser?
No. Deleting a saved password from the browser or smartphone only removes the stored credential. If the password has been stolen, you need to actually change it in the connected account.
Do I need to change the passwords of other accounts as well?
Yes, if you used the same or a very similar password on other services. Password reuse is one of the main reasons a single breach can put multiple accounts at risk.
Is it useful to enable two-factor authentication?
Yes. Two-factor authentication adds a second step beyond the password and makes unauthorized access more difficult, even if someone knows your password.
What do I do if I can no longer access the account?
Use the official account recovery procedure of the service. Avoid suspicious links, prepare the necessary data to prove the account is yours, and also check your email, phone, and connected devices.
Is a passkey more secure than a password?
In many cases, yes, because it does not rely on a traditional password to type and reuse. Passkeys reduce the risk of phishing but still require protected devices and well-configured recovery methods.
When should I notify the bank?
You should notify the bank or payment service if you notice suspicious transactions, if the compromised account had saved cards, or if you think you entered banking details on a fake page.