A leaked password is rarely a problem that stays with one website. Criminal groups test stolen email and password combinations against Microsoft 365, Google Workspace, banking portals, remote access systems, accounting platforms and supplier accounts. If one combination still works, they have a foothold. From there, mailbox fraud, data theft, ransomware and payment diversion can follow quickly.
Knowing how to check stolen credentials is therefore not about curiosity. It is an early-warning and containment task. For households, it can prevent account takeover. For small businesses, it can expose a route into systems that hold customer data, financial information and operational records.
What stolen credentials look like in practice
Credentials are usually exposed through a data breach at a third party, a phishing page, infostealer malware, password reuse or an attacker gaining access to an unmanaged device. The leaked material may include an email address and password, but it can also include session cookies, browser-saved passwords, multi-factor authentication tokens, recovery codes or answers to security questions.
The distinction matters. A historic breach containing an old password may need a password reset and review. Evidence of a recent infostealer infection is more serious: the attacker may have captured current passwords and active browser sessions, potentially bypassing a password change until those sessions are revoked.
Attackers do not need to target a North Devon business personally to cause harm. Credential lists are automated. A bot can attempt thousands of logins across popular services in minutes, looking for password reuse and weak authentication controls.
How to check stolen credentials safely
Start with the email addresses that matter most: business email, administrator accounts, accounts used for finance, cloud storage, social media and domain management. Use a reputable breach-notification service that allows an individual email address to be checked against known breach data. The result should tell you whether the address appeared in a known incident and, where available, the broad type of data exposed.
Do not enter your actual password into a breach checker, a search engine, a forum or a site promoted in an unsolicited email. A legitimate service may offer a method to check whether a password appears in a known leaked-password dataset without collecting the full password itself, but this should be treated as a supplementary control, not a reason to keep an exposed password.
For a business domain, use a verified domain-monitoring facility rather than searching random breach forums or buying leaked data. Domain verification proves that you control the organisation’s email domain and can provide alerts when addresses under that domain appear in newly identified breaches. It gives management useful visibility without handling stolen data that should never be downloaded or retained.
A breach result is not proof that a current account has been accessed. It is, however, evidence that an attacker may possess a combination worth testing. If the password was reused, guessed from a pattern, or has not been changed since the breach date, treat it as compromised.
Check for signs of active misuse
Breach intelligence should be paired with account and device investigation. Review sign-in history for unfamiliar locations, devices, applications and IP addresses. Look for repeated failed sign-ins, successful logins outside normal working hours, unexpected multi-factor prompts and password reset notifications that nobody requested.
In business email, investigate inbox rules and forwarding settings. A common business email compromise tactic is to create a hidden rule that forwards invoices, payment discussions or password-reset messages to an external address. Also check delegated mailbox access, connected third-party applications and recent changes to recovery email addresses or telephone numbers.
On Windows devices, unusual browser extensions, unknown remote-access software, new local administrator accounts and security alerts can indicate credential-stealing malware. If you suspect an infostealer, do not assume that changing one password from the same computer resolves the issue. The device needs forensic assessment and malware removal before it is trusted again.
What to do when credentials are exposed
Containment comes before lengthy investigation. Change the password from a known-clean device, starting with the email account attached to the exposed credential. Email is the reset point for many other services, so securing it first limits an attacker’s ability to reclaim access.
Use a unique, long password generated and stored by a reputable password manager. Avoid predictable variations such as adding a number or changing a final character. Criminals use automated password-spraying and credential-stuffing tools that account for those habits.
Then revoke active sessions, remove unknown devices, review recovery methods and disconnect unfamiliar third-party applications. Where a service offers it, force a sign-out across all devices. This is particularly important when browser cookies or session tokens may have been stolen.
Enable multi-factor authentication on every high-value account. An authenticator app or hardware security key generally offers stronger protection than text-message codes, although text messages remain preferable to password-only access. For administrator, finance and remote-access accounts, phishing-resistant authentication should be the aim where the platform supports it.
For a business, document which accounts were affected, when the exposure was identified, what was changed and whether suspicious access was found. This creates an audit trail and helps establish whether customer, employee or supplier information may have been accessed. If personal data could have been compromised, the incident may also require a formal assessment of reporting obligations.
Prioritise accounts by business impact
Not every exposed login carries the same risk. A forgotten shopping account may be inconvenient. A compromised Microsoft 365 administrator account can lead to email interception, new user creation, data theft and disruption across the organisation.
Prioritise in this order: primary email and identity accounts; administrator and remote-access accounts; banking, payroll and accounting platforms; cloud storage and customer systems; then lower-risk services. Also identify shared accounts. Shared logins remove accountability, make password changes disruptive and can allow access to persist after staff changes. Replace them with named user accounts wherever possible.
If an employee reports a breach involving a personal email address, do not dismiss it automatically. Many people reuse passwords between personal and work services. Handle the report without blame, establish whether any work password was reused, and reset relevant credentials promptly.
When a password reset is not enough
A reset alone is insufficient if there are signs of active intrusion, malware, unauthorised payment requests, mailbox forwarding, altered bank details or suspicious administrator activity. These indicators require incident response, because the question is no longer whether credentials were exposed. It is what the attacker did with them.
At that stage, preserve evidence before making broad changes where possible. Record alert details, suspicious email headers, sign-in events, affected devices and times. Avoid deleting messages or wiping devices until the scope is understood. A rushed clean-up can remove the evidence needed to identify persistence, fraud attempts or data access.
Build a routine, not a one-off check
Checking breach exposure once is useful, but credentials are traded and re-packaged continuously. Small organisations should review domain breach alerts, privileged-account activity and failed sign-in patterns regularly. The frequency depends on risk: a firm handling payments, sensitive client records or remote access needs closer monitoring than a low-risk local service with limited online systems.
The strongest practical defence is a combination of unique passwords, a password manager, multi-factor authentication, prompt patching, endpoint protection and staff who report suspicious prompts or emails quickly. These controls reduce the value of a stolen password and improve the chance of detecting misuse before it becomes a disruptive incident.
A credential alert should create calm urgency, not panic. Verify the exposure, secure the affected identity from a clean device, revoke access that may already be active, and investigate any sign that an attacker moved beyond the login screen.