What started out as a medical data breach affecting 10.5 million customers has grown into a much bigger attack that may have compromised the private data of up to 25 million people across the US, including 15 million in Texas alone. An unauthorized third party accessed the systems of business services provider Conduent from Oct. 21, 2024, until the breach was discovered on Jan. 13, 2025.
A ransomware group known as SafePlay said it was responsible for the breach, which exposed private data including full legal names, addresses, Social Security numbers, health insurance details and medical information, all of which could be used to commit identity theft.
Conduent isn’t the only organization leaking private data to bad actors. Check Point researchers reported a year-over-year credential theft surge of roughly 160% in 2025, with attackers increasingly using stolen logins to slip into accounts unnoticed. Even if attackers don’t strike immediately, an exposed email address or password can be enough for them to start probing other services you use weeks or months later.
If your information was exposed in a breach, you don’t need to panic. But you should act, starting with your most important accounts. Here’s how to lock down your accounts and reduce the risk of further damage.
Start with your email account
Your email is pretty much the master key to everything else you use online. If someone gains access to your personal or work email, they may be able to reset passwords for banking apps, social media, health services, cloud storage and more, without ever knowing your original credentials. All it takes is “reset password” and they can get in.
If you believe the password to your email is out there somewhere, change it using a long, unique password you haven’t used anywhere else. That’s a major theme in this story — please don’t reuse passwords.
If your email provider supports it (most do), turn on two-factor authentication, ideally using an authenticator app, push notifications or even a hardware security key. SMS is the most popular option, but it’s also the least secure of the bunch. SMS messages can be intercepted and attackers can sometimes take control of a phone number through a technique known as SIM swapping. Because authenticator apps generate codes directly on your device, you avoid these risks.
Also review recent sign-in activity and security settings. Many email services show where and when your account was last accessed. If anything looks unfamiliar, sign out of all sessions and revoke access to connected apps you no longer recognize.
Change exposed passwords, as well as reused ones
Next, update the password for any of your accounts that have been directly affected by the breach, outside of your email account. If you reused any exposed passwords elsewhere, those accounts need to be changed, too. This is one of the most common ways attackers escalate a breach into something bigger.
Attackers take leaked email and password combinations and automatically test them across hundreds of popular services because many people reuse passwords.
Each of your accounts should have its own unique password. Ideally, a long, random string like v8$Qm!2ZrP9@kLwX, with at least 14 characters. You can also go with an Apple-style password, like ajwQ7-alxup-haytz, which is 20 characters (16 lowercase letters, one uppercase letter, one digit and two hyphens).
Yes, they might be a pain to deal with, but long, randomly generated passwords are far harder to crack and keep a single leak from unlocking multiple services. If you don’t want to remember each password, go with a password manager that can generate and store them for you, leaving only your master password to remember. Your phone also comes with a free, built-in password manager: iCloud Keychain for iOS and Google Password Manager for Android.
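As an added example (not from the original article), this is roughly what a password manager does when it generates the two styles described above, using the operating system's cryptographic random source. The grouped layout of three six-character blocks and the symbol set are assumptions chosen to match the character counts given in the text.

```python
import math
import secrets
import string

GROUPS, GROUP_LEN = 3, 6              # assumed layout: 18 characters + 2 hyphens = 20
SYMBOLS = "!@#$%^&*"                  # assumed symbol set for the fully random style
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def grouped_password() -> str:
    """16 lowercase letters, one uppercase, one digit, split into hyphenated groups."""
    n = GROUPS * GROUP_LEN
    chars = [secrets.choice(string.ascii_lowercase) for _ in range(n)]
    upper_pos = secrets.randbelow(n)
    digit_pos = secrets.randbelow(n - 1)
    if digit_pos >= upper_pos:        # shift so the digit never lands on the uppercase slot
        digit_pos += 1
    chars[upper_pos] = secrets.choice(string.ascii_uppercase)
    chars[digit_pos] = secrets.choice(string.digits)
    return "-".join("".join(chars[i:i + GROUP_LEN]) for i in range(0, n, GROUP_LEN))

def random_password(length: int = 16) -> str:
    """Fully random string drawn uniformly from letters, digits and symbols."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def grouped_entropy_bits() -> float:
    """Bits of entropy: letter choices times the placements of the uppercase and digit."""
    n = GROUPS * GROUP_LEN
    return math.log2(26 ** (n - 2) * 26 * 10 * n * (n - 1))

def random_entropy_bits(length: int = 16) -> float:
    """Bits of entropy of a uniform string over ALPHABET."""
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    print(grouped_password(), f"~{grouped_entropy_bits():.0f} bits")
    print(random_password(), f"~{random_entropy_bits():.0f} bits")
```

Both styles land above 90 bits of entropy, which is why either is fine as long as the password is generated randomly and used for one account only.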
If an account offers passkeys, consider enabling them. Passkeys replace traditional passwords with device-based authentication and can’t be phished or reused if a service is breached.
Turn on two-factor authentication wherever possible
Two-factor authentication, or 2FA, adds a second layer of protection by requiring something like a temporary code or biometric scan, in addition to your password.
Enable 2FA on any account that supports it, especially those that have a good amount of your personal data, beyond your name and birthdate. App-based authenticators and hardware keys are more secure than text messages, but any form of 2FA is better than none.
Once it’s turned on, save your recovery codes in a secure place. These are often the only way to regain access if you lose your phone or security key.
Check for suspicious activity
After securing your credentials, look for signs that someone may have already accessed your accounts. Review recent logins and transaction histories.
Watch for unexpected password reset emails, new forwarding rules in your email account or changes to profile details you didn’t make. For financial accounts, review recent purchases and enable transaction alerts if they’re available.
If you find evidence of unauthorized access, contact the service immediately and follow its account recovery process.
Remove access you no longer need
Over time, many accounts accumulate third-party app connections, browser extensions and old devices that still have access. These can become weak points after a breach.
Review connected apps and devices and remove anything you no longer use or recognize. Logging out of all active sessions can also force an attacker out if they’re still signed in.
Keep an eye on your accounts going forward
Even after you’ve locked everything down, it’s worth staying alert. Some attackers sit on stolen data and try it months later, hoping users have relaxed.
Consider signing up for breach alerts through a password manager or identity monitoring service. Enable security notifications where possible so you’re alerted to new logins or changes as they happen.
A data breach is frustrating, but it doesn’t have to turn into identity theft or financial loss. A few focused steps — starting with your email, tightening passwords and adding extra security — can go a long way toward keeping your accounts safe when the next breach occurs…because it definitely will.
