You've just discovered that employee credentials have been exposed in a data breach. The clock is ticking. Attackers may already be attempting to use these credentials against your systems. Here's your step-by-step incident response playbook.
Immediate Actions (First Hour)
Immediately force password resets for all affected accounts. Don't wait for employees to do it themselves.
Check authentication logs for unusual access patterns, unfamiliar IPs, or off-hours logins.
Force logout from all devices for affected accounts to invalidate any stolen session tokens.
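The log review in the steps above can be scripted for a first triage pass. The following is an added example, not part of the original playbook: it flags logins on affected accounts that come from unfamiliar IPs or occur off-hours. The log layout (timestamp,user,src_ip,result), the sample events, the per-user IP baseline and the business-hours window are all assumptions to adapt to your own identity provider's export.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; the field layout (timestamp,user,src_ip,result) is an assumption.
SAMPLE_LOG = """\
2024-05-06T09:14:02,alice,10.0.4.21,success
2024-05-06T02:47:55,alice,203.0.113.50,success
2024-05-06T02:48:10,bob,203.0.113.50,failure
2024-05-06T02:48:12,bob,203.0.113.50,failure
2024-05-06T10:05:31,bob,10.0.4.33,success
2024-05-06T11:20:00,carol,198.51.100.7,success
"""

AFFECTED = {"alice", "bob"}  # accounts named in the breach data (constructed)
KNOWN_IPS = {"alice": {"10.0.4.21"}, "bob": {"10.0.4.33"}}  # assumed per-user baseline
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; tune per site


def triage(log_text, affected, known_ips, hours=BUSINESS_HOURS):
    """Return (ts, user, ip, result, reasons) for suspicious events on affected accounts."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip malformed rows and accounts that were not in the breach.
        if len(row) != 4 or row[1] not in affected:
            continue
        ts, user, ip, result = row
        reasons = []
        if ip not in known_ips.get(user, set()):
            reasons.append("unfamiliar_ip")
        if datetime.fromisoformat(ts).hour not in hours:
            reasons.append("off_hours")
        if reasons:
            findings.append((ts, user, ip, result, reasons))
    return findings


def compromised_candidates(findings):
    """Accounts with a flagged *successful* login; review these first."""
    return sorted({user for _, user, _, result, _ in findings if result == "success"})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, AFFECTED, KNOWN_IPS)
    for ts, user, ip, result, reasons in hits:
        print(f"{ts} {user:<6} {ip:<15} {result:<8} {','.join(reasons)}")
    print("review first:", compromised_candidates(hits))
```

Flagged failures still matter: repeated failures from one unfamiliar IP across several affected accounts suggest the leaked credentials are being tried against your systems.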
Short-Term Actions (24-72 Hours)
Employee Communication Template
Subject: Action Required: Password Reset Due to External Breach
Dear [Employee],
Your email address was found in a recent third-party data breach at [Breached Company]. While our systems were not compromised, your credentials may be at risk if you used the same password elsewhere.
Required Actions:
1. Your [Company] password has been reset. Please set a new unique password.
2. If you used this password on other sites, change those passwords immediately.
3. Enable MFA if you haven't already.
Questions? Contact IT Security at [contact].
Long-Term Prevention
Implement automated credential monitoring to catch exposures before attackers can exploit them.
Educate employees about password hygiene and the risks of credential reuse.