What to Do When Employee Emails Appear in a Data Breach
A practical guide to responding when employee email addresses are found in a data breach. Covers how to check for exposures, the 24-hour response actions, GDPR notification obligations, and longer-term remediation.
When employee email addresses appear in a data breach, the immediate priority is forced password resets for affected accounts — before investigating the scope of the breach further. Assume the password is compromised even if the employee believes they do not reuse passwords: credential reuse is the norm, not the exception. In parallel, enable MFA on affected accounts, assess whether the breach data includes personal information that triggers GDPR notification obligations, and audit OAuth grants on affected accounts for any AI or third-party tools that may now have access via a compromised credential.
How to check if employee emails have been exposed
Start with HaveIBeenPwned (haveibeenpwned.com). Individual email addresses can be searched for free. If you are the verified owner of a domain, you can search all email addresses under that domain at once via the domain search feature — this is free for verified domains and gives you a complete picture of which addresses appear in publicly known breaches.
HaveIBeenPwned indexes major public breaches but does not cover all breach data — particularly private breach databases and credential stuffing lists that circulate on dark web forums. Commercial tools including Governably, SpyCloud, and various dark web monitoring services provide broader coverage, including breaches that have not been publicly disclosed.
Make domain monitoring a standing process, not a one-off check. Set up breach notifications (available in HaveIBeenPwned's domain monitoring feature, and in commercial tools) so you are alerted when new breaches include your domain — rather than discovering the exposure months or years later.
24-hour actions
These actions should happen within 24 hours of confirming an exposure:
- Force password reset on all affected accounts. Do not wait for the employee to do it voluntarily — use your admin console (Google Workspace or Microsoft 365) to force a reset at the next login.
- Verify MFA status on affected accounts. If MFA is not enabled, enable it before the employee logs back in. A compromised password with MFA enabled is far less dangerous than a compromised password without it.
- Audit active sessions. In Google Workspace: Admin Console → Users → select user → Security → Review activity. In Microsoft 365: Entra admin centre → Users → select user → Sign-in logs. Revoke active sessions for affected accounts.
- Notify affected employees. Explain what happened in plain language, what you have done, and what they need to do (complete the password reset, check personal accounts that may share the same password). Avoid blame — focus on response.
- Document the incident. Record when you became aware of the breach, what data was exposed, which accounts were affected, and the actions taken. This record is essential for any GDPR assessment.
Assessing the risk level
Not all credential exposures carry the same risk. Assess each exposure on three dimensions:
- What was exposed? An email address alone is low risk. An email address with a password hash is moderate. An email with a plaintext password is high. An email with a password plus financial data, personal data, or security questions is very high.
- How old is the breach? A recent breach is more dangerous than an old one, but old breaches are not safe — credential stuffing attacks use years-old breach data against current accounts, particularly where employees have not changed passwords.
- What access does the affected account have? A breach of a standard employee account is serious. A breach of an IT admin or senior executive account is critical — these accounts have elevated privileges and broader data access.
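As an added example (not Governably's code), the following Python script applies the three dimensions above to data shaped like the HaveIBeenPwned v3 API: the domain search endpoint returns a JSON object mapping each alias under your domain to the breach names it appears in, and the breaches endpoint supplies each breach's date and data classes. The sample responses and the set of privileged accounts are constructed for illustration, and the assumed mapping of data classes to risk levels is this script's, not HaveIBeenPwned's.

```python
from datetime import date

# Constructed sample shaped like /breacheddomain/{domain} and /breaches (not real data).
DOMAIN_SEARCH = {"alice": ["ExampleForum"], "bob": ["ExampleForum", "OldShop"]}
BREACHES = {
    "ExampleForum": {"BreachDate": "2024-11-02",
                     "DataClasses": ["Email addresses", "Passwords"]},
    "OldShop": {"BreachDate": "2016-05-14",
                "DataClasses": ["Email addresses", "Password hints", "Physical addresses"]},
}
# Assumption: aliases with admin or executive privileges, taken from your own directory.
PRIVILEGED = {"bob"}

LEVELS = ["low", "moderate", "high", "very high", "critical"]
# Data classes that push a password exposure to "very high" (financial, identity, security questions).
SENSITIVE = {"Credit cards", "Bank account numbers", "Government issued IDs",
             "Security questions and answers", "Health insurance information"}

def exposure_level(data_classes):
    """Dimension 1: what was exposed. HIBP's 'Passwords' class does not distinguish
    hashed from plaintext, so a password exposure is treated as at least 'high'."""
    classes = set(data_classes)
    if "Passwords" in classes:
        return "very high" if classes & SENSITIVE else "high"
    if "Password hints" in classes or classes & SENSITIVE:
        return "moderate"
    return "low"

def breach_age_days(breach, today):
    """Dimension 2: how old the breach is. Old breaches still feed credential stuffing."""
    return (today - date.fromisoformat(breach["BreachDate"])).days

def triage(domain_search, breaches, privileged, today):
    """Dimension 3: privilege. Returns a per-alias report with the 24-hour actions."""
    report = {}
    for alias, names in domain_search.items():
        worst, newest = "low", None
        for name in names:
            lvl = exposure_level(breaches[name]["DataClasses"])
            worst = max(worst, lvl, key=LEVELS.index)
            age = breach_age_days(breaches[name], today)
            newest = age if newest is None else min(newest, age)
        if alias in privileged and LEVELS.index(worst) >= LEVELS.index("high"):
            worst = "critical"  # admin or executive account with a password exposure
        actions = ["force password reset", "verify MFA", "revoke sessions", "audit OAuth grants"]
        if worst == "critical":
            actions.append("escalate to incident lead")
        report[alias] = {"level": worst, "newest_breach_age_days": newest,
                         "breaches": sorted(names), "actions": actions}
    return report

if __name__ == "__main__":
    for alias, row in triage(DOMAIN_SEARCH, BREACHES, PRIVILEGED, date.today()).items():
        print(alias, row)
```

Every account still gets the full 24-hour action list regardless of level; the level only decides escalation and ordering.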
GDPR notification obligations
If the breach involves personal data of employees or clients, you need to assess whether UK GDPR notification is required. The test is not whether a breach occurred — it is whether the breach is likely to result in a high risk to the rights and freedoms of affected individuals.
Factors that increase the risk level: sensitive personal data exposed (financial, health, identity documents), passwords exposed (enabling account takeover), large number of individuals affected, and data exposed to malicious actors rather than accidentally published.
If the threshold is met: notify the ICO within 72 hours of becoming aware of the breach (report at ico.org.uk/report-a-breach). Notify affected individuals "without undue delay." Document your assessment — even if you conclude notification is not required, document why.
If you are unsure whether the threshold is met, err on the side of notification or seek legal advice. The ICO's guidance on self-assessment is available at ico.org.uk.
Longer-term remediation
Once the immediate response is complete, use the incident to drive longer-term improvements:
- Enforce MFA across all accounts, not just affected ones — most businesses should have done this before an incident forces it
- Introduce a password manager for all employees to reduce credential reuse
- Review OAuth grants on affected accounts — a compromised credential may have been used to authorise third-party applications (including AI tools) before the breach was detected
- Run a full credential exposure check across all email domains you control, not just the one where the breach was found
- Set up ongoing breach monitoring so future exposures are detected in hours rather than months
How Governably helps
Governably runs ongoing credential exposure monitoring across your email domains, alerting you when addresses appear in new breaches and providing context on what data was exposed and what the risk level is. It combines breach data with your OAuth grant audit to identify cases where a compromised account may have already been used to authorise AI tools with sensitive data access — giving you a complete picture rather than an isolated data point.
Frequently asked questions
How do I check if employee emails have been in a data breach?
Use HaveIBeenPwned (haveibeenpwned.com) — verified domain owners can search all addresses under their domain at once for free. Commercial tools including Governably offer broader coverage including private breach databases and credential stuffing lists.
What is the first thing to do when an employee email is found in a breach?
Force a password reset on the affected account immediately via your admin console. Do not wait for the employee to do it voluntarily. Verify MFA is active before they log back in, and audit active sessions for the affected account.
Does finding employee emails in a breach trigger GDPR notification obligations?
It depends on what was exposed and the risk to affected individuals. Breaches exposing passwords, financial data, or personal data that creates risk to employees must be assessed against the ICO notification threshold. If the risk is high, notify the ICO within 72 hours and inform affected individuals without undue delay.
How do I know if the same password is used for work accounts?
You cannot know for certain — treat any breach of a work email address as a credential risk and enforce a reset regardless. Password reuse across personal and work accounts is extremely common. Check whether breach records include the actual password, which indicates higher immediate risk.