A company just told you your password was exposed in a breach, or your password manager flagged a login as compromised. You want to lock everything down fast, in the right order, without missing a step.
Here is the plan. Change your most important passwords first, on a device you trust, using the exact menu paths below. Start with the email account that controls every other reset, then work outward to money, identity, streaming, and social.
Two ground rules before you begin. If you still know your current password, you change it in place. If you do not, you use the reset or recovery flow instead. And if a device keeps re-prompting you to change a password, that can signal malware, so run antivirus and remove unwanted software before you trust any new credential.
Start With Your Primary Email Account
Email is the reset channel for almost everything else, so secure it first. If an attacker controls your inbox, changing other passwords accomplishes little.
To change a Google or Gmail password you still know: go to myaccount.google.com and sign in, select Security & sign-in at the top left, then under How you sign in to Google click Password. Sign in again if prompted, enter the new password, and select Change Password. You will be signed out everywhere except devices used for verification, apps you granted access to, and smart-home devices.
If you cannot sign in, use the account recovery page at accounts.google.com/signin/recovery and follow the prompts to prove you own the account. Check spam or bulk folders if the verification email does not arrive, and choose a password you have not used before on this account.
Lock Down a Hacked Google Account Completely
If the breach involved your Google account itself, a new password is only part of the job. Attackers leave behind quiet ways back in.
1. At myaccount.google.com go to Security & sign-in, and under Recent security events choose Review security events. For anything you do not recognize, select No, it wasn't me.
2. Under Your devices choose Manage devices; for unrecognized devices choose Don't recognize a device? and follow the steps.
3. Change your password (and change it anywhere you reused the same one).
4. Review your mail settings for unauthorized forwarding rules, filters, and delegated access that an attacker may have planted.
5. Turn on 2-Step Verification, then run antivirus and contact your bank if financial information was exposed.
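If you have many filters, the forwarding check in the mail-settings step can be done over an exported filter file. The script below is an added example, not part of the original guide: it lists every filter that forwards mail to an address you did not name as your own. The XML layout and property names (forwardTo, shouldTrash and so on) are assumptions about the export format, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample. The element and property names are an assumed
# layout for a mail-filter export file, not data from a real account.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='no-reply@bank.example'/>
    <apps:property name='forwardTo' value='collector@mail.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""

# Actions that keep forwarded mail out of the owner's sight.
HIDE_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")


def audit_filters(xml_text, own_addresses):
    """Return one finding per filter that forwards mail to an address
    the account owner has not listed as their own."""
    own = {a.lower() for a in own_addresses}
    findings = []
    root = ET.fromstring(xml_text)
    for number, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        forward_to = props.get("forwardTo", "").strip().lower()
        if not forward_to or forward_to in own:
            continue  # no forwarding, or forwarding to a known address
        findings.append({
            "filter": number,
            "forward_to": forward_to,
            "criteria": {k: v for k, v in props.items()
                         if k not in HIDE_ACTIONS and k != "forwardTo"},
            "hides": [a for a in HIDE_ACTIONS if props.get(a) == "true"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_EXPORT, ["me@mail.example"]):
        print(finding)
```

A finding with a non-empty "hides" list deserves the closest look, because the filter both copies mail out and removes it from the inbox. Delete any filter you did not create, then re-export and run the check again.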
Find Every Reused and Compromised Password
A breach rarely affects one account. Reused passwords spread the damage, so audit them in one pass.
In Chrome: open More (top right) > Passwords and autofill > Google Password Manager, then select Checkup on the left. In any other browser, go to passwords.google.com, select Go to Password Checkup, then Check passwords. Review the three categories (compromised, weak, reused) and change every compromised password immediately on the affected site.
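The same three-category audit can be run offline against a password export. This is an added example, not part of the original guide: it sorts saved logins into compromised, reused, and weak without ever printing a password. The CSV column names, the weakness thresholds, and the sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample; the column names (name,url,username,password)
# are an assumed export layout.
SAMPLE_CSV = """name,url,username,password
Mail,https://mail.example,me@mail.example,Tr0ub4dor&3
Bank,https://bank.example,me@mail.example,correct-horse-battery-9!
Forum,https://forum.example,me,Tr0ub4dor&3
Shop,https://shop.example,me@mail.example,summer24
Video,https://video.example,me@mail.example,summer24
"""


def char_classes(pw):
    """Count how many of lower, upper, digit, symbol appear in pw."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def audit(csv_text, exposed=(), min_len=8, min_classes=3):
    """Group saved logins by password and report entry names only.

    exposed: passwords you know were leaked (for example the one named
    in the breach notice). min_len and min_classes are assumed thresholds.
    """
    by_pw = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_pw[row["password"]].append(row["name"])
    exposed = set(exposed)
    report = {"compromised": [], "reused": [], "weak": []}
    for pw, sites in by_pw.items():
        if pw in exposed:
            report["compromised"].extend(sites)   # change these first
        if len(sites) > 1:
            report["reused"].append(sorted(sites))  # one group per shared password
        if len(pw) < min_len or char_classes(pw) < min_classes:
            report["weak"].extend(sites)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CSV, exposed=["Tr0ub4dor&3"]))
```

An exported password file is plaintext, so run this on a device you trust and securely delete the export as soon as you have the list.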
Change Your Apple Account Password
On iPhone, iPad, Apple Watch, or Apple Vision Pro: open Settings > [your name] > Sign-In & Security > Change Password, then follow the prompts to enter your device passcode and set the new password.
On a Mac: choose Apple menu > System Settings, click [your name] > Sign-In & Security > Change Password, and enter the password you use to unlock your Mac.
On the web you can sign in at account.apple.com and open Sign-In and Security > Password, but when possible the site redirects you to a trusted device to finish the change. If you forgot the password and have no trusted device, go to iforgot.apple.com, or open the Apple Support app on a borrowed device and choose Support Tools > Reset Password > Help Someone Else.
Update Your Microsoft Account
On the web: go to account.microsoft.com, open Security, select the Change password link, enter the new password, and select Save. You can optionally tick the box to be prompted to update your password every 72 days.
From inside Windows: open Settings > Accounts > Sign-in options, select Password > Change, and follow the prompts. If you are locked out at sign-in, choose I forgot my password, or reset from any browser at account.live.com/ResetPassword.aspx. For a work or school account, use myaccount.microsoft.com.
Reset a Yahoo Password
On desktop or mobile web: go to the Yahoo Account security page at login.yahoo.com/account/security, click Password under Ways of signing in, enter the new password, and click Continue. If Account Key is turned on, you may need to turn it off first.
In the Yahoo app: tap your profile icon, open Manage Accounts then Account Info, tap Security, scroll to Change password, and confirm. Forgot it entirely? Use the Yahoo Sign-in Helper, enter your recovery email or phone, and follow the prompts.
Secure Financial Accounts From a Clean Device
For banking, do this from a device you know is clean, because malware on the original device can capture the new password too. Exact menu paths vary by institution, so the reliable sequence is: contact the bank directly, change your online-banking password, enable multi-factor authentication, turn on transaction alerts, and review recent activity.
For PayPal, you must use the website; the change cannot be done in the app. Go to your Settings on paypal.com, click the Security tab, select Update next to Password, confirm your current password, enter the new one twice, and click Change Password. The direct path is paypal.com/myaccount/settings/security.
Reset Streaming and Shopping Accounts
For Netflix while signed in, go to netflix.com/password, enter a strong new password (8 or more characters mixing case, numbers, and symbols), keep the option to sign out of all devices ticked, and save. You cannot change it while a Kids profile is active. If you forgot it, use netflix.com/loginhelp and pick email (link expires in 24 hours) or text message (code expires in 20 minutes). Signing out of all devices is not instant and can take up to eight hours.
For shopping accounts such as Amazon, sign in and open your account's login and security settings, then edit the password field. After resetting it, sign back in on the devices you want to keep using, and use the Forgot Password option on the sign-in page if you do not know the current password.
Change Social Media Passwords
For accounts like Facebook, Instagram, and X, the path runs through the app or web settings under your account's security or password section, where you enter the current password and the new one. As a general rule these services log you out of other active sessions when you change the password while keeping your current one signed in. If you cannot recall the password, use the service's own forgotten-password link from its sign-in page rather than guessing.
Harden Every Account You Just Changed
Changing passwords is necessary but not sufficient after a breach. Turn on multi-factor authentication everywhere it is offered, favoring authenticator apps or hardware security keys over text-message codes. To enable it on Google, go to myaccount.google.com > Security & sign-in and select Turn on 2-Step Verification.
Then protect your identity beyond logins: place a free fraud alert with a credit bureau, pull your free reports at annualcreditreport.com, and report identity theft to the Federal Trade Commission at 1-877-438-4338.
Frequently Asked Questions
Which account should I change first after a breach? Secure your primary email account first. Email is the reset channel for nearly every other account, so locking it down prevents an attacker from resetting your other passwords. Then move to financial accounts, identity-related logins, and the rest.
I do not know my current password. Can I still change it? Not directly. To change a password in place you need the current one (or your current device passcode). If you do not have it, use the reset, forgot-password, or account-recovery flow instead, which is available for Google, Apple, Microsoft, Yahoo, and Netflix.
Why does Apple make me wait an hour to change my password? With Stolen Device Protection enabled, Apple can require a one-hour delay before you change your account password or other critical security settings when you are away from a familiar location. This is a deliberate safeguard against a thief who has your passcode.
Why can I not change my PayPal password in the app? PayPal does not support changing your password or security questions in its app. You must use the paypal.com website, specifically the Security tab in your Settings.
My device keeps asking me to change my password. Is that normal? Being repeatedly prompted can indicate malware on the device that keeps capturing your credentials. Update your antivirus, remove any unwanted software, and only then set and trust a new password.
Does changing my password sign out everyone else? Usually. Most services sign you out of other active sessions when you change the password while keeping your current session active. Some, like Netflix, require you to tick a "sign out of all devices" option, and that sign-out can take up to eight hours to complete everywhere.











