Data Breach Detected — The First 48 Hours

When GuardHound flags a breach against your domain, it means user emails or credentials tied to your domain have appeared in a public breach corpus (XposedOrNot). The first 48 hours determine whether this is a contained incident or a full account-takeover wave.

What the finding tells you

The XposedOrNot dataset aggregates public breach corpora (Collection #1, RockYou2021, individual disclosed breaches). When emails on your domain appear, it usually means one of two things: a third-party site your users registered on with their work email got breached, or your own service was breached and the data is now public.

Click each linked breach name in the report to see the breach date, exposed data classes (passwords, hashes, tokens, PII), and the source.

The first 48 hours

  1. Scope it. Pull the list of affected emails. Are they just personal accounts your team registered on third-party sites, or are they your own customers?
  2. Force a password reset for every affected account that pre-dates the breach date. Many people reuse passwords across services, so a password exposed at a third party may also be valid on yours.
  3. Rotate any exposed tokens or API keys. If a breach exposed session tokens or OAuth credentials, those are still valid until revoked.
  4. Check for active intrusion. Audit recent logins, API access, and admin actions for the affected accounts. Look for unfamiliar IP addresses and impossible-travel patterns.
  5. Notify users per your jurisdiction’s breach-notification rules — GDPR (72 h), CCPA, HIPAA, etc. Even when not legally required, transparency builds trust.
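
A triage sketch for steps 2 and 4, added here as an example and not GuardHound's own code. It assumes "pre-dates the breach" means the password was last set before the breach date, that logins are already geolocated, and that 900 km/h and 50 km are reasonable thresholds; all names and sample records are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed ceiling: roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def needs_reset(accounts, affected, breach_date):
    """Step 2 (assumed reading): affected accounts whose password was last set before the breach."""
    return sorted(e for e in affected
                  if e in accounts and accounts[e] < breach_date)

def impossible_travel(logins, affected, max_kmh=MAX_KMH):
    """Step 4: consecutive logins per affected account implying speed > max_kmh."""
    hits, last = [], {}
    for email, ts, ip, pos in sorted(logins, key=lambda r: r[1]):
        if email not in affected:
            continue
        if email in last:
            p_ts, p_ip, p_pos = last[email]
            hours = (ts - p_ts).total_seconds() / 3600
            dist = km_between(p_pos, pos)
            # Ignore geo-IP jitter under 50 km; simultaneous distant logins also count.
            if dist > 50 and (hours == 0 or dist / hours > max_kmh):
                hits.append((email, p_ip, ip, round(dist)))
        last[email] = (ts, ip, pos)
    return hits

# Constructed sample data (documentation IP ranges, made-up accounts).
BREACH_DATE = datetime(2024, 3, 1)
AFFECTED = {"ana@example.com", "bo@example.com"}
PASSWORD_SET = {"ana@example.com": datetime(2023, 6, 10),
                "bo@example.com": datetime(2024, 5, 2),
                "cy@example.com": datetime(2022, 1, 1)}
LOGINS = [
    ("ana@example.com", datetime(2024, 6, 1, 9, 0), "192.0.2.10", (51.51, -0.13)),   # London
    ("ana@example.com", datetime(2024, 6, 1, 10, 0), "203.0.113.7", (1.35, 103.82)),  # Singapore
    ("bo@example.com", datetime(2024, 6, 1, 9, 0), "198.51.100.4", (48.86, 2.35)),    # Paris
    ("bo@example.com", datetime(2024, 6, 1, 13, 0), "198.51.100.9", (52.52, 13.40)),  # Berlin
]

if __name__ == "__main__":
    print("reset:", needs_reset(PASSWORD_SET, AFFECTED, BREACH_DATE))
    for hit in impossible_travel(LOGINS, AFFECTED):
        print("impossible travel:", hit)
```

A hit is a lead for the login audit, not proof of compromise: VPN exits and mobile carrier NAT routinely produce the same pattern.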

Longer-term hardening

How to communicate with affected users

Be specific: which breach, which data was exposed, what they should do. Don’t conflate “your password was exposed in BreachX” with “we were breached.” Provide a clear action: “Reset your password here, enable MFA here.” Resist the temptation to minimize — users hate vague “we take security seriously” emails far more than direct ones.

Frequently Asked Questions

Was my own service breached?
Not necessarily. The breach may have hit a third party where your users registered with their work email. Read the linked breach details — the source describes which service was actually compromised.

How accurate is XposedOrNot?
It aggregates well-known public breach corpora. False positives are rare for breach existence, but the exposed data classes are best-effort — verify against the original disclosure when planning remediation.

Should I report to law enforcement?
For breaches you suffered (vs ones that hit a vendor), yes — most jurisdictions require notification of relevant authorities (ICO in the UK, state AGs in the US). Talk to legal counsel.