
What happens in the first 24 hours after a breach

From the moment data is stolen to the moment it's sold. A timeline of how breaches unfold, how security teams should respond and what this means for your personal accounts when you're on the other side.

April 11, 2026 · 7 min read · By Baris Ayarkan

Two perspectives: company and individual

The first 24 hours of a breach look very different depending on whether you're the company that was breached or the person whose data was taken. Both perspectives matter: the company's response determines how much damage is done; the individual's response determines how much of that damage touches them personally.

🏢 For the breached company

  • Rapid containment limits further data exfiltration
  • Evidence preservation is critical for legal and forensic response
  • Communication timing affects regulatory exposure
  • Every hour of delay increases potential damage

👤 For you, the affected user

  • You often won't know for hours, days, or weeks
  • Breach monitoring services give you an earlier warning
  • Immediate credential rotation limits what attackers can do
  • Proactive defenses (MFA, unique passwords) work even without warning

The company timeline: hour by hour

Good incident response is defined by how quickly a team moves through five phases: detect, contain, scope, communicate, recover.

H0–4

Detect and contain

  • Verify the activity is real, not a false alert
  • Isolate affected systems to stop ongoing exfiltration (network isolation rather than powering off, which destroys volatile memory you may need)
  • Preserve logs and forensic evidence; do not wipe, overwrite, or reimage affected systems before evidence is captured
  • Assign a single incident owner with decision authority
  • Alert legal, executive leadership, and IR team

H4–12

Scope and stabilize

  • Map which systems and data were touched
  • Rotate high-risk credentials: service accounts, admin access, and any secrets the attacker could have read
  • Bring in external IR firm if internal resources are insufficient
  • Assess whether attackers still have access
  • Begin drafting regulatory notification (GDPR: 72 hours from becoming aware; US state laws vary)

H12–24

Communicate and document

  • Prepare leadership updates with what's known and what isn't
  • Decide on external disclosure timing and messaging
  • Document every action and decision for legal and regulatory purposes
  • Notify affected users if data scope is confirmed
  • Stand up a dedicated response process for the recovery phase
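One concrete way to act on "preserve evidence" and "document every action and decision" in the first hours: a hash-chained incident journal, where each entry records who did what and when, links to the previous entry's hash, and, for any artifact collected, records the artifact's SHA-256 at collection time. This is an added illustration, not code from the original page or from any of the playbooks it cites; the entry format, the all-zero genesis anchor, the actor names and the sample auth-log lines are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Anchor for the first entry's "prev" link (assumed convention for this example).
GENESIS = "0" * 64

# Constructed sample artifact: auth-log lines as they might be exported from an
# affected host during containment. Not real data.
SAMPLE_AUTH_LOG = b"""Apr 11 02:13:07 web-01 sshd[4121]: Accepted password for deploy from 203.0.113.45 port 51822 ssh2
Apr 11 02:13:09 web-01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/app/db
Apr 11 02:14:30 web-01 sshd[4121]: Disconnected from user deploy 203.0.113.45 port 51822
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash every field except the entry's own hash, using a canonical JSON encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(journal: list, actor: str, action: str,
                 evidence: Optional[bytes] = None, ts: Optional[str] = None) -> dict:
    """Append a hash-chained entry recording who did what and when.

    If the action preserved an artifact (log export, disk image, memory dump),
    its SHA-256 is recorded so the copy can later be shown to be unaltered.
    """
    entry = {
        "seq": len(journal),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
        "prev": journal[-1]["hash"] if journal else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    journal.append(entry)
    return entry


def verify_journal(journal: list) -> int:
    """Return -1 if the chain is intact, else the index of the first entry that breaks it."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(entry):
            return i
        prev = entry["hash"]
    return -1


def evidence_matches(entry: dict, data: bytes) -> bool:
    """Check a preserved artifact against the hash recorded when it was collected."""
    return entry["evidence_sha256"] == sha256_hex(data)


def build_sample_journal() -> list:
    """First hours of a hypothetical incident, with fixed timestamps so the result is reproducible."""
    journal = []
    append_entry(journal, "sre-oncall", "Alert triaged: confirmed unexpected outbound transfer from web-01",
                 ts="2026-04-11T02:40:00+00:00")
    append_entry(journal, "sre-oncall", "Exported /var/log/auth.log from web-01 before isolation",
                 evidence=SAMPLE_AUTH_LOG, ts="2026-04-11T02:52:00+00:00")
    append_entry(journal, "sre-oncall", "web-01 moved to quarantine VLAN (kept powered on for memory capture)",
                 ts="2026-04-11T02:55:00+00:00")
    append_entry(journal, "ir-lead", "Incident owner assigned; legal and exec leadership paged",
                 ts="2026-04-11T03:10:00+00:00")
    return journal


if __name__ == "__main__":
    j = build_sample_journal()
    print("chain intact:", verify_journal(j) == -1)
    print("auth.log matches recorded hash:", evidence_matches(j[1], SAMPLE_AUTH_LOG))
    j[2]["action"] = "web-01 powered off"            # someone rewrites history after the fact
    print("first tampered entry:", verify_journal(j))  # 2
```

Append entries as actions happen, not at the end of the day. At handover, or when the regulator asks, verify_journal shows the record was not edited after the fact, and evidence_matches shows a preserved log is byte-for-byte what was hashed at collection. The chain only proves integrity relative to its own entries, so write the journal somewhere the responders themselves cannot quietly rewrite (a ticketing system with an audit trail, a write-once bucket, or a periodically published root hash).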

⚠️ The most expensive mistake: delaying notification

Under GDPR, organizations must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals); the clock starts at awareness, not at the end of the investigation. US state notification laws vary, but most require "prompt" disclosure. Companies that delay to minimize PR damage often compound their legal exposure significantly.

What to do when you hear about a breach

As an individual affected by a breach, you're usually working with less information and more delay. The company may know within hours; you might not hear for weeks. That's why proactive defenses matter more than reactive ones.

When you do hear about a breach affecting one of your accounts:

  1. Change the password immediately, even before the company confirms what was taken, and sign out all other sessions if the service offers it, so a stolen session token stops working too.
  2. Check for reuse: if that password was used anywhere else, change it there too. Attackers test stolen credentials against other services (credential stuffing) within hours of obtaining them.
  3. Enable or upgrade 2FA on the affected account if it's not already on, preferring an authenticator app or hardware key over SMS.
  4. Watch for phishing: breaches are often followed by targeted phishing campaigns that use the stolen data (your name, the service, your recent orders) to seem more convincing.
  5. Monitor for downstream fraud: if the breach included financial or identity data, watch your credit and financial accounts.

💡 Proactive defenses work even without notification

If every account has a unique password and MFA enabled, a breach at any one service can't cascade to the others through credential reuse. You don't need to know about the breach before the attacker acts; your defenses are already in place.

Get breach alerts before attackers act

DataLeakz monitors breach data continuously and notifies you when your email appears in new leaks.


Common questions

How long does it usually take for a company to notify users after a breach?

It varies widely. GDPR requires notifying regulators within 72 hours of becoming aware of a breach, but user notification can take longer. Some companies notify within days; others take weeks or months. The average time between a breach occurring and its public disclosure has historically been measured in months, not hours.

If a company was breached, should I change my password even if they say passwords weren't taken?

Yes, especially early in the incident. Companies often don't have full scope in the first 24–48 hours. Disclosed scope tends to expand as forensic investigation continues. Changing your password costs you 30 seconds; not changing it when you should have can cost much more.

What's an incident response playbook and should I have one?

If you run any kind of product or service that handles user data, yes. An IR playbook is a pre-written checklist of what to do, who to call, and what to document when an incident happens. Writing it before you need it, and walking through it at least once, is the most valuable part; the first day of a breach is the worst time to invent your process from scratch.

Sources

  1. CISA Cybersecurity Incident & Vulnerability Response Playbooks
  2. CISA planning, response, and recovery overview
  3. FTC Data Breach Response Guide for Business
  4. CISA incident-reporting references and guidance