IT KORR Knowledge Center
Password Incident Response Checklist
Immediate steps to take when a password compromise is suspected or confirmed.
Immediate Actions (First Hour)
- Change the affected password immediately, using a newly generated, unique value.
- Revoke active sessions for the affected account across all applications.
- Check for any password reuse — if the compromised password was used elsewhere, change it there too.
- Enable or verify MFA is active on the affected account.
Investigation
- Review sign-in logs for the affected account for unfamiliar locations, devices, or times.
- Check for any unauthorized changes made during the suspected compromise window (forwarding rules, permission changes, new app registrations).
- Determine the likely source — phishing, credential stuffing from a third-party breach, malware, or physical exposure.
Containment and Recovery
- Notify IT/security leadership per the organization's incident response process.
- If the account had access to sensitive systems or data, assess scope of potential exposure.
- Document the incident, the response taken, and the timeline.
After the Incident
Review whether the incident reveals a broader gap — a missing MFA requirement, a password reuse pattern, or a training gap — and feed that finding back into the organization's written password policy and awareness program.
Related Resources
- Security Assessment Services — /services/security-assessment-services