4iT IT Support Sydney | Your Reliable Sydney IT Support Partner

Insights & News

Compromised Credentials: What to Do (Australian SME Guide)

If your business credentials have been compromised, the priority order is simple: reset the affected password immediately, confirm multi-factor authentication is enabled, check whether the account has already been misused, then work out how it leaked so it does not happen again. Speed matters, because a leaked credential is only dangerous in the window between the leak and the reset.

Person at an office desk resetting a password on a laptop login screen

Key facts

  • The first action on any compromised credential is a password reset on that account and any other account using the same or a similar password.
  • Multi-factor authentication is what stops a leaked password being enough to log in, so confirming MFA is enabled is the second priority, not an afterthought.
  • Most credential compromises trace back to password reuse or phishing, so fixing the root cause matters as much as the immediate reset.
  • Business email compromise, often starting from a stolen login, is consistently among the costliest cybercrimes reported by Australian businesses (ASD Annual Cyber Threat Report 2024-25).
  • If personal information was exposed, the Notifiable Data Breaches scheme may require you to notify the OAIC and affected individuals when serious harm is likely.

What should you do first when a credential is compromised?

Reset the password on the affected account straight away, and do it properly: a new, unique password not used anywhere else. If the same password was used on other accounts, reset those too, because attackers will try it everywhere. This is the single most time-sensitive step, because a leaked credential is only useful to an attacker until the moment you change it. Do not wait to investigate how it happened before you reset. Reset first, investigate second.

Why is checking MFA the next step?

Multi-factor authentication is what makes a stolen password insufficient on its own, so the moment after a reset is the right time to confirm it is switched on. If MFA was already enabled, a leaked password alone would not have let an attacker in, which limits the damage and tells you the exposure is lower risk. If MFA was not enabled, that is the real finding: the account was one correct password away from compromise, and now you know to fix it. In our experience the accounts that get exploited after a leak are almost always the ones where MFA was never turned on.

How do you check whether the account was already misused?

Look for signs the credential was used before you caught it. On a Microsoft 365 account, that means checking recent sign-in activity for unfamiliar locations or devices, and looking for mailbox rules you did not create, because attackers commonly set up rules that auto-forward or hide emails to run invoice fraud quietly. Check for sent messages you did not send and changes to account recovery details. If you find any of this, treat it as an active incident rather than a near miss, and get your IT provider involved to contain it properly. This is the point where a managed provider earns their keep, because knowing where to look comes from having done it before.

How do you stop it happening again?

Fix the root cause, which is usually one of two things: password reuse or phishing. For reuse, a password manager that generates unique passwords per account removes the domino effect where one breach exposes many logins. For phishing, staff awareness training and technical controls like conditional access reduce both the odds of a credential being handed over and the damage if one is. Turning on dark web monitoring also gives you early warning next time, so a leaked credential surfaces as an alert you action rather than a compromise you discover after the fact. The reset deals with today. These deal with the next one.

Do you have to report a credential breach in Australia?

You may have to, depending on what was exposed. Under the Notifiable Data Breaches scheme, businesses covered by the Privacy Act 1988 must notify the Office of the Australian Information Commissioner and affected individuals when a data breach is likely to result in serious harm. A single compromised staff login that you reset before any data was accessed may not meet that threshold, but a compromise that exposed customer personal information likely does. If you are unsure whether an incident is notifiable, that is a point to get advice rather than guess, because getting the notification decision wrong carries its own risk.

Frequently asked questions

How do I know if my business credentials have been compromised?

Common signals are a dark web monitoring alert, a notification from a service that suffered a breach, unexpected login activity, or staff reporting they cannot access an account whose password was changed without them. Dark web monitoring is the way to find out proactively rather than after misuse, because it flags credentials circulating in breach data before an attacker gets around to using them.

Should I reset passwords before or after investigating?

Reset first. The reset closes the window of exposure immediately, and investigation can follow safely once the credential is no longer usable. The only exception is where your IT provider is actively running an incident response and asks you to hold off briefly so they can capture evidence, but for most SMEs the right instinct is to reset without delay.

Is a compromised password a data breach I have to report?

Not always. It depends whether personal information was likely accessed and whether serious harm is likely, which is the test under the Notifiable Data Breaches scheme. A login you reset before anything was accessed may not be notifiable, while a compromise exposing customer data probably is. When in doubt, seek advice rather than assume.

Will changing the password fix everything?

It fixes the immediate access, but not always the whole problem. If an attacker used the credential before you reset it, they may have set up mailbox rules, created other access, or taken data already. That is why checking for misuse after the reset matters, and why serious compromises need proper investigation rather than a password change and a hope.

If you have had a credential exposed and want to be sure the account is properly secure rather than just reset, we can help you check properly. Call 4iT on 1800 367 448 or book a chat, and we will make sure nothing was left open.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including credential monitoring, incident response, Microsoft 365 hardening, and multi-factor authentication, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.

Recent Posts

Scroll to Top