I automated data breach response - changing 50 passwords in 30 minutes instead of 8 hours

The Password App — Fri, 26 Dec 2025 00:32:16 +0000

Last month I got the email everyone dreads: "Your account may have been compromised in a data breach."

I checked. Same password on 47 other sites.

Manually changing 47 passwords takes 4-8 hours. I did it in 30 minutes. Here's how.

The math that made me automate this

Accounts	Manual time	Automated
10	1-2 hours	10 min
25	2-4 hours	20 min
50	4-8 hours	40 min
100	8-16 hours	1.5 hours

Each manual password change:

Open site, log in (30 sec)
Navigate to settings (20 sec)
Find password section (15 sec)
Generate new password (10 sec)
Enter old + new password (20 sec)
Submit, verify (15 sec)
Update password manager (20 sec)

~2.5 minutes per site. Times 50 sites. You see the problem.

The 72-hour window

Security researchers call it the "golden window" - the 72 hours after breach disclosure when:

Credentials haven't hit dark web marketplaces yet
Attackers are still processing the data
You can get ahead of the damage

After 72 hours, your leaked password is being tested against thousands of sites by automated credential stuffing tools.

How I automated password rotation

I built an AI agent using browser-use (89% benchmark score, open source).

The flow:

from browser_use import Agent

async def rotate_password(site: str, old_pass: str, new_pass: str):
    agent = Agent(
        task=f"""
        Go to {site}
        Navigate to account settings
        Find password change section
        Call enter_current_password() for old password field
        Call enter_new_password() for new password fields
        Submit and verify success
        """,
        llm_model="gpt-4o"
    )

    # Credentials injected locally - AI never sees actual passwords
    result = await agent.run(
        sensitive_data={
            "current_password": old_pass,
            "new_password": new_pass
        }
    )
    return result

The key security insight: the AI navigates the UI, but credentials are injected locally. The LLM never sees your actual passwords.

Priority system for breach response

Not all accounts are equal. Here's how I prioritize:

Priority	Type	Examples	Why
P0	Financial	Banks, PayPal	Direct money loss
P0	Email	Gmail, work email	Password reset gateway
P1	Cloud	iCloud, Dropbox	Sensitive documents
P2	Shopping	Amazon, eBay	Stored payment methods
P3	Social	Twitter, LinkedIn	Reputation
P4	Misc	Forums, loyalty	Lower impact

P0 accounts first. Always.

Handling the edge cases

2FA prompts: Agent pauses, you complete 2FA, agent continues.

Agent paused: MFA required for chase.com
Please complete verification in browser window.
[Continue] [Skip]

CAPTCHAs: Same pattern - agent pauses for human solve, then continues.

Site-specific password rules: Agent adapts generation:

# Site requires 8-16 chars, no symbols
password = generate(
    min_length=8,
    max_length=16,
    symbols=False  # Adapted for this site
)

Anti-bot protection: Use your real Chrome profile with cookies/history. Success rate jumps from 60% to 90%.

The results

Tested on 100+ sites:

89% success rate (automated fully)
8% required human intervention (CAPTCHAs, unusual flows)
3% failed (heavy anti-bot, manual only)

Time for 50 accounts: 32 minutes (with ~15 2FA prompts)

Why local execution matters

Every cloud-based automation tool (Operator, Claude CUA) sends screenshots to external servers. For password changes, that means:

Your bank login screen → OpenAI's servers
Your credentials being typed → visible to provider
Every site you use → logged somewhere

For breach response, I want zero data leaving my machine.

The tool I built

I packaged this into a Mac app: thepassword.app

Import CSV from any password manager
AI rotates passwords (visible browser, you watch it work)
Export new passwords back to your manager
Everything runs locally

Free tier: 5 passwords/month. Unlimited: $2.99/month.

Your breach response checklist

First hour:

[ ] Identify what was breached
[ ] Enable login alerts on bank + email
[ ] Check password reuse

First 24 hours:

[ ] Change P0 accounts (financial, email)
[ ] Enable 2FA everywhere
[ ] Review recent account activity

First 72 hours:

[ ] Rotate all reused passwords
[ ] Update password manager
[ ] Set up credit monitoring if needed

Have you automated any part of your security workflow? What's your breach response process look like?

DEV Community: The Password App