A new study has found the vast majority of users fail to change their passwords after being notified their data was impacted by a security breach.

Virtually everyone has received an email from a credit agency, or a company whose products and services they use, informing them their data was compromised in a breach. Inevitably, those emails include recommendations to change their password. Unfortunately, it appears those warning go largely unheeded.

Sruti Bhagavatula and Lujo Bauer of the Carnegie Mellon University, and Apu Kapadia of the Indiana University Bloomington, conducted a study on the aftermath of data breaches, with a goal to helping companies better mitigate damage.

According to the researchers, “only 21 of the 63 affected participants changed a password on a breached domain after the breach announcement.”

To make matters even worse, “previous work has shown that, on average, a user exactly or partially reuses their passwords on over 50% of their accounts.”

This means that many customers are not only at ongoing risk from the data breach directly impacting them, but their data on other, unrelated sites is also at risk because of reusing passwords.

The study illustrates that companies need to do a far better job of helping customers choose more secure passwords, and engage them post-breach to help them update their passwords and information. Overall, the study is an in-depth look at the challenges companies face in order to better mitigate the impact of data breaches and is a must-read for any security professional.