BREACH is an instance of the CRIME attack against HTTP compression—the use of gzip or DEFLATE data compression algorithms via the content-encoding option within HTTP by many web browsers and servers. Given this compression oracle, the rest of the BREACH attack follows the same general lines as the CRIME exploit, by performing an initial blind brute-force search to guess a few bytes, followed by divide-and-conquer search to expand a correct guess to an arbitrarily large amount of content. Wikipedia
Disable HTTP compression completely or at least on pages where a secret (like a session cookie) is being transferred. Disabling compression whenever the referrer header indicates a cross-site request, or when the header is not present is another suggested approach. Generally, CSRF protection methods can be used as mitigation.