Critical

Data Breaches

Find out if your email or passwords have already been stolen — and get alerted the moment they are in the future.

My recommendation

Have I Been Pwned

The most trusted data breach monitoring service. Free, run by a respected security researcher, and used by governments and companies worldwide.

  1. Check if your email has been breached

    Go to haveibeenpwned.com and enter your email address. The site will show you every known data breach that included your email. Do this for every email address you use.

  2. Check if your passwords have been exposed

    Go to haveibeenpwned.com/Passwords and check any passwords you use. The site uses a clever privacy technique — it never sees your actual password, only a partial hash. If a password appears, stop using it immediately everywhere.

  3. Set up free breach notifications

    On the main page, click "Notify me" and enter your email address. You’ll receive an email alert the moment your address appears in any new breach. It’s free and takes 30 seconds.

  4. Change passwords for any breached accounts

    For every account that appears in a breach, log in and change the password. Use your password manager to generate a new strong, unique password. If you reused that password anywhere else, change it there too.

  5. Enable 2FA on breached accounts

    After changing the password, add two-factor authentication to any account that was breached. See my 2FA guide for how.

💡 Don't panic if you see breaches

Most people have appeared in at least one breach. The important thing is to act: change the password, enable 2FA, and move on. Knowing is better than not knowing.

What is a data breach?

A data breach occurs when hackers gain unauthorized access to a company’s database and steal user records. These records typically include email addresses, passwords (often encrypted, but sometimes not), names, phone numbers, and other personal information. The stolen data is then sold on dark web marketplaces or used directly for fraud.

Data breaches happen constantly. In 2024 alone, billions of records were exposed across hundreds of breaches at companies ranging from healthcare providers to retailers to social media platforms. If you’ve been online for more than a few years, it is almost certain that at least one of your accounts has been involved in a breach.

About Have I Been Pwned

Have I Been Pwned (HIBP) was created in 2013 by Troy Hunt, a respected Australian security researcher and Microsoft Regional Director. The site aggregates data from known breaches and allows anyone to check whether their email address or password appears in the exposed data.

HIBP is trusted by governments, cybersecurity companies, and major technology firms. The FBI and the UK’s National Crime Agency contribute breach data to the service. It is free for individuals and has been used to notify hundreds of millions of people about breaches affecting them.

How the password check works (without exposing your password)

When you check a password on HIBP, the site uses a technique called k-anonymity. Your browser converts your password into a cryptographic hash, then sends only the first 5 characters of that hash to the server. The server returns all hashes that start with those 5 characters, and your browser checks locally whether your full hash is in the list. The server never sees your actual password or its full hash. It’s a clever privacy-preserving design.
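The exchange described above, sketched from both sides as an added example (this is not HIBP's own code). It assumes SHA-1 as the hash and the `SUFFIX:COUNT` line format of the Pwned Passwords range API; `FakeRangeServer`, its toy corpus and the all-zero count-0 line are constructed stand-ins so the example runs offline.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping junk and count-0 lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdecimal():
            continue  # malformed line: ignore rather than trust it
        if int(count) > 0:  # count 0 marks a padding entry, not a real hit
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Client side: send only the prefix, compare the suffix locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

class FakeRangeServer:
    """Constructed stand-in for the server: holds hashes of a toy breach corpus."""
    def __init__(self, corpus):
        self.seen = []  # every value the "server" ever receives
        self.hashes = {"".join(split_hash(p)): n for p, n in corpus.items()}

    def __call__(self, prefix):
        self.seen.append(prefix)
        lines = [f"{h[5:]}:{n}" for h, n in self.hashes.items() if h.startswith(prefix)]
        lines.append("0" * 35 + ":0")  # constructed padding-style entry
        return "\r\n".join(lines)

if __name__ == "__main__":
    server = FakeRangeServer({"password": 10, "letmein": 3})  # constructed sample data
    for candidate in ("password", "a long unique passphrase 7431"):
        print(candidate, "->", pwned_count(candidate, server))
    print("server saw only:", server.seen)
```

The `seen` list is the point of the design: whatever the password, the server side only ever holds a 5-character prefix that many different hashes share.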

Further Reading