Privacy & Data · Global

How to Check If Your Email or Password Was Exposed in a Data Breach (Have I Been Pwned, Explained Properly)

A strong, unique password doesn't protect you from a breach you had no part in. If a company you have an account with gets hacked, your email and whatever they stored alongside it can end up in a searchable breach database within days — regardless of how careful you were. The good news is there's a free, well-established way to check exactly which breaches your details have shown up in.

What Have I Been Pwned actually is

Have I Been Pwned (HIBP) is a free breach-search service created in 2013 by Troy Hunt, an Australian security researcher, after the Adobe breach exposed 153 million accounts. It has since grown into the standard reference point in the security industry — as of its most recent milestone, it has loaded data from over 1,000 breached websites, and its API is used by password managers, browser extensions, and even national government cybersecurity teams in dozens of countries.

Two different checks — and neither one requires sending your password anywhere

It's worth being precise about how this actually works, since the mechanism matters for trusting it:

Phone number search exists but is limited to specific breaches where phone numbers were part of the exposed dataset (such as the 2019 Facebook breach) — it isn't a general phone-number breach search in the same way the email tool works.

One more thing worth knowing: HIBP doesn't make every breach publicly searchable by email by default. Breaches involving sensitive contexts (like adult content sites) are flagged as "sensitive" and only surface through the email notification service you opt into, not the public search box — a deliberate design choice to avoid inadvertently outing someone by simply looking up their own email.

What to actually do if your email shows up

  1. Check which specific breach(es) it appeared in, and what data type was exposed for each — a breach that exposed only email addresses is a different level of concern than one that exposed passwords, security questions, or physical addresses.
  2. If a password was exposed and you've reused it anywhere else, change it everywhere you've used it — not just on the breached site. Reused passwords are exactly what turns one breach into several compromised accounts.
  3. Turn on two-factor authentication (2FA) on the affected account and anywhere else you can, ideally using an authenticator app rather than SMS.
  4. Consider a password manager if you're not already using one — it removes the incentive to reuse passwords in the first place, which is the underlying problem breach exposure keeps revealing.

Make it a routine, not a one-off

New breaches get added to HIBP regularly, so a single clean check today doesn't mean you're clear in six months. Set a recurring reminder — every 6 months is a reasonable cadence — to re-check your main email addresses, especially any you've used to sign up for services over many years.