A strong, unique password doesn't protect you from a breach you had no part in. If a company you have an account with gets hacked, your email and whatever they stored alongside it can end up in a searchable breach database within days — regardless of how careful you were. The good news is there's a free, well-established way to check exactly which breaches your details have shown up in.
What Have I Been Pwned actually is
Have I Been Pwned (HIBP) is a free breach-search service created in 2013 by Troy Hunt, an Australian security researcher, after the Adobe breach exposed 153 million accounts. It has since grown into the standard reference point in the security industry — as of its most recent milestone, it has loaded data from over 1,000 breached websites, and its API is used by password managers, browser extensions, and even national government cybersecurity teams in dozens of countries.
Two different checks — and neither one requires sending your password anywhere
It's worth being precise about how this actually works, since the mechanism matters for trusting it:
- Email/account breach search (the main haveibeenpwned.com search box): you enter your email address, and it tells you which known breaches include that email — along with what type of data was exposed in each one (passwords, dates of birth, physical addresses, etc.). This doesn't touch your actual password at all; it only checks whether your email address appears in the breach records HIBP has indexed.
- Pwned Passwords (a separate tool): lets you or a password manager check whether a specific password has appeared in known breaches, using a technique called k-anonymity — only a partial hash of your password is ever sent, never the password itself or a full match, so the check happens without HIBP (or anyone intercepting the request) ever seeing your actual password.
Phone number search exists but is limited to specific breaches where phone numbers were part of the exposed dataset (such as the 2019 Facebook breach) — it isn't a general phone-number breach search in the same way the email tool works.
One more thing worth knowing: HIBP doesn't make every breach publicly searchable by email by default. Breaches involving sensitive contexts (like adult content sites) are flagged as "sensitive" and only surface through the email notification service you opt into, not the public search box — a deliberate design choice to avoid inadvertently outing someone by simply looking up their own email.
What to actually do if your email shows up
- Check which specific breach(es) it appeared in, and what data type was exposed for each — a breach that exposed only email addresses is a different level of concern than one that exposed passwords, security questions, or physical addresses.
- If a password was exposed and you've reused it anywhere else, change it everywhere you've used it — not just on the breached site. Reused passwords are exactly what turns one breach into several compromised accounts.
- Turn on two-factor authentication (2FA) on the affected account and anywhere else you can, ideally using an authenticator app rather than SMS.
- Consider a password manager if you're not already using one — it removes the incentive to reuse passwords in the first place, which is the underlying problem breach exposure keeps revealing.
Make it a routine, not a one-off
New breaches get added to HIBP regularly, so a single clean check today doesn't mean you're clear in six months. Set a recurring reminder — every 6 months is a reasonable cadence — to re-check your main email addresses, especially any you've used to sign up for services over many years.