Billions of email addresses and passwords have been exposed in data breaches over the years — from major leaks at LinkedIn, Adobe, Dropbox, and dozens of other services. The chances are at least one of your accounts has been caught up in a breach at some point. The good news is there is a free tool that lets you check in seconds, and taking action is straightforward once you know what to look for.
How to Check Using Have I Been Pwned
The most reliable and widely trusted tool for checking exposed credentials is Have I Been Pwned, run by security researcher Troy Hunt. It holds a database of over 12 billion compromised accounts gathered from known data breaches.
- Go to haveibeenpwned.com in your browser.
- Enter your email address in the search box.
- Click pwned?
- The site will tell you whether your email address appears in any known breaches, and which ones.
If you see a red result, your email address was found in one or more breaches. It will show you the name of each breach, when it occurred, and what data was exposed — which might include your email, password, name, phone number, or other details.
A green result means your email was not found in any known breaches in their database. It does not guarantee you have never been breached — just that your address has not appeared in any of the datasets they have collected.
How to Check If a Specific Password Has Been Leaked
Have I Been Pwned also lets you check whether a specific password has appeared in a breach — without ever sending your actual password to the site.
- Go to haveibeenpwned.com/Passwords.
- Type the password you want to check into the search box.
- Click pwned?
The site uses a technique called k-anonymity: it only sends the first five characters of a hashed version of your password to check against the database. Your actual password never leaves your device. If the result shows a number greater than zero, that exact password has appeared in a breach. Stop using it immediately on any account where it is active.
What to Do If Your Email or Password Was Found
Finding your details in a breach sounds alarming, but most of the time the breach happened years ago and the immediate risk has passed. Here is what to do:
1. Change your password on the affected service
Log in to the service named in the breach and change your password immediately. Use a long, unique password that you do not use anywhere else.
2. Change the same password everywhere else you used it
Password reuse is the biggest risk from data breaches. If you used the same password on multiple sites, attackers will try it on all of them — a technique called credential stuffing. Change it on every site where you used that password.
3. Enable two-factor authentication
Once your password is changed, set up two-factor authentication on the account. Even if your new password is later leaked, attackers still cannot get in without the second factor.
4. Check for any suspicious activity
Log in to the affected account and check recent activity — sign-in history, sent emails, purchases, or any changes to account details. If you spot anything you did not do, change your password immediately and check whether any connected accounts have been affected.
Can I Set Up Alerts for Future Breaches?
Yes. Have I Been Pwned offers a free notification service. Enter your email address on the site and click Notify me. If your email address appears in a future breach, you will receive an alert automatically. This is worth setting up for all email addresses you use regularly — personal, work, and any old addresses you still have active.
Using a Password Manager to Prevent the Problem
The root cause of most credential breach damage is password reuse. If every account uses a unique, randomly generated password, a breach at one site cannot be used to access any other. A password manager generates and stores unique passwords for every account automatically — you only need to remember one master password.
Many password managers — including 1Password and Bitwarden — also have built-in breach monitoring that alerts you when any of your stored credentials appear in a new breach database.
What If I Find Dozens of Breaches?
Do not panic. If you have been online for more than a decade, finding your email in several breaches is common. Work through the list methodically: change passwords on the most sensitive accounts first — email, banking, Microsoft, Google — then work through the others. As long as you use unique passwords going forward, the risk from old breaches is largely contained.
If you are concerned a recent breach has led to unauthorised access to your accounts, read our guide on what to do if you think you have been hacked for the immediate steps to take.
