There have been thousands of data breaches in the past decade. LinkedIn, Adobe, Dropbox, Yahoo, Facebook, Twitch, Twitter — the list of major platforms that have had user data stolen reads like a directory of the internet. The combined total runs to billions of individual account records.
The question isn’t really whether your email address has appeared in a breach. It probably has. The questions are: which breaches, what data was taken, and what should you do about it.
Have I Been Pwned
Have I Been Pwned (haveibeenpwned.com) is a free service run by Troy Hunt, a well-respected Australian security researcher. It aggregates data from known breaches and allows you to search by email address or phone number to see if your credentials appear in its database.
It currently indexes over 12 billion compromised accounts across hundreds of breaches. The service is free, doesn’t require an account, and is genuinely trustworthy — Troy Hunt has been transparent about how it works and has been recognised by governments and security agencies worldwide.
How to use it
- Go to haveibeenpwned.com
- Type your email address into the search box
- Click “pwned?”
- Read the results. If you’re in breaches, it will tell you which ones and what data was included
- Repeat for every email address you use regularly
If it returns a green “Good news — no pwnage found” screen, your email hasn’t appeared in any breach the service has indexed. That doesn’t mean you’re safe — breaches are discovered and added over time, and some never become public — but it’s a good sign.
Understanding the results
If you appear in breaches, the site shows you each one with details on what was compromised. Common data types include:
- Email addresses — almost always included. Your email is now confirmed as valid and active.
- Passwords — if listed, assume they’re being actively tested against other services. Change them immediately.
- Names, dates of birth, phone numbers — useful for identity theft and targeted phishing. Be extra vigilant about unexpected calls or messages.
- IP addresses — reveal your rough location at the time of the breach.
- Security questions and answers — if you use the same security answers across sites, change them.
What to do when you find yourself in a breach
Work through this list in order of priority:
- Change the password on the specific site that was breached. Use a randomly generated, unique password.
- Check whether you used the same password anywhere else. If you did, change it on every site that shares it. This is the step most people skip and attackers count on.
- Prioritise your email account. If your email password matches anything in the breached data, change it immediately. Enable two-factor authentication on your email if you haven’t already.
- Check your financial accounts for unfamiliar transactions. Attackers often move quickly on financial targets.
- Set up monitoring. Have I Been Pwned lets you register your email for free notifications whenever it appears in a new breach.
The Pwned Passwords feature
Have I Been Pwned also has a “Pwned Passwords” section that lets you check whether a specific password appears in breach data — without entering your email. This is useful for checking whether a password you’re considering using has been seen in previous breaches.
The check uses a technique called k-anonymity: only the first 5 characters of your password’s SHA-1 hash are sent to the service, which returns the known breached hashes that start with those characters, and the results are matched locally. Your actual password is never transmitted.
Other breach monitoring services
Have I Been Pwned is the most trusted free option, but there are others worth knowing about:
- Google Password Checkup — built into Chrome and Google accounts. Automatically checks saved passwords against breach databases.
- Apple’s Security Recommendations — in iOS Settings under Passwords, Apple flags passwords that appear in known data leaks.
- Your password manager. Most major password managers (1Password, Bitwarden, Dashlane) include breach monitoring that automatically alerts you when stored passwords appear in new breaches.
Using any of these consistently is significantly better than not checking at all. Breaches are discovered and published continuously — checking once is not enough.