Every year, companies large and small experience data breaches where usernames, email addresses, and sometimes passwords are stolen. You may have been affected without ever knowing. Checking is free and takes about a minute.

The Free Tool: Have I Been Pwned

HaveIBeenPwned.com is a free, reputable service run by security researcher Troy Hunt and used by governments and companies worldwide. It holds records of billions of leaked accounts from hundreds of known breaches.

To check: go to haveibeenpwned.com, type in your email address, and press pwned?. The site will tell you whether that address appears in any known breach, and if so, which ones.

What the Results Mean

No breaches found

Good news — your email address doesn't appear in any breach the site knows about. That doesn't mean you're guaranteed safe, but it's a positive sign. Check back periodically or sign up for free notifications when new breaches are added.

Breaches found

Don't panic. Most breaches happened at companies you used at some point, and just because your email was in a breach doesn't mean your accounts are currently compromised — especially if you've changed your passwords since. The listing will tell you what type of data was exposed (email only, password, phone number, etc.).

What to Do If You're Listed in a Breach

  1. Change the password for the breached service immediately.
  2. If you used the same password anywhere else, change it there too — this is why unique passwords matter.
  3. Enable two-factor authentication on the affected account. See our 2FA guide.
  4. Watch for phishing emails targeting you using information from the breach.

Check Your Passwords Too

HaveIBeenPwned also lets you check individual passwords (without telling them your actual email). You can check whether a specific password appears in any known breach — useful for testing passwords you've used in the past. The check is done securely using a technique called k-anonymity, meaning your full password is never sent to the site.

Only check using the official site at haveibeenpwned.com. Be wary of lookalike sites with similar names that may be collecting email addresses.

If you want help working through what to do after finding a breach, ask us.