Check Whether Your Email Was in a Data Breach
Billions of email addresses and passwords have been exposed in data breaches. Here's how to check for free if yours was included — and exactly what to do if it was.
On this page
Every year, companies large and small experience data breaches where usernames, email addresses, and sometimes passwords are stolen. You may have been affected without ever knowing. Checking is free and takes about a minute.
The Free Tool: Have I Been Pwned
HaveIBeenPwned.com is a free, reputable service run by security researcher Troy Hunt and used by governments and companies worldwide. It holds records of billions of leaked accounts from hundreds of known breaches.
To check: go to haveibeenpwned.com, type in your email address, and press pwned?. The site will tell you whether that address appears in any known breach, and if so, which ones.
What the Results Mean
No breaches found
Good news — your email address doesn't appear in any breach the site knows about. That doesn't mean you're guaranteed safe, but it's a positive sign. Check back periodically or sign up for free notifications when new breaches are added.
Breaches found
Don't panic. Most breaches happened at companies you used at some point, and just because your email was in a breach doesn't mean your accounts are currently compromised — especially if you've changed your passwords since. The listing will tell you what type of data was exposed (email only, password, phone number, etc.).
What to Do If You're Listed in a Breach
- Change the password for the breached service immediately.
- If you used the same password anywhere else, change it there too — this is why unique passwords matter.
- Enable two-factor authentication on the affected account. See our 2FA guide.
- Watch for phishing emails targeting you using information from the breach.
Check Your Passwords Too
HaveIBeenPwned also lets you check individual passwords (without telling them your actual email). You can check whether a specific password appears in any known breach — useful for testing passwords you've used in the past. The check is done securely using a technique called k-anonymity, meaning your full password is never sent to the site.
If you want help working through what to do after finding a breach, ask us.
Frequently asked questions
Is it safe to type my email address into Have I Been Pwned?
Yes. HaveIBeenPwned is a trusted, widely used security tool. Your email address is transmitted securely. The site does not store your query or sell your data. It's endorsed by the Australian government, the UK's National Cyber Security Centre, and many others. The only thing you learn from entering your email is whether it appears in known breaches.
My email was in a breach from 5 years ago. Do I need to worry?
It depends on whether you've changed your password since the breach. If you have, and you weren't using the same password on other sites, the old breach is unlikely to cause you problems now. If you're still using the same password, or used it elsewhere, change it now. It's also worth enabling 2FA on that account regardless.
Comments & Questions (0)
No comments yet — be the first to ask. Comments appear after review.
Leave a comment
Your comment appears after our team approves it. Or sign in to post faster.