How to Check If You've Been in a Data Breach

Beginner Time: 5 minutes Category: Data Privacy

Data breaches happen every day, and most people have been affected by at least one without knowing it. Checking whether your information has been exposed takes less than five minutes and tells you exactly which accounts need immediate attention.

Why This Matters

As of 2024, the Have I Been Pwned database contains over 13 billion breached accounts. The average email address appears in at least 2-3 breaches. When your credentials appear in a breach, attackers add them to massive databases used for credential stuffing attacks. If you reuse passwords, a breach on a low-value site like a forum can give attackers access to your bank account. Research from Google and Stanford found that 1.5% of all logins on the web use credentials that have already been exposed in a breach.

Step-by-Step Instructions

  1. Go to https://haveibeenpwned.com/ and enter your primary email address. The site will instantly show you a list of known breaches your email appeared in, along with what data was exposed (passwords, phone numbers, addresses, etc.).
  2. Check any other email addresses you use or have used in the past. Include old email addresses, work emails, and email aliases.
  3. Review each breach in the results. Pay special attention to breaches that include passwords, especially if you were reusing that password on other sites.
  4. For any breach that included your password, immediately change the password on that site and on every other site where you used the same password. Use your password manager to generate unique replacements.
  5. Sign up for free breach notifications at Have I Been Pwned by clicking "Notify me" and entering your email. You will receive an alert any time your email appears in a new breach.
  6. Check https://haveibeenpwned.com/Passwords to see if any of your current passwords have appeared in known breaches. This checks the password hash without transmitting your actual password.

Common Mistakes to Avoid

  • Only checking one email address: Most people have multiple emails. Check all of them, including old addresses you may have forgotten about.
  • Seeing a breach and doing nothing: Knowing about a breach is useless if you do not act. Change compromised passwords immediately.
  • Assuming old breaches do not matter: Breached data remains in circulation permanently. If you still use the same password from a 2015 breach, you are still at risk today.

Additional Tips

  • Many password managers (1Password, Bitwarden) have built-in breach monitoring that will automatically flag compromised passwords in your vault.
  • Google Chrome's built-in Password Checkup and Firefox Monitor also offer breach checking, though Have I Been Pwned is the most comprehensive source.
  • After addressing compromised accounts, use this as motivation to enable 2FA on every account that supports it.

Last updated: February 10, 2026