Have I Been Pwned: How to Check If Your Email Was in a Data Breach

What Is 'Have I Been Pwned'?

**Have I Been Pwned** (HIBP), available at haveibeenpwned.com, is a free service created by security researcher Troy Hunt that allows anyone to check whether their email address or password has been exposed in a public data breach.

HIBP aggregates data from hundreds of publicly disclosed data breaches — including massive incidents at LinkedIn (2012, 500M), Adobe (2013, 153M), Yahoo (2013-2016, 3B), and many others. The database currently contains over 12 billion compromised accounts.

If your email appears in the database, it means your credentials from that specific service were stolen and made public by hackers.

How to Check Your Email on Have I Been Pwned

Checking your email on HIBP takes less than 30 seconds:

1. Go to **haveibeenpwned.com** 2. Enter your email address in the search box 3. Click **pwned?** 4. Results appear immediately

**If you see green 'Good news'**: No pwnage found. Your email wasn't in any known breach in HIBP's database.

**If you see red 'Oh no — pwned!'**: Your email was found in one or more breaches. Scroll down to see exactly which breaches, what data was exposed (password, username, IP, credit card, etc.), and when it happened.

HIBP is completely safe to use — the service was built specifically to protect users, not to harvest email addresses.

What to Do If You've Been Pwned

If your email appears in a breach, take these steps immediately:

**Step 1**: Change your password on the compromised service (and any other site where you used the same password).

**Step 2**: Enable **two-factor authentication (2FA)** on all important accounts — email, banking, social media, work accounts.

**Step 3**: Check whether the breach included your password. If so, search for that password on HIBP's password checker (passwords.haveibeenpwned.com) to see how many times it's appeared in breaches.

**Step 4**: Monitor your accounts for unusual activity — unfamiliar login locations, emails you didn't send, account changes you didn't make.

**Step 5**: Consider a **credit freeze** if financial data (credit card, SSN) was included in the breach.

**Step 6**: Sign up for HIBP's breach notifications to get alerts if your email appears in future breaches.

Setting Up Breach Notifications

HIBP offers a free **notification service** that emails you whenever your address appears in a new breach. To set it up:

1. Click **Notify me** on haveibeenpwned.com 2. Enter your email address 3. Click the verification link sent to your inbox 4. You'll automatically receive alerts for future breaches

HIBP's notifications are one of the fastest ways to know when your credentials are compromised — often before the affected company publicly discloses the breach.

For organizations, HIBP also offers a **domain monitoring** feature that checks all email addresses at your company domain against breach data. This is invaluable for IT security teams.

Beyond HIBP: Other Breach Check Tools

While HIBP is the gold standard, other tools offer additional breach checking:

**Firefox Monitor** (monitor.firefox.com): Mozilla's breach checking service powered by HIBP data, with a cleaner interface and built-in notifications.

**Google One Dark Web Report**: Available to Google One subscribers, scans dark web sources beyond public breaches.

**Avast Hack Check**: Free service checking email against known breaches, similar to HIBP.

**DeHashed**: More comprehensive (paid) service with detailed breach data for security researchers and IT professionals.

For most users, HIBP plus Firefox Monitor provides excellent coverage at no cost.