
Check If Your Email Was Breached: HaveIBeenPwned & What to Do Next

Learn how to check if your email was in a data breach, understand the risks, and take immediate action to protect your accounts.


Why Your Email Was Probably Breached

On average, a major data breach occurs every day. In 2025 alone, billions of email addresses and passwords were exposed. The probability that your email address is in at least one breached database is extremely high.

When your email is breached, attackers gain:

  • Your password (if the site stored it)
  • Associated personal information
  • A confirmed email address for spam and phishing

This guide shows you how to check if you’ve been breached and what to do if you have.

Step 1: Check HaveIBeenPwned.com

HaveIBeenPwned (HIBP) is the gold standard for breach checking. Founded by security researcher Troy Hunt, it maintains a database of over 12 billion breached accounts.

Check Your Email

  1. Visit haveibeenpwned.com
  2. Type your email address in the search box
  3. Click Search

Understanding the Results

If No Results Found: Your email doesn’t appear in any breach that HIBP tracks. (Note: This doesn’t mean you’ve never been breached; it means a breach involving your address may not be in HIBP’s data yet.)

If Results Found: You’ll see:

  • Each breached site where your email appeared
  • Date the breach occurred
  • Data that was leaked (password, name, phone, address, etc.)

Example Result

ADOBE
Occurred: 2013-10-04
PASSWORDS
PAYMENT CARDS
EMAIL ADDRESSES

This means your email was in the 2013 Adobe breach that exposed passwords and payment cards.

Step 2: Check Passwordless Sites

Some services let you check for breaches without entering your email directly—useful if you’re cautious about entering info online.

Using Breach Database APIs

If you’re technical, you can use Firefox’s Monitor Plus or 1Password’s features:

Firefox Monitor:

  1. Visit monitor.firefox.com
  2. Enter your email
  3. Firefox checks against HIBP’s database securely

1Password Watchtower:

  1. Use this option if 1Password is your password manager
  2. Open 1Password and go to Watchtower
  3. It scans your vault for passwords in breaches
  4. Shows results without uploading your vault

Step 3: Check Specific Services

Beyond HIBP, some services maintain their own breach databases.

OWASP Breach Database

  1. Visit breachsearch.com
  2. Enter your email
  3. Search across multiple breach databases simultaneously
  4. More comprehensive than HIBP alone

Have I Been Compromised

  1. Visit haveibeencompromised.com
  2. Enter email address
  3. Checks for breaches in multiple sources
  4. May find newer breaches not yet in HIBP

Step 4: Identify Compromised Passwords

Once you know you’ve been breached, identify which passwords were exposed.

If Your Password Was Leaked

The breach result will show PASSWORDS if the site stored passwords. This means attackers have:

  • Your password for that site
  • A password that might work on other sites (if you reused it)

Check If Your Password Was Hashed

Most reputable sites hash passwords (run them through a one-way function so the stored value can’t simply be read back). However:

  • Old breaches (pre-2010) often stored plaintext passwords
  • Unsecured sites may store passwords unencrypted
  • Modern sites use bcrypt or Argon2 hashing

You can’t determine from HIBP whether your password was hashed. Assume all leaked passwords are compromised.

Step 5: Immediate Action Plan

If Passwords Were Exposed

Change your password immediately:

  1. Go to the breached site
  2. Click Forgot password or go to Settings > Change password
  3. Enter a new, unique password (use a password manager to generate one)
  4. Save the new password to your password manager
  5. Enable two-factor authentication if available

Timing: Do this the same day if possible.

Check for Password Reuse

Critical question: Did you reuse this password on other sites?

If yes:

  1. Open your password manager (Bitwarden, 1Password, etc.)
  2. Search for the exposed password
  3. Change it on all sites where it was used
  4. Generate unique passwords for all accounts

This is why password reuse is dangerous. One breach compromises multiple accounts.

Example Scenario

  • You used MyPassword123 on both Netflix and Gmail
  • Netflix gets breached in 2023
  • Attackers now have MyPassword123 and your email
  • They try your email + password on Gmail—it works
  • They’re now in your email, which means they can reset all other accounts

This is called credential stuffing. It’s extremely common.
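The scenario above can be turned into a triage check on your own vault: starting from one breached site, which accounts fall through direct password reuse, and which follow because a compromised mailbox receives their password resets? This is an added example, not part of the original article; the vault layout (account mapped to password and recovery mailbox) and every entry in it are constructed assumptions.

```python
from collections import deque

# Constructed vault export: account -> (password, mailbox that receives its resets)
VAULT = {
    "netflix.example":  ("MyPassword123", "me@gmail.example"),
    "me@gmail.example": ("MyPassword123", None),
    "bank.example":     ("u7#Lq-unique-1", "me@gmail.example"),
    "forum.example":    ("u9!Zx-unique-2", "alt@mail.example"),
    "alt@mail.example": ("k3$Pw-unique-3", None),
}
# Same vault after giving the mailbox its own unique password.
FIXED = dict(VAULT, **{"me@gmail.example": ("Vq8&rT-unique-0", None)})

def blast_radius(vault, breached):
    """Return {account: reason} for every account put at risk by one breached site."""
    exposed_pw = vault[breached][0]
    reached = {breached: "breached directly"}
    queue = deque([breached])
    # Stage 1: every account that reuses the exposed password.
    for acct, (pw, _) in vault.items():
        if acct not in reached and pw == exposed_pw:
            reached[acct] = f"reuses password from {breached}"
            queue.append(acct)
    # Stage 2: follow reset chains. Control of a mailbox means control of
    # every account whose password resets are delivered to it.
    while queue:
        owned = queue.popleft()
        for acct, (_, recovery) in vault.items():
            if acct not in reached and recovery == owned:
                reached[acct] = f"password reset via {owned}"
                queue.append(acct)
    return reached

if __name__ == "__main__":
    for label, vault in (("reused", VAULT), ("unique", FIXED)):
        print(label)
        for acct, why in blast_radius(vault, "netflix.example").items():
            print(f"  {acct}: {why}")
```

With the reused password, the bank account is at risk even though its own password is unique; with a unique mailbox password the damage stops at the breached site.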

Step 6: Enable Two-Factor Authentication (2FA)

After changing your password, enable 2FA on important accounts.

For Email (Gmail, Outlook)

Gmail:

  1. Go to myaccount.google.com
  2. Click Security (left sidebar)
  3. Select 2-Step Verification
  4. Click Get Started
  5. Choose Authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
  6. Scan the QR code with your phone
  7. Enter the 6-digit code
  8. Click Turn on 2-Step Verification

Outlook:

  1. Go to account.microsoft.com
  2. Click Security
  3. Click Advanced security options
  4. Select Additional security verification
  5. Choose Authenticator app
  6. Scan the QR code
  7. Enter the 6-digit code

For Critical Accounts

After your email, enable 2FA on:

  • Password manager (Bitwarden, 1Password, LastPass)
  • Banking (online banking portal)
  • Cloud storage (Google Drive, OneDrive, Dropbox)
  • Social media (Facebook, Twitter, Instagram)
  • Work (Office 365, Slack, GitHub)

2FA types (in order of security):

  1. Authenticator app (Google Authenticator, Authy, Microsoft Authenticator) - Best
  2. Hardware key (YubiKey, Titan Security Key) - Best for critical accounts
  3. SMS codes - Acceptable but vulnerable to SIM swapping
  4. Email codes - Acceptable but depends on email security
  5. Backup codes - Keep offline

Step 7: Monitor for Suspicious Activity

After a breach, watch for signs that attackers are using your credentials.

Check Email Login Activity

Gmail:

  1. Go to myaccount.google.com
  2. Click Security
  3. Scroll to Your devices
  4. Click Manage all devices
  5. Review login locations—do they match your usual locations?
  6. Click Sign out all other sessions if suspicious

Outlook:

  1. Go to account.microsoft.com
  2. Click Security > Recent activity
  3. Review logins—check locations and device types
  4. Sign out suspicious sessions

Check for Account Takeover Attempts

Look for:

  • Password reset emails you didn’t initiate
  • Unusual account activity (emails sent from your account, new passwords set, etc.)
  • Unexpected account access notifications
  • New devices added to your account

Set Up Breach Monitoring

Some services alert you when your email appears in new breaches:

Firefox Monitor Alerts:

  1. Visit monitor.firefox.com
  2. Enter email
  3. Check “Notify me if I’m in a new breach”
  4. You’ll get email alerts for future breaches

HaveIBeenPwned Notifications:

  1. Visit haveibeenpwned.com
  2. Scroll to Notify me
  3. Enter email
  4. Check “I want to be notified of new breaches”
  5. HIBP will email you if your address appears in future breaches

Step 8: Long-Term Prevention

Breaches are inevitable, but you can minimize damage:

Use Unique Passwords

Every account should have a unique password. Use a password manager to generate and store them:

  1. Open your password manager (Bitwarden, 1Password, LastPass, Dashlane)
  2. For each account, generate a new password (12+ characters, mixed case, numbers, symbols)
  3. Save it in your manager
  4. Update the account password

Why unique passwords matter:

  • If one site is breached, only that account is compromised
  • Attackers can’t use your password on other sites
  • Each password is too complex to guess

Use Email Aliases

Create separate email addresses for different account types:

  • Primary email: Your main accounts (email, password manager, banking)
  • Secondary email: Social media, shopping, entertainment
  • Temporary email: Throwaway sites, newsletters

Services for email aliases:

  • SimpleLogin (simplelogin.io): Create unlimited email aliases
  • ProtonMail (protonmail.com): Create subdomains
  • Duck.com (from DuckDuckGo): Hide your real email

Monitor Breaches Continuously

  1. Check HIBP monthly for new breaches
  2. Enable notifications from Firefox Monitor or HIBP
  3. Audit password reuse quarterly using your password manager’s security report
  4. Review account access logs monthly on important accounts (email, banking)

Use a VPN and Privacy Tools

Reduce data collection across the web:

  • VPN: Hide your IP address and browsing from your ISP
  • Privacy browser: Firefox with uBlock Origin
  • DNS over HTTPS: Encrypt DNS queries

Special Cases

If Your SSN Was Breached

If the breach included Social Security numbers:

  1. Place a credit freeze with Equifax, Experian, and TransUnion (all three)
  2. Monitor credit reports at annualcreditreport.com (free annual report from each bureau)
  3. Consider credit monitoring services (often included free after breaches)
  4. Report to FTC at reportidentitytheft.gov

If Your Payment Card Was Breached

  1. Contact your bank immediately
  2. Request a replacement card with a new number
  3. Monitor statements for unauthorized charges
  4. Set up fraud alerts with your credit card issuer

If Your Workplace Was Breached

  1. Notify your company’s IT department if you haven’t heard from them
  2. Follow company procedures for password reset
  3. Update your password to something new
  4. Enable 2FA on corporate accounts if available
  5. Watch for phishing emails targeting employees of breached companies

Conclusion: Stay Vigilant

Data breaches are a fact of modern life. The steps in this guide don’t prevent breaches, but they minimize damage when your data is exposed.

Key Takeaways:

  1. Check HaveIBeenPwned.com regularly
  2. Use unique passwords for every account
  3. Enable 2FA on critical accounts
  4. Monitor your accounts for suspicious activity
  5. Set up breach notifications

Your privacy requires constant vigilance, but these steps make you dramatically more secure than the average person.

Start today: Check your email on HaveIBeenPwned. If you’ve been breached, take action immediately. Your digital security depends on it.
