What is Have I Been Pwned? How to Check if You're Breached

What Is Have I Been Pwned?

Have I Been Pwned (HIBP) is a free service created by security researcher Troy Hunt that lets you check whether your personal data has been exposed in known data breaches. Since its launch in 2013, it has become the definitive resource for breach notification, cataloging billions of breached records from thousands of data breaches.

The name comes from internet slang — “pwned” means compromised or owned, originating from gaming culture. If your email appears in the database, your account data has been exposed in at least one breach.

How Data Breaches Happen

Data breaches occur when attackers gain unauthorized access to a company’s database. Common attack vectors include:

  • SQL injection — Exploiting vulnerabilities in web applications to extract database contents.
  • Credential stuffing — Using leaked username and password pairs from one breach to access other services.
  • Phishing — Tricking employees into revealing login credentials.
  • Misconfigured databases — Databases accidentally exposed to the public internet without authentication.
  • Supply chain attacks — Compromising a third-party vendor to gain access to a larger target.

Major breaches have affected billions of accounts. LinkedIn, Adobe, MyFitnessPal, Canva, and countless other services have been breached, often exposing email addresses, passwords (sometimes in plaintext or weakly hashed), names, phone numbers, and other personal data.

What Gets Exposed in a Breach

The specific data varies by breach, but commonly includes:

  • Email addresses — Almost always included and used as the primary identifier.
  • Passwords — Sometimes hashed, sometimes in plaintext. Fast, unsalted hashes (MD5, SHA-1) can be cracked quickly.
  • Names and usernames — Often included in the account record.
  • Phone numbers — Frequently stored for account recovery or two-factor authentication.
  • Physical addresses — Common in e-commerce and service breaches.
  • Financial data — Credit card numbers or bank details in severe cases.
  • IP addresses and device info — Can reveal location and browsing habits.

How to Check Your Email

Using Have I Been Pwned

  1. Visit haveibeenpwned.com
  2. Enter your email address in the search box
  3. Click “pwned?” to see results

The site will list every known breach that includes your email address, along with the date, the types of data exposed, and a brief description of the incident.

Subscribe to Notifications

HIBP offers a free notification service. Enter your email address on the notification page, verify it, and you will receive an automatic alert whenever your email appears in a newly added breach. This is one of the most valuable security measures you can take.

How to Check Your Passwords

Checking passwords requires extra care because you should never type your actual password into a third-party website. HIBP’s password check uses a clever privacy-preserving technique called k-anonymity:

  1. Your password is hashed locally using SHA-1
  2. Only the first 5 hexadecimal characters of the hash are sent to the API
  3. The API returns every known breached hash that shares that 5-character prefix
  4. Your device checks locally whether the full hash appears in the returned list

Your actual password and its full hash never leave your device. The API sees only a short prefix shared by many unrelated hashes, so it cannot tell which one you are checking.
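
The four steps above as an added, runnable example (not code from HIBP or passforge). The range response is a constructed sample keyed by prefix so it runs offline; the live fetcher assumes the public endpoint `https://api.pwnedpasswords.com/range/<prefix>` and its optional `Add-Padding` header, whose padding rows (count 0) must be ignored.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix 5BAA6 (the SHA-1 prefix of
# "password"). Real responses hold hundreds of lines; these counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2F5FA0BF0F3E24A4DA8E4E6D0A2B5D3EE:0",
    ]),
}

def split_sha1(password):
    """Hash locally; only the 5-character prefix ever leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding rows."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_offline(prefix):
    """Stand-in for the network call so the example runs without internet."""
    return SAMPLE_RANGES.get(prefix, "")

def fetch_range_live(prefix):
    """Real range query (assumed public endpoint; needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch_range=fetch_range_offline):
    """Times the password was seen in breaches; 0 means not in the range."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

Pass `fetch_range_live` as the second argument of `pwned_count` to query the real service; the local matching logic is identical.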

The passforge Breach Checker implements this same k-anonymity approach directly in your browser. Enter a password, and it checks against the HIBP Pwned Passwords database without ever sending your password over the network.

What to Do If You Are Breached

Step 1: Change Affected Passwords Immediately

If a breached service used a password you also use elsewhere (and you should not be reusing passwords), change it on every site where it was used. Use the passforge Password Generator to create a unique, strong password for each account.

Step 2: Enable Two-Factor Authentication

Add 2FA to every breached account and all other important accounts (email, banking, social media). This ensures that even if an attacker has your password, they cannot access your account without the second factor.

Step 3: Monitor Financial Accounts

If financial data was exposed, monitor your bank and credit card statements for unauthorized transactions. Consider placing a credit freeze with the major credit bureaus (Equifax, Experian, TransUnion) to prevent new accounts from being opened in your name.

Step 4: Watch for Phishing

After a breach, attackers often send targeted phishing emails using the breached data to appear legitimate. Be extra cautious about emails claiming to be from the breached service, especially those asking you to “verify your account” or “reset your password” via a link.

Step 5: Use a Password Manager

If this breach revealed that you reuse passwords, now is the time to adopt a password manager. Generate unique passwords for every account so a single breach never cascades across your digital life.

Breach Statistics

The scale of data breaches is staggering. HIBP has cataloged over 700 breached sites and over 12 billion compromised accounts. Some notable breaches include:

  • Collection #1 — 773 million unique email addresses from aggregated breach data
  • LinkedIn (2012/2021) — 700+ million records scraped and sold
  • Adobe (2013) — 153 million records with poorly encrypted passwords
  • MyFitnessPal (2018) — 150 million accounts

These numbers underscore why unique passwords and breach monitoring are essential, not optional.

Check Your Security Now

Start by checking your email on Have I Been Pwned, then use the passforge Breach Checker to verify that your current passwords have not appeared in any known breaches. Follow up with the Password Strength Checker to ensure your passwords meet modern security standards.