Cybersecurity · 2026

Have I Been Pwned: check if your data has leaked

Have I Been Pwned is the reference tool for finding out if your email, password, or phone number is in a publicly exposed data breach. Here's how to use it, what the results actually mean, and what to do within the hour if you discover you've been compromised.

By Heatcord, founder · 11 min read · Updated May 19, 2026
13B+ compromised accounts indexed by HIBP as of May 2026
800+ distinct data breaches added to the database since 2013
k-anonymity cryptographic technique used to check your passwords without ever transmitting them in cleartext

An average data breach exposes between 1 and 100 million records within hours. Adobe in 2013, LinkedIn in 2012 (revealed in 2016), Yahoo in 2014 (revealed in 2016), Collection #1 in 2019, several million scraped Facebook IDs in 2021. With each episode, hundreds of millions of email addresses end up freely circulating on forums and the dark web.

The service Have I Been Pwned (HIBP, created in 2013 by security researcher Troy Hunt) aggregates these publicly verified breaches into a single searchable database. You type in your email, you immediately get the list of breaches your address appears in, with the exact nature of the exposed data (password, phone number, postal address, etc.).

This guide explains step by step how to use HIBP, how to read the results without panicking or minimising, and most importantly what concrete actions to take in the hours following a discovery of compromise.

Context
Understanding data breaches

A data breach happens when a database containing user information is extracted from a service by an attacker, then published or sold. Typical cause: a misconfigured server, a compromised admin account, or an unpatched software vulnerability.

Once the database is out, two paths are possible. The content is sold on a specialised forum to buyers who use it for credential stuffing (trying email/password pairs on other services). Or the content eventually gets posted publicly, and HIBP indexes it after verification.

Three types of data dominate in recent breaches:

Step by step
How to use Have I Been Pwned

The tool fits on a single page. The lookup is anonymous and requires no account.

01
Open the official site

Go to haveibeenpwned.com. Beware of imitations: only this domain is legitimate. Services that ask for payment for the same information should be avoided.

02
Enter an email address or phone number

Type the email address you want to check in the single field in the centre of the page. HIBP also accepts phone numbers in international format (with country code) since the integration of the 2021 Facebook breach.

03
Run the search

Click pwned?. The answer arrives in under a second. No cookie is set, no email address is logged by the service.

04
Read the listed breaches

If your address is compromised, the page shows the list of every breach where it appears. Each breach shows the affected service, the date of the breach, the date of integration into HIBP, and the exact list of exposed fields (email, password, name, etc.).

05
Enable Notify Me for the future

At the bottom of the page, the Notify Me option signs you up for automatic alerts. Whenever a new breach containing your address is added to HIBP, you receive an email. More effective than manual checking.

Screenshot: the Have I Been Pwned home page (';--have i been pwned?) with a single input field (heatcord@example.com), the pwned? button, and the note "Anonymous lookup · 13B+ accounts indexed".
Main interface of Have I Been Pwned: one field, one button, no account needed.

Reading results
Interpreting what you see

HIBP signals two visual states without ambiguity. If your address isn't in the database, the page turns green with the message Good news, no pwnage found!. If it appears in at least one breach, the page turns red with Oh no, pwned!, followed by the detailed list.

Screenshot: the two result banners. Green, "Good news, no pwnage found!": the tested address doesn't appear in any breach indexed by HIBP, stay vigilant. Red, "Oh no, pwned!": the address appears in one or more breaches, and the list appears below.
The two response states: green for no match, red for at least one breach found.

Under a red result, each breach is listed as an independent card. The typical contents of a card:

Element, and what it tells you:
  Service name: Which site was compromised (LinkedIn, Adobe, MyHeritage, etc.)
  Breach date: When the database was extracted by the attacker
  Date added to HIBP: When the breach became publicly verifiable
  Affected accounts: Total volume of the breach (e.g., 167 million for LinkedIn 2012)
  Compromised data: Exact list of exposed fields: email, password (hashed or plaintext), name, phone, etc.

An old breach is still serious

A 2014 breach isn't harmless in 2026. If you still use the same password as in 2014 (or an obvious variant), attackers can still leverage it in credential stuffing attacks. The breach date tells you how old the breach is, not how harmless it is.

Pwned Passwords
Checking a specific password

HIBP also offers a distinct tool, Pwned Passwords, that lets you test whether a specific password appears in the database of exposed hashes (over 850 million unique hashes). Useful before reusing a password or to audit an existing password vault.

The technical subtlety is that you never transmit your entire password to the server. HIBP uses a technique called k-anonymity: your browser computes the SHA-1 hash of the password locally, sends only the first 5 hexadecimal characters of that hash to the server, and receives back the list of every stored hash that shares those 5 characters. The final comparison against that list happens in your browser. HIBP's server never knows which password you tested, only that it started with one of 16^5 possible prefixes.
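To make the k-anonymity flow concrete, here is an added Python example (not code from the article or from HIBP) that performs the client side of the check: hash locally, send only the 5-character prefix, and compare the returned suffixes on your own machine. The real range endpoint URL and the Add-Padding request header are HIBP's own; the range response embedded in CONSTRUCTED_RANGES is a constructed sample in the same "SUFFIX:COUNT" line format, not real API output, so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

PREFIX_LEN = 5  # hex characters of the SHA-1 that are the only thing sent to the server
RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP's real Pwned Passwords range endpoint


def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the 40-char hex SHA-1 into the
    5-char prefix (sent to the server) and the 35-char suffix (never sent)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def match_suffix(suffix: str, range_body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 if the suffix is absent. A padding entry
    (count 0, added when Add-Padding is requested) is reported as 'not seen'."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Full k-anonymity round trip: hash locally, fetch the range for the prefix,
    compare suffixes locally. The fetcher only ever receives the 5-char prefix."""
    prefix, suffix = split_hash(password)
    return match_suffix(suffix, fetch_range(prefix))


def live_fetch(prefix: str) -> str:
    """Fetch a range from the real API (network required; not used by the test).
    Add-Padding asks HIBP to pad the response with zero-count entries so that
    the response length does not reveal the range to a network observer."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). Suffixes and counts are made up for this example,
# including one zero-count padding entry.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
        "012A7CA357541F0AC487871FEEC1891C49C:4",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645192",  # suffix of SHA-1("password")
        "1E9A4A6D3F4CBB0B5CEA59E8B3C8A0E7F12:0",        # padding entry
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for live_fetch that serves the constructed sample; unknown
    prefixes get an empty range, i.e. no match."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        seen = check_password(pw, offline_fetch)
        print(f"{pw!r}: prefix sent = {prefix}, seen {seen} times in the sample range")
```

Swap offline_fetch for live_fetch to query the real service; nothing else changes, which is the point: the password and its full hash never leave check_password's process.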

Screenshot: a Pwned Passwords result ("Your password never leaves your browser"): "Oh no, pwned! seen 3,645,192 times", with the note that the SHA-1 hash of the password was compared against 850M+ known hashes and that only 5 characters of the hash were sent to the server (k-anonymity).
Pwned Passwords returns the exact count of how many times that password has been seen in past breaches. Above 100, consider it burned.

Immediate action
What to do if you're pwned

Discovering your address is in a breach is unpleasant but not catastrophic. The sequence to follow is clear and fits in four acts.

Within the hour of the discovery

  1. Change the password on the affected service. Go directly to the site named in the breach, sign in, and change the password.
  2. Change the password everywhere you reused it. This is the most dangerous scenario. A password reused on 8 services turns into 8 simultaneous breaches.
  3. Enable 2FA (two-factor authentication). On the affected service first, then on all critical accounts: main email, bank, vendor portals.
  4. Check active sessions. Most major services (Gmail, Facebook, banks) let you see and disconnect ongoing sessions. Any unknown device should be disconnected.

In the days that follow

  1. Monitor bank statements for any unusual purchases, especially if the breach included financial information.
  2. Enable anti-phishing filtering on your inbox: exposed addresses are automatically added to target lists used in phishing campaigns.
  3. Contact the responsible service if you believe you've suffered harm (identity theft, fraud). In Europe, GDPR gives data subjects a right to information about the nature and scope of the breach.
  4. Consider reporting to the ICO (UK), CNIL (France), or your country's data protection authority if the breach has serious impact.

If the breach included your password in plaintext

Consider that password burned for life. Never reuse it. And look sceptically at passwords built by variation around it (my-pass-2024 → my-pass-2025). Attackers automate these variations in brute force attacks.

Prevention
Preventing the next leak

You can't stop a service you use from getting breached. You can reduce the impact of a future compromise with simple hygiene.

The six basic reflexes

  1. One unique password per service. When service X falls, service Y stays intact. The most powerful and least respected defence.
  2. A password manager. 1Password, Bitwarden, KeePassXC. The vault generates and stores complex passwords you don't have to remember. Without a manager, the "one password per service" reflex is impossible to maintain.
  3. 2FA on all critical accounts. Main email, bank, password manager, professional platform. Prefer authenticator apps (Aegis, 2FAS, Authy) over SMS, which is vulnerable to SIM swapping.
  4. Secondary emails for risky signups. Forums, betting sites, trial services. A "throwaway" email limits the spread of your main address.
  5. HIBP's Notify Me alert enabled on all your addresses. You'll know immediately when a new breach concerns you.
  6. Regular software updates. Most intrusions go through already-patched vulnerabilities that users haven't applied.

On the professional side

If you run an online business (training, coaching, course sales), your infrastructure's cybersecurity also protects your clients. Pick vendors that host your data in a protective jurisdiction, sign emails by default (SPF/DKIM/DMARC), and encrypt data at rest. That's the default approach at Heatcord for coaches running their webinars from Europe.

FAQ
Common questions

Is Have I Been Pwned reliable and safe?
Yes. The site is run by Troy Hunt, a recognised security researcher and Microsoft Regional Director. HIBP does not store the emails you check: the lookup is anonymous server-side. For passwords, HIBP uses k-anonymity (sending only the first 5 characters of the SHA-1 hash) which prevents the service from learning your actual password.
What does "pwned" mean exactly?
Pwned is gamer slang for owned. Being pwned means one of your personal pieces of information appears in a publicly exposed database following a breach. It can be your email, password, phone number, date of birth, or any other field that was in the breached database.
What data does HIBP index?
HIBP indexes mainly emails, usernames, phone numbers, and certain password hashes from verified public breaches. It does not store your passwords in plaintext: even when the original breach exposed them in plaintext, only a hash is kept, for the Pwned Passwords feature.
What should I do immediately if I'm pwned?
Three actions within the hour: change the password on the affected service and on any other service that shares the same password, enable two-factor authentication (2FA), inspect your active sessions and disconnect any that look suspicious. Then in the following days: monitor your bank statements and report any phishing received on that email.
How often should I check?
Sign up to HIBP's Notify Me service. You'll receive an automatic email whenever a new breach affecting your address is added. That's more effective than manual checking. Still run an active check every six months on your main and secondary addresses.
Are my professional accounts protected differently?
HIBP offers a specific service for domains: Domain Search. By proving you control a domain (DNS TXT or MX), you receive the list of all @yourdomain.com addresses present in breaches. Essential for IT leaders and founders who want to oversee their team's exposure.

Conclusion

Have I Been Pwned doesn't fix any breach. It informs you that you're affected, which is already a lot. The real defence line is daily hygiene: one unique password per service, a manager to remember them, 2FA enabled on critical accounts, and Notify Me as passive monitoring. With these four reflexes, you turn every future breach into a personal non-event: your compromised password only opens one door, you change it, you move on.

Heatcord · your data in Europe

Webinars hosted in Europe, emails signed by default.

Heatcord encrypts your recordings at rest, signs your emails with SPF/DKIM/DMARC, and keeps your audience data on European servers. No third-party trackers, no ad brokers.

See Heatcord