Have I Been Pwned? How to Check If Your Password Was Leaked

📅 June 2026 · 📖 5 min read

In 2025 alone, over 1.5 billion credentials were exposed in data breaches. The question isn't whether your data has been in a breach; it's which breaches your data has appeared in and what you should do about it.

What Is "Have I Been Pwned"?

Have I Been Pwned (HIBP), created by security researcher Troy Hunt, is a free service that aggregates data from public data breaches. It lets you search for your email address or phone number to see which breaches it appears in. As of June 2026, HIBP indexes over 14 billion compromised accounts across hundreds of breaches.

How to Check Your Email

  1. Visit https://haveibeenpwned.com
  2. Enter your email address and click "pwned?"
  3. Review the results: the site shows which breaches your email appears in, what data was compromised (passwords, names, addresses, etc.), and when the breach occurred
  4. If you appear in any breach, change that password immediately on the affected service and anywhere else you've used that same password

How to Check Your Passwords

HIBP also offers a Pwned Passwords service that lets you check if a specific password has been exposed in a breach without sending the actual password over the network. It uses k-anonymity: you send only the first 5 characters of the password's SHA-1 hash, and the API returns matching hash suffixes.

Other Breach-Checking Tools

What to Do If You've Been Pwned

  1. Change the affected password immediately on the breached service
  2. Change the password on any other accounts that use the same password (credential stuffing is the most common follow-up attack)
  3. Enable 2FA on the affected account and all other important accounts
  4. Use a password manager to generate unique, strong passwords for every account going forward
  5. Monitor your accounts for suspicious activity in the weeks following a breach

Protect every account with a unique, strong password. Generate one now.