Published: March 2026 | Author: Security Team | Reading Time: 12 minutes
In 2025 alone, over 4.5 billion records were exposed in confirmed data breaches. That's more than half the world's population. The uncomfortable truth is that some of your personal data — email addresses, passwords, phone numbers, maybe even credit card information — has almost certainly appeared in a breach you never heard about.
The question isn't whether you've been breached. It's which breach exposed your data, and what you do about it.
HaveIBeenPwned (HIBP) is the definitive resource for checking whether your information has been caught in a data breach. Created and maintained by security researcher Troy Hunt, it's used by millions of people and contains records from over 600 confirmed data breaches. Here's how to use it effectively.
HaveIBeenPwned aggregates data from public breach disclosures, security researcher disclosures, and submissions from companies that have been breached. It allows anyone to search by email address, phone number, or password to see if their data appears in any known breach.
The site doesn't just say "you were breached" — it shows you:
Most importantly, HIBP is read-only for most users — you're not creating an account or handing over more data to check your existing data.
Step 1: Go to haveibeenpwned.com
Step 2: Enter your email address in the search box
Step 3: Complete the CAPTCHA to prove you're human
Step 4: Review your results
The email check reveals breaches where your email address appeared. This matters because:
Each breach on HIBP is tagged with a "class" that indicates what happened:
| Breach Class | What It Means | Your Risk |
|---|---|---|
| Data columns | Structured data was stolen (emails, passwords) | High if passwords included |
| SQL injection | Website vulnerability exploited to steal data | Medium-High |
| Unprotected Paste | Someone posted a file with user data publicly | High — data is public |
| Exploit | Software vulnerability used to gain access | Medium |
| Shipping capture | Payment info skimmed during checkout | Critical — financial data |
New in 2024: HIBP now supports checking by phone number for users in the US, UK, Canada, and Australia. This uses the phone's carrier lookup to match against the Have I Been Pwned database.
Phone number checking works similarly to email — you enter your number in international format (+1XXXXXXXXXX for US), and HIBP shows breaches where that phone number appeared. This is useful because many breaches in recent years have exposed phone numbers alongside other personal data.
Critical Security Step: Checking if your passwords have been exposed is arguably more important than checking your email. A password in a breach database means attackers can log into the associated account RIGHT NOW, regardless of when the breach occurred.
HIBP's Password Search lets you check if a specific password has appeared in any known breach. This is safe to do because:
Important: Never enter a password into a website you don't trust. HaveIBeenPwned is legitimate and widely respected in the security community — but in general, never type your actual passwords into random sites. For HIBP specifically, you can also use the curl command to check passwords without even using the web interface:
```sh
curl -H "Add-Padding: true" https://api.pwnedpasswords.com/range/YOUR5CHARS
```
This returns all hash suffixes matching your prefix, with padding to prevent timing attacks.
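To make the k-anonymity idea concrete, here is an added example (not code from this article or from HIBP itself) that does the same thing as the curl command from Python: it hashes the password with SHA-1, sends only the first five hex characters of that hash to the range endpoint named above, and compares the remaining 35 characters against the returned list locally, so the full hash never leaves your machine. The sample response embedded in the script is constructed for the example (the hash for "password" is real, the counts are made up), which is what lets the script run offline; `fetch_range` performs the live lookup when you have network access. Lines the server adds for padding carry a count of 0 and are discarded.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Added example, not the article's or HIBP's own code. Only the first five hex
characters of the SHA-1 hash are sent; matching happens on the local machine.
"""
from __future__ import annotations

import hashlib
import urllib.request

# Real endpoint named in the article.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into (first 5 chars, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header the server mixes in dummy suffixes with a
    count of 0 so that responses are a uniform size; those are dropped here
    because they do not represent real breach occurrences.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count_text = line.split(":", 1)
        count = int(count_text)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appeared in breaches, given a range response."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """Full online check: send the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA6...). Shaped like the real API output; the counts are made up, and the
# ":0" entry stands in for a padding line the server adds with Add-Padding.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
011053FD0102E94D6AE2F8B83D76FAF94F6:2
"""

if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print("password seen", breach_count("password", SAMPLE_RESPONSE), "times")
    # For a real check: print(check_live("password"))
```

A non-zero count means the password is in HIBP's corpus and should be retired everywhere it was used; a zero only means it is not in the known breach set, not that it is strong.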
HIBP offers free email notifications through the "Notify me" feature. Instead of manually checking periodically, you get an email when your address appears in a new confirmed breach.
Setting up breach notifications:
You should set this up for every email address you use for important accounts. Yes, even that old Hotmail address from 2003.
Finding your data in a breach doesn't mean you're doomed. It means you need to take specific actions depending on what was exposed.
Risk: Phishing attacks, spam, credential stuffing
Risk: Account takeover if you reused that password anywhere
If your password appears in HIBP's breach database, you MUST change it immediately on every account where you used it. This is non-negotiable. A password in a breach database is a password that attackers have access to.
Risk: Identity theft, social engineering, account recovery fraud
Risk: Fraudulent charges, cloned cards
Some breaches are so large or so commonly used that they're worth checking specifically:
| Breach | Year | Records | What Was Exposed |
|---|---|---|---|
| | 2021 | 700M | Emails, phone numbers, professional info |
| | 2019 | 533M | Phone numbers, Facebook IDs, locations |
| | 2022 | 200M+ | Email addresses, usernames |
| Adobe | 2013 | 153M | Encrypted passwords, payment info |
| MyFitnessPal | 2018 | 150M | Usernames, emails, passwords (hashed) |
| Canva | 2019 | 137M | Names, usernames, emails, passwords |
If you've never checked HIBP before, the odds of finding multiple matches for your email are very high. Don't be alarmed — use it as motivation to improve your security practices.
1. Check your entire digital footprint
Search your email addresses, old email addresses, phone numbers, and even significant other's or family members' emails if they're in your care. Children are increasingly targets for identity theft because their clean credit profiles are valuable.
2. Use the Firefox Monitor integration
Firefox Monitor (monitor.firefox.com) is powered by HIBP and offers the same breach checking. If you use Firefox, you get automatic breach alerts baked into the browser. Mozilla has an excellent track record of protecting user privacy.
3. Integrate HIBP with your password manager
1Password, Bitwarden, and LastPass all offer optional HIBP integration that checks your saved passwords against breach databases. When you log into a site with a password that's appeared in a breach, you'll get a warning. Enable this feature — it's free.
The security mindset: Operating on the assumption that some of your data has already been breached puts you in the right frame of mind for security. Instead of "I hope I haven't been breached," think "I assume some of my info is out there — what protections can I put in place?"
Zero prevention is impossible. Your data has almost certainly touched at least one poorly secured database somewhere. The question isn't whether to react to that fact — it's whether you've put the defenses in place to make breached data useless to attackers.
Strong unique passwords for every account (via a password manager) eliminate the most common attack vector. 2FA on critical accounts means even a compromised password isn't enough. Credit freezes prevent financial identity theft. Monitoring services catch misuse early.
The best time to find out you've been breached was years ago. The second best time is right now, before attackers use your compromised data against you.
HaveIBeenPwned won't protect you from breaches — nothing can do that completely. But it gives you the visibility to know when you've been exposed and the knowledge to respond appropriately. Check it regularly, set up notifications, and use what you learn to improve your security practices going forward.
Your data is likely out there somewhere. Whether that becomes a problem depends on what you've done to prepare.