Almost every adult with an email address has had their information exposed in a data breach by now. The question isn't "has it happened?", it's "which accounts and how bad?". Here's how to find out in two minutes, what to do about what you find, and how to get alerted next time.
The Canonical Tool: Have I Been Pwned
haveibeenpwned.com is the canonical breach-check website. It's free, run by Australian security researcher Troy Hunt, and trusted by Microsoft, Mozilla, and almost every password manager in the world. The site keeps a searchable index of every known data breach.
You type in your email address, and it tells you:
- Which breaches your email has appeared in.
- What information was exposed (password, phone number, security questions, etc.).
- When the breach happened.
It won't show you the actual stolen data. It just tells you whether you're in a breach.
Did you know?
As of 2026, Have I Been Pwned tracks over 13 billion breached accounts across 700+ known breaches. The LinkedIn, Adobe, MyFitnessPal, Canva, and Ticketmaster breaches alone account for hundreds of millions of records. If you've been online for a decade, assume you're in at least one.
How to Use It (Step by Step)
- Go to haveibeenpwned.com.
- Type in your email address and click "pwned?". (The site owner chose the name as a joke from early internet slang. It means "owned" or "compromised".)
- Read the results. If the page goes green ("Good news. No pwnage found."), you're clean on this email. If it goes red, scroll down to see the list of breaches.
- For each breach listed, note what was exposed. The usual categories are passwords, email addresses, names, phone numbers, and sometimes sensitive items like security questions or physical addresses.
- Check each email address you use. Work email, personal email, any old ones you still access.
Checking a Password
Have I Been Pwned also has a password checker at haveibeenpwned.com/Passwords. It uses a clever technique (called k-anonymity) that lets you check a password against known breaches without actually sending your password over the internet. Your password never leaves your browser.
If it comes back as "pwned", that password has shown up in a breach somewhere and is in every scammer's password-guessing dictionary. Change it, everywhere you use it, immediately.
What to Do With What You Find
For each breach that includes your email:
- If your password was exposed: Change it on that site, and anywhere else you reused it. This is why unique passwords per site matter.
- Turn on multi-factor authentication. Even if your password is exposed, MFA blocks the login.
- If security questions were exposed (mother's maiden name, first pet, etc.): Change the answers on any site that uses them. Use a password manager to store random fake answers.
- If your phone number was exposed: Expect SMS scams and spam calls for weeks. You may want to register with Canada's National Do Not Call List or the US Do Not Call Registry.
- If your physical address was exposed: Usually no immediate action, but be more alert to mail-based scams (fake bank statements, fake "prize you've won" letters).
Subscribe to Free Breach Alerts
On haveibeenpwned.com, click "Notify me" and enter your email. Verify with the confirmation link. From then on, whenever Troy adds a new breach that includes your address, you get an email.
This is one of the single most useful free things on the internet. It tells you when to change a password, usually within days of a breach becoming public.
Other Tools Worth Knowing
- Mozilla Monitor (formerly Firefox Monitor). Uses Have I Been Pwned's data but has a friendlier interface. Includes a paid plan that scans data-broker sites and requests removal of your info.
- Password manager built-ins. 1Password's Watchtower, Bitwarden's Vault Health Reports, and Apple Passwords' compromised-password alerts all check your stored passwords against breach data and flag the risky ones. If you use a password manager (and you should), turn these on.
- Identity Theft Resource Center. US-focused, but it offers useful tools and a free support line.
What the Tool Can't Tell You
- Private breaches. If a company was breached but never disclosed, it won't be in the database. This is why unique passwords still matter, even if your email isn't currently in any listed breach.
- Scraped-not-breached data. Some "breaches" are just data scraped from public profiles (LinkedIn, Facebook). The info was technically public, but now it's packaged and for sale. Still worth knowing.
- Whether someone is actively using your data. The site just tells you your data was exposed. Whether a scammer is currently using it is a separate question.
Going Deeper
- Set up unique passwords and a password manager so one breach stops at one account: our free course Simple Strategies to Be Secure Online.
- Got a "we've been breached" email from a company and not sure what to do? See our data-breach playbook.
- Paste the breach notification into Dave for a personalized walk-through.