How to Check If Your Data Has Been Breached

Data breaches happen constantly, and most people find out their credentials were exposed months or years after the fact — if they find out at all. Here’s how to check right now and what to do if your data is out there.

The best tool: Have I Been Pwned

Go to haveibeenpwned.com and enter your email address. The site, run by security researcher Troy Hunt, checks your email against a database of over 12 billion accounts exposed in known breaches. It tells you which breaches your email appeared in and what data was exposed — passwords, phone numbers, physical addresses, and so on.

It’s free, takes about five seconds, and doesn’t require creating an account. Check every email address you use — work, personal, any old addresses that might still be attached to accounts. Most people have at least one hit.

You can also check specific passwords at haveibeenpwned.com/Passwords without the site ever seeing your actual password — it uses a technique called k-anonymity where only part of a hashed version of the password is sent. If your password appears in a breach database, stop using it immediately.

Set up monitoring

Have I Been Pwned lets you sign up for breach notifications — you’ll get an email when your address appears in a new breach as soon as it’s added to the database. This costs nothing and is much better than finding out a year later.

Firefox Monitor (monitor.mozilla.org) offers the same notification service with a slightly different interface. Google’s Password Manager also flags passwords it detects in breach data if you’re using Chrome with saved passwords. Enable whichever fits your existing setup.

What a breach actually means for you

The severity depends on what was exposed. A breach that leaked only hashed passwords (where the stored value is a one-way scramble that an attacker still has to crack before it can be used) is less urgent than one that leaked plaintext passwords. A breach that included your physical address, date of birth, and social security number is more serious than one that just had your email and a username.

Have I Been Pwned lists what was exposed in each breach. Read it carefully. If passwords were included, change the password on that site immediately, and change it on any other site where you used the same password. If financial data was included, monitor your accounts and consider placing a fraud alert with the credit bureaus.

What to do if you find a hit

Change the password on the breached site. Even if the breach was years ago, if you’re still using that password anywhere, change it. Use a password manager to generate a new unique one.

Check for password reuse. If you used the same password on other sites, change those too. This is credential stuffing — attackers take leaked credentials and try them on every major site automatically. Your Netflix, Amazon, and bank account are all targets.

Enable 2FA on the affected account if it’s available. Password alone isn’t enough if your credentials are circulating in breach databases.

For serious breaches (SSN, financial data, government ID exposed): place a credit freeze at all three bureaus — Equifax, Experian, and TransUnion. This prevents anyone from opening new credit in your name. It’s free, takes about 15 minutes, and you can lift it temporarily when you legitimately need new credit.

Breaches you won’t find on Have I Been Pwned

Have I Been Pwned is comprehensive but not exhaustive. Some breaches never get publicly disclosed. Dark web monitoring services (offered by some identity theft protection companies, and increasingly by credit card companies as a free perk) scan for your data in places HIBP doesn’t reach. Experian’s free dark web scan is one option; Discover and Capital One offer this to cardholders at no charge.

The bottom line

Check haveibeenpwned.com with every email address you use. Sign up for breach notifications. If you find a hit, change the affected password and any sites where you reused it. For serious exposures, freeze your credit. Five minutes of checking now saves a significant amount of cleanup later.