Your Password May Already Be Stolen: Check for Data Breaches Right Now

When a website you use gets hacked, your email address and password can end up in criminal databases within hours — often without any warning from the service. The RockYou2021 compilation alone contained more than 8 billion unique passwords, many still being tested against active accounts today.

The good news is that three free tools can scan billions of known leaked records and show you exactly which accounts are at risk — in under five minutes. Checking is the first step; knowing what to do afterward makes the real difference.

Quick Answer

Go to HaveIBeenPwned.com and enter your email address. If any breaches appear, change that account’s password immediately using a unique, strong passphrase. Then enable two-factor authentication on that account and every other account that shared the same password.

How to Check Whether Your Passwords Were Leaked

Method 1: Have I Been Pwned

Have I Been Pwned (HIBP), built by security researcher Troy Hunt, is the gold standard for breach checking. It indexes over 12 billion compromised accounts from thousands of data breaches.

1. Go to haveibeenpwned.com.
2. Type your email address into the search bar and press pwned?
3. A green result means no known breaches. A red result lists every breach your address appeared in, including what data was exposed — passwords, phone numbers, or home addresses.
4. Click any breach name to read its description and the date it occurred.
5. Repeat for every email address you use regularly.

Checking a specific password: Click Passwords in the navigation and type the password directly. HIBP uses a k-anonymity model — only the first five characters of a hashed version are sent, so your real password never leaves your device.

Pro tip: Use HIBP’s free notification service — click Notify me on the homepage — to receive an automatic email alert the moment your address appears in a new breach.

Method 2: Google Password Checkup

If you save passwords in Chrome or your Google Account, the built-in Password Checkup scans all stored credentials against known breach data automatically.

1. Open Chrome and navigate to chrome://password-manager/passwords.
2. Click Check passwords at the top of the page.
3. Google flags any saved passwords that were exposed in a breach, are too weak, or are reused across multiple sites.
4. For each flagged password, click Change password to update it on that site directly.

Alternatively, visit myaccount.google.com/security-checkup and open the Password Manager section for the same results.

Troubleshooting tip: If the Check Passwords button is greyed out, confirm you are signed in to Chrome with your Google Account and that sync is enabled under Settings > You and Google > Sync.

Method 3: Mozilla Monitor

Mozilla Monitor (formerly Firefox Monitor) queries the same HIBP database but adds a personal dashboard that tracks your exposure history over time and sends email alerts for new breaches.

1. Visit monitor.mozilla.org.
2. Enter your email address and create a free account.
3. Mozilla displays all past breaches linked to that address and monitors for new ones automatically.

Comparing the Three Tools

Tool	Email breach check	Saved-password check	Ongoing alerts	Free
Have I Been Pwned	Yes	Yes (manual)	Email	Yes
Google Password Checkup	No	Yes (automatic)	Automatic	Yes
Mozilla Monitor	Yes	No	Email	Yes

What to Do When a Breach Shows Up

Finding your email in a breach list is not a reason to panic — it is a prompt to act quickly.

1. Change the compromised account’s password first. Use at least 12 characters and make it unique to that site.
2. Find every account using the same password. Attackers run automated tools that test leaked passwords across hundreds of sites simultaneously. Change every duplicate immediately.
3. Enable two-factor authentication (2FA). Even if an attacker has your correct password, 2FA stops them from completing the login. See our guide on how to set up two-factor authentication on your most important accounts.
4. Switch to a dedicated password manager. A password manager generates and stores a unique password for every site, eliminating reuse permanently. Bitwarden is free and takes about 10 minutes to configure.
5. Watch for targeted phishing emails. After a breach, criminals use the exposed data to craft convincing fake login requests. Treat any unexpected “verify your account” message with suspicion.

Common Mistakes to Avoid

• Checking only one email address. Most people accumulate two to four addresses over the years. An old address you rarely check can still unlock active accounts through password-reset links — search all of them. Fix: run HIBP on every address you’ve ever used.
• Changing only the breached account’s password. Every site sharing that password carries equal risk. Fix: search your password manager or memory for reused passwords and update each one.
• Dismissing old breaches. A leak from 2019 still matters if you haven’t changed that password — stolen credentials are resold and tested for years. Fix: treat any flagged breach as urgent regardless of its date.
• Assuming a clean result means you’re fully safe. Not every breach is reported or indexed quickly. Fix: combine breach checks with unique passwords, a password manager, and 2FA for layered protection.
• Entering passwords into unfamiliar “checker” websites. Unknown sites may be collecting the passwords you type to check. Fix: use only the three trusted tools listed above.

Frequently Asked Questions

Is it safe to enter my email on Have I Been Pwned?
Yes. HIBP is maintained by security researcher Troy Hunt and is trusted by governments and cybersecurity agencies worldwide. Only your email address is submitted — no password or payment details are ever required.

What if my email doesn’t show up in any breach?
It means your address isn’t in the current HIBP or Mozilla Monitor databases — not that it was never exposed. Enable breach notifications and keep using unique passwords as a precaution.

Can I check someone else’s email address?
You can enter any email in HIBP’s search, but results show only breach names and dates — not passwords or other personal data.

How often should I run a breach check?
Sign up for HIBP or Mozilla Monitor alerts so you’re notified automatically. If you prefer manual checks, every three to six months is a sensible habit.

Will changing my password remove my data from breach databases?
No. Once data is leaked it remains in those databases permanently. Changing your password simply means the exposed credential is no longer valid for logging in.

Do these tools work for business email addresses?
Yes. HIBP offers a free domain-wide search so IT teams can check every address on a company domain at once — visit haveibeenpwned.com/DomainSearch.

Conclusion

Running a data breach check takes less time than making a cup of coffee and can prevent account takeovers that take weeks to reverse. Check your addresses on Have I Been Pwned, run Google Password Checkup on your saved credentials, and sign up for breach notifications so you’re never caught off guard again. Start with your primary email — right now.

Last updated: June 22, 2026