Your email is probably already leaked — here's how to check
25 Jun 2026 · 3 min read · Comments
This article contains affiliate links. If you buy through them, we may earn a commission — at no extra cost to you.
Not "might be." Probably is. Data breaches are so common, and have been for so long, that most email addresses used for more than a few years appear in at least one. Here's the free tool that tells you in thirty seconds.
Every year, hundreds of companies leak user data. Sometimes it's a small forum from 2013 that nobody remembers signing up for. Sometimes it's a major retail chain, a healthcare provider, a social network. The data goes into circulation — sold, traded, uploaded to public repositories — and it stays there.
You signed up for something years ago with your main email and a password you reused elsewhere. That site was breached. Now that email-and-password combination is in a list that gets tried against Gmail, Amazon, banking apps. You may have no idea this is happening.
The check: Have I Been Pwned
Have I Been Pwned is a free database built by security researcher Troy Hunt. It indexes breach data — billions of records — and lets you search by email address to see which breaches it appears in, and what data was included.
What to do when you find a match
If your email appears in a breach that included passwords, assume those passwords are compromised — whether or not you remember using them. Change those passwords immediately on any account where you still use them, and on any account where you used a variation of them.
- Search your email at haveibeenpwned.com: it's free and instant
- If you appear in a breach with passwords, change that password everywhere it was used
- Enable breach monitoring — HIBP will email you when your address appears in new breaches
- Use a password manager going forward so each account has a unique password that limits future damage
The check takes thirty seconds. Most people who do it find at least one breach they weren't aware of. A few find a dozen. The number is less important than what you do next.
Frequently asked questions
What is credential stuffing?+
Credential stuffing is when attackers take email and password combinations exposed in one breach and automatically try them against other services. If you reuse passwords, a breach at one site gives attackers access to every account with the same credentials.
Is it safe to store all your passwords in one place?+
Yes, when using a reputable password manager. The encrypted vault is far more secure than reused or weak passwords. Password managers like NordPass use zero-knowledge architecture — meaning even the company cannot see your stored passwords.
What is two-factor authentication and should I use it?+
Two-factor authentication (2FA) requires a second verification step beyond your password — typically a code from an app. Use an authenticator app (Google Authenticator, Authy) rather than SMS codes, which are vulnerable to SIM-swap attacks.
