Introduction
Have I Been Pwned, the world's most trusted breach database, recently processed nearly 2 billion unique email addresses — about 1,957,476,021 to be exact — along with 1.3 billion unique passwords, sourced from credential stuffing lists circulating among cybercriminals. That is one dataset from one collection. The total picture is much larger.
The service's database now aggregates data from publicly disclosed breaches and contains over 17 billion compromised account records.
The question is not really “has my email been in a breach?” — it almost certainly has. The question is which breaches, what data was exposed, and what you should do about it right now.
This guide walks you through every available tool for checking, explains what the results actually mean, and gives you a clear action plan regardless of what you find.
1. Step 1: Check Have I Been Pwned (Start Here)
haveibeenpwned.com is the gold standard for breach checking. It was built by independent security researcher Troy Hunt in 2013 and has remained the most trusted public service in this space. It is free, requires no account, and is widely used by governments, law enforcement, and security teams worldwide.
How to use it
- Go to haveibeenpwned.com
- Type your email address into the search bar
- Click the “pwned?” button
- Read the result
That is it. No account needed. No password required — and never enter your password into any breach-checking service.
What the results mean
Green: “Good news — no pwnage found”
Your email address was not found in any breach currently indexed by HIBP. This is good news, but not a guarantee of safety for two reasons: HIBP covers known, publicly disclosed breaches, but not every breach becomes public immediately; and some credentials circulate in private criminal networks before they surface publicly. Still, a clean result means you are in better shape than most.
Red: “Oh no — pwned!”
Your email address appeared in one or more breach databases. HIBP will show you a list of the specific breaches, what data was included (email, password, name, phone, address, etc.), and when each breach occurred.
Do not panic. Being listed does not mean your accounts have been actively compromised. It means your data was exposed in a breach at that service, and criminals have access to it. Whether they have used it depends on what data was exposed and whether you have taken protective steps since.
Check your passwords too
HIBP also offers a separate Pwned Passwords tool at haveibeenpwned.com/Passwords. You can check whether a specific password has appeared in breach databases. It uses a clever privacy-preserving technique — your actual password is never sent to HIBP's servers; only a partial hash is transmitted, so the check is safe.
If a password you currently use appears in Pwned Passwords, change it immediately everywhere you have used it.
Set up free email alerts
Once you have checked, set up monitoring so you are notified automatically when your email appears in future breaches:
- On the results page, click “Notify me when I get pwned”
- Enter your email address
- Confirm via the verification email HIBP sends you
HIBP has 971 breached sites currently listed, and new breaches are added regularly. The alert service is free and sends a notification each time your address appears in a newly indexed breach. This is one of the most useful passive security measures you can set up in two minutes.
2. Step 2: Check Google Password Manager
If you use Chrome or a Google account and have passwords saved, Google's Password Checkup scans them against known breach databases automatically.
Note: Google discontinued its standalone Dark Web Report tool in February 2026, which had actively scanned dark web breach dumps for your personal information. Scanning stopped on January 15, 2026, and the feature was removed entirely on February 16, 2026. The company said feedback indicated the tool did not provide useful follow-up guidance. If you previously relied on Google's dark web monitoring, that protection is gone — replace it with HIBP alerts and one of the alternatives below.
What Google still offers:
Password Checkup — scans your saved Chrome passwords against breach databases and flags credentials that are compromised, reused, or weak. To access it:
- Go to passwords.google.com
- Click “Check passwords” or look for the “Password Checkup” section
- Review any flagged passwords and follow the prompts to change them
Security Checkup — reviews your Google account's overall security posture:
- Go to myaccount.google.com/security-checkup
- Look for flagged items in the security status panel
- Address anything marked with a warning
Password Checkup is most useful if Chrome is your primary browser and you have been saving passwords there. If you use a dedicated password manager (Bitwarden, 1Password, etc.), those tools have their own breach monitoring built in — use those instead.
3. Step 3: Check with Your Password Manager
If you use a dedicated password manager, it likely includes breach monitoring that goes beyond what HIBP offers for standalone email checks:
- Bitwarden: Data Breach Reports (Tools → Reports). Checks stored credentials against HIBP's database and flags compromised items.
- 1Password: Watchtower checks passwords against breach databases, identifies reused passwords, flags weak passwords, and highlights accounts that support two-factor authentication but don't have it enabled.
- NordPass: Data Breach Scanner checks emails associated with your accounts against known breaches.
- Proton Pass: Dark Web Monitoring alerts you when your email or passwords appear in known breaches (paid plans); also runs the independent Data Breach Observatory that scans for leaked data as it surfaces.
If you are using any of these managers, check their breach monitoring section now — it gives you a comprehensive view across all your stored accounts rather than checking one email at a time. See our Best Password Managers 2026 guide for choosing a manager.
4. Step 4: Other Tools Worth Checking
Firefox Monitor (monitor.firefox.com)
Mozilla's Firefox Monitor uses the same HIBP database but presents results in a browser-integrated interface. If you use Firefox, this is a convenient alternative. Free with a Mozilla account, and it supports monitoring multiple email addresses simultaneously.
Substack, LinkedIn, Shopify — check your specific services
Some major services now notify users directly when their account was part of a breach. Check your email for past notifications from services you use. Many companies send breach notification emails immediately, but others are slower or less transparent.
If you want to verify whether a specific service was breached, the HIBP “Who's Been Pwned” list at haveibeenpwned.com/PwnedWebsites is the most comprehensive public reference.
Under Armour, Panera, PayPal — major breaches in 2025–2026
Several major consumer breaches have occurred recently that are worth checking specifically: Under Armour saw claims that customer data from 72 million accounts was posted to a hacker forum after a November 2025 intrusion — Have I Been Pwned obtained the dataset and notified 72 million users. Panera Bread confirmed a breach where ShinyHunters claimed theft and leaked data, with HIBP analysis indicating approximately 5.1 million unique accounts were exposed. PayPal confirmed a breach tied to its Working Capital loan application, with access running from July 2025 through December 2025, and breach notification letters going out in February 2026.
If you have accounts with any of these services, check your HIBP results and your email for official breach notifications.
5. What Your Results Actually Mean
“My email was in a breach from 5 years ago”
Data from old breaches does not expire. Stolen personal information can circulate for years — criminals copy, sell, and reuse it. A breach alert points to a leak at one moment in time, but does not reveal whether that information has since been sold to third parties or used in subsequent fraud attempts.
If a password you used five years ago is still in use anywhere, change it now. If you changed it after the breach and have been using a unique password since, the old exposure is much less urgent.
“My email appears in a database dump, not a named breach”
HIBP also indexes compilation lists — massive collections of credentials assembled from multiple breach sources and distributed on criminal forums. Being in a compilation dump means your credentials were circulating widely at some point. Same action applies: check which passwords were involved and change any that are still in use.
“I see a breach from a site I don't remember using”
This is common. You may have signed up years ago, or the service may have changed names. It may also be that your email address was scraped rather than resulting from an account you created. Check what data was exposed — if it includes a password, treat it as a real exposure.
“I got a clean result but I still feel like something is wrong”
HIBP is comprehensive but not exhaustive. Some breaches remain private for months before becoming public, and some never enter the public indexing pipeline at all. If you are seeing suspicious activity on an account — login alerts you didn't trigger, password reset emails you didn't request, unfamiliar devices in your account settings — treat that as a breach signal regardless of what HIBP shows.
6. What to Do If You've Been Breached
The appropriate response depends on what data was exposed. Here is how to think about it:
Passwords were exposed
This is the most urgent scenario.
- Change the password on the breached service immediately — log in now and update it to something unique and strong
- Change the same password everywhere else you used it — this is the critical step most people skip. If you reused that password on your email, your bank, or anywhere sensitive, change all of them now
- Use a password manager going forward — so every account gets a unique, random password that you never have to remember
- Enable MFA on the affected account — see the next section
Email address was exposed (without password)
Your email can now be used for targeted phishing. Attackers know you have an account at that service and may craft convincing messages pretending to be from them.
- Be extra cautious of any emails from or referencing that service
- Go directly to the service's website rather than clicking links in emails
- Verify your account's email and recovery information is correct and current
Name, address, or phone number were exposed
This data is used for targeted social engineering — phone scams, phishing, physical mail fraud. The information itself cannot be “changed” the way a password can, but awareness helps: be skeptical of unsolicited contacts referencing your personal details.
Payment card data or SSN were exposed
These require additional steps beyond account security:
- Cards: Contact your bank immediately and request a card replacement. Review recent transactions for unauthorized charges.
- SSN (US): Place a free credit freeze with all three major bureaus — Equifax, Experian, and TransUnion. A credit freeze prevents new credit from being opened in your name without your explicit authorization. It is free, does not affect your existing credit, and can be temporarily lifted when you legitimately apply for credit.
- Monitor your credit reports at annualcreditreport.com — you are entitled to free reports from all three bureaus.
For a full incident checklist, follow our Data Breach Response Guide.
7. Enable Two-Factor Authentication
For any account where breach data was exposed — and especially for your email, banking, and any account you care about — enable two-factor authentication (2FA), also called multi-factor authentication (MFA), immediately.
MFA means that even if an attacker has your correct password, they cannot log in without a second verification step that only you control.
Priority order for MFA methods (most to least secure):
- Hardware security key (YubiKey) — physical key required to log in; immune to phishing
- Authenticator app (Google Authenticator, Authy, 1Password built-in) — time-based codes that rotate every 30 seconds; better than SMS
- SMS/text message — better than nothing, but vulnerable to SIM-swapping attacks; upgrade when possible
Enable MFA on your email account first — it is the master key to everything else, because most password resets flow through email. Step-by-step: Complete 2FA Setup Guide; passkeys where supported: Passkeys Ultimate Guide.
8. Set Up Ongoing Monitoring
Checking once is not enough. Data breaches happen continuously. Here is how to stay informed without actively doing anything:
Free options:
- HIBP email alerts — free, set up once at haveibeenpwned.com, notifies you of future breaches automatically
- Firefox Monitor — free with Mozilla account, monitors multiple addresses
Built into tools you may already use:
- Bitwarden, 1Password, NordPass, and Proton Pass all include breach monitoring in their respective apps
- Apple's iCloud Keychain flags compromised saved passwords in iOS/macOS settings
Important note about Google: Google's Dark Web Report feature was shut down in February 2026, with scanning ending January 15. This means Google will no longer alert you if your information is exposed in a data breach. If you were relying on Google for breach monitoring, replace it with HIBP alerts or a dedicated password manager with built-in monitoring.
9. Quick Checklist
Use this to work through your breach response systematically:
Check your exposure:
- ☐ Checked all email addresses at haveibeenpwned.com
- ☐ Reviewed which breaches appeared and what data was exposed
- ☐ Checked Pwned Passwords for any passwords currently in use
- ☐ Ran Password Checkup in Google/Chrome (if applicable)
- ☐ Ran breach monitoring in your password manager (if applicable)
Act on the results:
- ☐ Changed passwords exposed in breaches
- ☐ Changed same passwords anywhere else they were reused
- ☐ Changed weak or reused passwords flagged by the scanner
- ☐ Enabled MFA on the affected service(s)
- ☐ Enabled MFA on your primary email account (if not already done)
- ☐ Placed credit freeze if financial data or SSN was exposed
Set up ongoing protection:
- ☐ Subscribed to HIBP email alerts for all your email addresses
- ☐ Started using a password manager (or audited the one you have)
- ☐ Set up unique passwords for high-priority accounts going forward
10. The Bigger Picture
Checking whether your email has been in a breach is the right starting point — but what you do after the check matters more than the check itself.
The most important long-term shift is moving from reused passwords to unique ones. A breach at a minor service only becomes a serious problem when that password opens a door somewhere else. If every account has its own password, a breach at one service affects only that service. That is the logic behind password managers, and it is why security professionals recommend them universally.
Troy Hunt's practical conclusion after processing two billion email addresses: “I suggest putting the energy into getting a password manager, making passwords strong and unique — or even better, using passkeys where available — and turning on multi-factor auth.”
That is still the right advice in 2026. The tools to do all of it are free or close to it. The time investment is an afternoon. The protection is permanent.
❓ Frequently Asked Questions
Is it safe to type my email into Have I Been Pwned?
Yes — checking an email address is the intended use. Never enter your account password into any breach site; HIBP's Pwned Passwords flow uses k-anonymity (partial hash) so your full password is not sent to their servers.
HIBP shows green — does that mean I am completely safe?
No. HIBP indexes known public breaches; private dumps and undisclosed incidents may not appear yet. If you see suspicious logins or reset emails, treat that as a signal regardless of HIBP.
What should I do first if my password was in a breach?
Change it on the affected site immediately, then change it everywhere you reused it — especially email and banking. Then enable MFA and move unique passwords into a password manager.
Does Google still offer dark web monitoring for my data?
The standalone Dark Web Report was discontinued in February 2026 (scanning ended January 15). Rely on HIBP alerts, Firefox Monitor, and your password manager's breach features instead.
Are deepfake call detectors enough to stop vishing?
Use them only as a supplement. Process beats gadgets: call back on a known number, use family code words, and require multi-person approval for wires — see our AI Phishing 2026 guide.
Last updated: April 2026.