How to Check If Your Email Was Part of a Data Breach

You heard about a data breach in the news, or you got a strange login alert, and now you want to know one thing: was your email address caught up in it? Maybe a password you have reused for years is floating around in a leaked database, and you want to find out before someone else does.

The good news is that checking takes minutes, and the best tools are free. Breaches expose combinations of email addresses, passwords, names, and phone numbers, which then get circulated or sold and fuel phishing, credential-stuffing, and account takeover. The goal here is simple: find out where your address is exposed, then rotate any password you reused.

Below are all the verified ways to check, ordered quickest and most universal first. Work down the list, and check every address you own (work, personal, and any aliases) separately, because one email can sit in multiple breaches under different services.

Search Your Email on Have I Been Pwned

This is the fastest check and works in any desktop browser, no account needed.

1. 1.Go to haveibeenpwned.com.
2. 2.Type the email address you want to check into the search box.
3. 3.Click the Check button.
4. 4.Read the result. A clean address shows "Good news, no pwnage found! This email address wasn't found in any of the data breaches loaded into Have I Been Pwned."
5. 5.A breached address shows "Oh no, pwned! This email address has been found in multiple data breaches," then lists each breach below with its name, date, and the types of data that were compromised.

For any breach listed, change the password on that site immediately, and change it anywhere else you reused the same password. Then repeat the search for every other email address you use.

Turn On Breach Notifications (Notify Me)

A one-time search only covers what is known today. Subscribing your address means you get alerted automatically when it shows up in future breaches, and it unlocks sensitive breaches that are hidden from anonymous searches.

1. 1.Go to haveibeenpwned.com/NotifyMe.
2. 2.Enter your address in the Email Address field.
3. 3.Complete the CAPTCHA checkbox to prove you are not a bot.
4. 4.Click the Notify Me button.
5. 5.Check your inbox for an email from Have I Been Pwned and click the verification link inside (check your spam folder if you do not see it).

You are then redirected to your dashboard with notification setup complete. Signing in this way also lets you view sensitive breaches that are hidden from public searches; those appear under Breaches > Personal.

Test a Specific Password (Pwned Passwords)

Sometimes the question is not the email but the password itself. This check tells you whether a specific password has ever appeared in a breach, and it does so privately.

1. 1.Go to haveibeenpwned.com/Passwords.
2. 2.Type the password you want to test into the input box.
3. 3.Click the Check button.
4. 4.A safe password shows "This password wasn't found in any of the Pwned Passwords loaded into Have I Been Pwned."
5. 5.An exposed password reports that it has been seen in data breaches before and warns that it should never be used.

On privacy: the password is SHA-1 hashed inside your browser, and only the first five characters of that hash are sent to the service, so your full password is never transmitted. If a password is flagged, stop using it everywhere.

Scan Multiple Emails With Mozilla Monitor

Mozilla Monitor checks your addresses against its own breach database and can watch them going forward. It is useful when you want to cover several inboxes at once.

1. 1.Go to monitor.mozilla.org in your browser.
2. 2.Sign in with your Mozilla account when prompted.
3. 3.Open the Dashboard. Monitor automatically scans your email and displays the results there.
4. 4.To add more addresses, use Manage more emails on the dashboard. You can scan up to 20 emails for free.
5. 5.If breaches are found, open the Action needed section to see details and recommended steps.

Work through the recommendations (for example, change an exposed password, then change it on any other account using the same password), and tick the boxes on the right as you finish each one. Completed items move to a resolved state so you can track progress.

Run Password Checkup in Chrome (Desktop)

If you save passwords in your Google Account, this checks them all at once for ones exposed in breaches, reused, or weak.

1. 1.Open Chrome.
2. 2.Select More (the three-dot menu, top right).
3. 3.Go to Passwords and autofill > Google Password Manager.
4. 4.On the left, select Checkup.
5. 5.Review the results, grouped as Exposed (compromised) passwords, Weak passwords, and passwords Used in multiple accounts.

Alternatively, in any browser go to passwords.google.com and select Go to Password Checkup > Check passwords, signing in if needed. Change any password flagged as compromised, and avoid reusing it elsewhere.

Check Saved Passwords on Android

The same Google check runs from an Android phone.

1. 1.Open Chrome on your Android device.
2. 2.Tap More at the top right.
3. 3.Select Settings.
4. 4.Choose Google Password Manager.
5. 5.Tap Checkup.

Review the compromised, reused, and weak passwords it reports, and change any compromised ones. You can turn breach alerts on or off with the Password alerts toggle in your Google Password Manager settings.

Use Security Recommendations on iPhone or iPad

Apple's Passwords app flags saved logins that turned up in a data leak.

1. 1.Open the Settings app.
2. 2.Tap Apps.
3. 3.Tap Passwords to open the Passwords app.
4. 4.Tap Security to view security recommendations.
5. 5.Compromised entries show "This password appeared in a data leak."
6. 6.Tap Change Password, then update it on the website or app (you can let the device generate a strong password).

The detection feature can be turned off, though that is not recommended, at Settings > Apps > Passwords > Detect Compromised Passwords.

Check Saved Passwords in Microsoft Edge

Edge's Password Monitor checks saved credentials against known breaches on Windows and Mac.

1. 1.Open Edge and type edge://settings/autofill/passwords/checkup into the address bar (Windows and macOS only).
2. 2.Saved passwords that match the breach database appear on the Password Monitor page, categorized as Leaked, Reused, and Weak.
3. 3.For each flagged account, select Change to go to the site and update the password, or Ignore to dismiss an entry that no longer applies.

If the page is empty because the feature is off, sign in to Edge, then go to Settings and more (...) > Settings > Passwords and autofill > Microsoft Password Manager > Password security check and turn on the leaked-password-scan toggle. When you are signed in to Edge and syncing, Password Monitor is enabled automatically.

Frequently Asked Questions

I got a "no pwnage found" result. Am I definitely safe?

No. A clean result only means your address is not in that one database. Have I Been Pwned itself notes it contains only a small subset of all records breached over the years, and many breaches are never detected or made public. Treat a clean result as reassuring, not as proof.

Why does the same password show as "compromised" in one tool but my email looks clean in another?

Each tool scans a different thing. Apple, Google, Microsoft, and Mozilla only check passwords you have actually saved in that ecosystem, so passwords kept in another browser, a different manager, or nowhere at all are never scanned. The wording also differs: Apple says a password "appeared in a data leak," Google and Edge say "compromised" or "leaked," and Have I Been Pwned says "pwned." Do not assume the labels mean different things.

A password got flagged, but I have not heard of any new hack. What happened?

These checks flag passwords exposed in old breaches too. A flag does not necessarily mean a brand-new attack; it often means a credential you used years ago has surfaced in a leaked database that the tool only just matched. Change it regardless.

Why can't I see a breach I am sure my email was in?

Sensitive breaches are deliberately hidden from anonymous public searches on Have I Been Pwned. You will only see them after verifying ownership of the email through the Notify Me link and signing in to your dashboard, where they appear under Breaches > Personal.

My email appeared in a "paste." Is that the same as a breach?

Not exactly. Have I Been Pwned distinguishes confirmed breaches, "unverified" breaches (data that looks legitimate but could not be confirmed beyond reasonable doubt), and "pastes." Finding your email in a paste does not immediately mean it was disclosed through a breach; pastes are often transient dumps removed shortly after appearing. Still, treat any associated password as exposed and rotate it.

Why is Edge's checkup page blank on my phone?

Edge's Password Monitor checkup page works on Windows and macOS only; it is not available on mobile. It can also be off if you are not signed in, not syncing, or on a managed work device, in which case you must enable the leaked-password-scan toggle manually before it reports anything.