S3-3 Tech Guides & Tools
Privacy · Jun 2026

How to Check If Your Email Was Breached and What to Do About It

Data breaches at major companies are so common that it is safer to assume your email address has appeared in at least one than to assume it has not. The question that actually matters is: what data was exposed, and do the exposed credentials still work anywhere? Two reputable free tools — Have I Been Pwned and Firefox Monitor — aggregate breach data and let you check any email address in seconds. This guide explains how to use them, what the results mean, and the specific actions worth taking based on what you find.

Have I Been Pwned (haveibeenpwned.com)

Have I Been Pwned, commonly abbreviated HIBP, is the most comprehensive publicly available breach database. It was created by security researcher Troy Hunt and indexes hundreds of breaches containing billions of records. The site is widely trusted and referenced by browsers, password managers, and government cybersecurity agencies.

How to Check Your Email

  1. Go to haveibeenpwned.com.
  2. Enter your email address in the search box and press Enter or click "pwned?"
  3. If your address appears in known breaches, the page turns red and lists every breach by name, date, and the categories of data included. If it does not appear, the page turns green and displays "Good news — no pwnage found!"

Check every email address you use, not just your primary one. Old accounts at addresses you no longer actively monitor are often the ones that have been breached and ignored the longest.

Understanding the Breach Listing

Each breach entry shows:

  • Breach name: The company or service that was compromised (e.g., LinkedIn, Adobe, Dropbox).
  • Date added: When HIBP indexed the breach. The entry also shows the breach date itself, and the two can be months or years apart, because breaches are often not discovered or disclosed until long after they happen.
  • Compromised data: The categories of data in the breach — "Passwords," "Email addresses," "Phone numbers," "Physical addresses," "Dates of birth," and so on. Not all breaches include passwords. A breach that exposed only your email address and username is lower urgency than one that exposed passwords or payment information.
  • Description: A plain-English summary of what happened, including whether passwords were hashed (one-way transformed) or stored in plain text.

Hashed vs. plain text passwords: If a breach entry says passwords were "hashed," the attacker received one-way transformations of the passwords rather than the text itself. How much that helps depends on the algorithm and on whether each password was stored with its own random salt. Unsalted MD5 and SHA-1 are fast general-purpose hashes: an attacker hashes a wordlist once and matches the result against every user in the dump, so common passwords fall in seconds regardless of how many accounts are in the dump. bcrypt and similar deliberately slow, salted functions force the attacker to repeat expensive work for every user and every guess, which protects strong passwords well, but a weak or common password still falls to targeted guessing. Either way, treat any breach that included passwords as requiring a password change at the affected service.
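The difference is easiest to see in code. The following is an added example written for this guide, not code from HIBP or from the original page: it cracks a constructed dump of unsalted MD5 and SHA-1 hashes with one precomputed table, then attacks the same passwords stored with a per-user salt and a slow key derivation function. PBKDF2 from the standard library stands in for bcrypt, which plays the same role but needs a third-party package. All users, passwords and the wordlist are constructed sample data.

```python
# Added example for this guide (not code from HIBP or the original page):
# why "hashed" passwords in a dump are still dangerous. Unsalted MD5/SHA-1
# can be attacked with one precomputed table for every user; a per-user
# salt plus a slow KDF (PBKDF2 stands in for bcrypt, which is not in the
# standard library) forces separate expensive work per user and per guess.
import hashlib
import os

# Constructed users and passwords, not from any real breach.
SAMPLE_USERS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "qwerty"),
    ("dave@example.com", "correct horse battery staple"),
]

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "dragon"]

# How an old breach might have stored them: unsalted MD5 or SHA-1 hex digests.
FAST_HASH_DUMP = [
    (email, alg, hashlib.new(alg, pw.encode()).hexdigest())
    for (email, pw), alg in zip(SAMPLE_USERS, ["md5", "sha1", "md5", "sha1"])
]

def build_lookup_table(wordlist, algorithm):
    """Hash every candidate once. With no salt the same table matches every
    user in this dump (and in every other unsalted dump), so the attacker's
    cost does not grow with the number of victims."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in wordlist}

def crack_fast_hashes(dump, wordlist):
    """Returns ({email: password}, number of hash computations performed)."""
    algorithms = sorted({alg for _, alg, _ in dump})
    tables = {alg: build_lookup_table(wordlist, alg) for alg in algorithms}
    cracked = {}
    for email, alg, digest in dump:
        word = tables[alg].get(digest.lower())
        if word is not None:
            cracked[email] = word
    return cracked, len(wordlist) * len(algorithms)

# Deliberately low so the demo finishes in well under a second; production
# settings are far higher (bcrypt's cost factor plays the same role).
KDF_ITERATIONS = 50_000

def slow_hash(password, salt, iterations=KDF_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_slow(users):
    """Per-user random salt + slow KDF: the shape bcrypt gives a service."""
    records = []
    for email, pw in users:
        salt = os.urandom(16)
        records.append((email, salt, slow_hash(pw, salt)))
    return records

def crack_slow_hashes(records, wordlist):
    """No shared table is possible: every (user, guess) pair costs a full KDF
    run. Returns ({email: password}, number of KDF computations performed)."""
    cracked = {}
    work = 0
    for email, salt, digest in records:
        for w in wordlist:
            work += 1
            if slow_hash(w, salt) == digest:
                cracked[email] = w
                break
    return cracked, work

if __name__ == "__main__":
    fast, fast_work = crack_fast_hashes(FAST_HASH_DUMP, WORDLIST)
    slow, slow_work = crack_slow_hashes(store_slow(SAMPLE_USERS), WORDLIST)
    print("unsalted MD5/SHA-1:", fast, "hash computations:", fast_work)
    print("salted slow KDF   :", slow, "KDF computations:", slow_work)
    # Both runs recover the three weak passwords; only the passphrase
    # survives. Scale the dump to a million users and the first work figure
    # stays the same while the second grows with users times wordlist size.
```

Both approaches recover the three weak passwords here, which is the point of the last sentence above: hashing buys time against strong passwords, not against common ones. What changes is the attacker's cost curve, which is why a breach of unsalted MD5 hashes should be treated as if the passwords were in plain text.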

Paste Sites and Sensitive Breaches

HIBP also checks against paste sites — public text dumps where attackers post stolen credentials. These often contain data compiled from multiple breaches. The site handles a category called "sensitive" breaches differently: these include breaches from adult sites, political data, or other data the subject may not want publicly associated with their address. Sensitive breach results are not shown publicly but can be accessed by verifying ownership of the email address.

Firefox Monitor (monitor.mozilla.org)

Firefox Monitor (rebranded as Mozilla Monitor in 2024, still at monitor.mozilla.org) is Mozilla's breach notification service, built on the same HIBP data but with a different interface and added features. Its main advantage over a one-time HIBP check is ongoing monitoring.

With a free account you can:

  • Add up to five email addresses for continuous monitoring
  • Receive email alerts when a new breach affecting your addresses is discovered
  • See a dashboard of all your breaches organized by address and the resolution status of each
  • Mark breaches as "resolved" once you have changed the relevant password, which helps track what you still need to address

For anyone with multiple email addresses or who wants automatic alerts rather than periodic manual checks, Firefox Monitor's monitoring feature adds real value beyond a one-time lookup.

Checking Passwords Directly

HIBP also has a password checker at haveibeenpwned.com/passwords (the Pwned Passwords service). You can enter a specific password to check whether it appears in any known breach dump without the site ever receiving that password. The tool uses a technique called k-anonymity: your browser computes the SHA-1 hash of the password, sends only the first five hex characters of that hash to the server, and the server returns the remaining 35 characters of every hash it knows that begins with that prefix, typically several hundred of them. Your browser then checks locally whether the rest of your own hash is in that list. The plain text password never leaves your device, and because hundreds of unrelated passwords share each five-character prefix, the prefix alone identifies nothing. One caveat: that guarantee rests on the page's JavaScript doing what it says, so if you would rather not type a live password into any website, use the same lookup through a password manager with a built-in breach check or through a script whose code you can read.
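The exchange is simple enough to implement in a few lines. The following is an added example written for this guide, not HIBP's own code: it performs the same range lookup against the public Pwned Passwords API that the web page performs in the browser, with the network call separated from the matching logic so the demo can run offline. The sample server reply is constructed; the middle suffix is the genuine remainder of SHA-1("password"), but the other suffixes and every count are invented.

```python
# Added example (not the page's or HIBP's own code): the k-anonymity range
# lookup that haveibeenpwned.com/passwords performs in the browser, written
# against the public Pwned Passwords API. Only the first five hex characters
# of the SHA-1 leave the client; the suffix is matched locally. The sample
# server reply below is constructed and its counts are invented.
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """SHA-1 of the password as upper-case hex, split into the 5-character
    prefix that is sent and the 35-character suffix that never leaves."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """The server answers with one 'SUFFIX:COUNT' line for every known hash
    that shares the prefix (a few hundred to a thousand or so per prefix,
    plus zero-count padding lines when Add-Padding is requested)."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        matches[suffix.upper()] = int(count)
    return matches

def fetch_range(prefix):
    """Real network call; the offline demo and test use offline_fetch instead.
    Add-Padding asks the server to hide the true response size."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-guide-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, range_fetcher=fetch_range):
    """How many times the password appears in Pwned Passwords (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_fetcher(prefix)).get(suffix, 0)

# Constructed reply for prefix 5BAA6, the prefix of SHA-1("password").
# The middle suffix is the real remainder of that hash; the other two
# suffixes and all three counts are invented for the demo.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FEDCBA9876543210FEDCBA9876543210FED:0",  # padding line
    ]),
}

def offline_fetch(prefix):
    return FAKE_RANGE_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3-constructed-unique"]:
        prefix, _ = split_hash(pw)
        seen = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: sends prefix {prefix} only, seen {seen} times")
```

Swap offline_fetch for the default fetch_range to query the live service; nothing else changes, which is the property worth checking in any client you use: the only value that leaves the machine is the five-character prefix.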

If a password you currently use appears in the database — regardless of which service the breach came from — it is a strong candidate for immediate replacement everywhere you use it. Attackers run credential stuffing attacks using breach dumps: trying known email/password combinations at other services automatically. Password reuse is the most direct attack vector that breach data enables.

What to Do When You Find a Breach

The appropriate response depends on what was exposed:

Password Was Exposed

  1. If you still use that password at any service — including services other than the one breached — change it at every place you use it. Credential stuffing makes reuse across sites dangerous.
  2. Change the password at the breached service specifically, even if you no longer care about the account, or delete the account if the service allows it. Old accounts with valid credentials are used to send spam and phishing emails.
  3. If the breached service offers two-factor authentication and you had not enabled it, enable it now.

Only Email Address Was Exposed

An address-only exposure does not require a password change but signals that your address is on lists used for spam, phishing, and social engineering campaigns. Be more skeptical of unsolicited emails referencing that address, and make sure your email account has a strong unique password and two-factor authentication enabled regardless.

Payment Information or Physical Address Was Exposed

If payment card data was in a breach, contact your card issuer to report potential compromise and request a replacement card. Most issuers will do this without requiring evidence of fraud — it is a precautionary measure. Monitor your statements for a few billing cycles. Physical address exposure does not generally require action but is useful context if you start receiving suspicious physical mail.
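The breach listing and the action list above map onto each other mechanically, so it is worth automating when you are checking many addresses. The following is an added example written for this guide, not HIBP's own code: it takes a list of breach records for one address in the shape returned by HIBP's v3 breachedaccount API (fields Name, Title, Domain, BreachDate, AddedDate, DataClasses, IsSensitive, IsSpamList), sorts the exposures into the actions described in this section, and computes the gap between the breach date and the date HIBP indexed it. The sample records and their dates are constructed, not real breach data; the fetch function is included for completeness and needs an API key.

```python
# Added example (not the guide's or HIBP's own code): turn a breach listing
# for one address into the prioritised action list this section describes.
# Record fields follow HIBP's v3 breachedaccount API; the records themselves
# and their dates are constructed, not real breach data.
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import date

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def fetch_breaches(email, api_key):
    """Real call, not used by the offline demo; needs an HIBP API key.
    The API answers 404 when the address appears in no known breach."""
    req = urllib.request.Request(
        HIBP_API + urllib.parse.quote(email) + "?truncateResponse=false",
        headers={"hibp-api-key": api_key, "user-agent": "breach-guide-example"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise

# Data classes grouped by the action they trigger (names as HIBP spells them).
PASSWORD_CLASSES = {"Passwords", "Password hints", "Auth tokens"}
PAYMENT_CLASSES = {"Credit cards", "Partial credit card data", "Bank account numbers"}
IDENTITY_CLASSES = {"Physical addresses", "Dates of birth", "Phone numbers",
                    "Government issued IDs", "Social security numbers"}

def disclosure_lag_days(breach):
    """Days between the breach itself and HIBP indexing it."""
    happened = date.fromisoformat(breach["BreachDate"][:10])
    indexed = date.fromisoformat(breach["AddedDate"][:10])
    return (indexed - happened).days

def triage(breaches):
    """One action record per exposure type per breach, most urgent first.
    Action codes: change_password, contact_issuer, watch_identity, expect_phishing."""
    priority = {"change_password": 0, "contact_issuer": 0,
                "watch_identity": 1, "expect_phishing": 2}
    actions = []
    for b in breaches:
        classes = set(b.get("DataClasses", []))
        codes = []
        if classes & PASSWORD_CLASSES:
            codes.append("change_password")
        if classes & PAYMENT_CLASSES:
            codes.append("contact_issuer")
        if classes & IDENTITY_CLASSES:
            codes.append("watch_identity")
        # Address-only exposures and harvested spam lists mean phishing, not resets.
        if not codes or b.get("IsSpamList"):
            codes.append("expect_phishing")
        for code in codes:
            actions.append({
                "breach": b.get("Title") or b["Name"],
                "domain": b.get("Domain") or "",
                "action": code,
                "sensitive": bool(b.get("IsSensitive")),
                "lag_days": disclosure_lag_days(b),
            })
    return sorted(actions, key=lambda a: priority[a["action"]])

# Constructed records in the API's shape; none of these are real breaches.
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "forum.example",
     "BreachDate": "2019-03-02", "AddedDate": "2021-07-14T00:00:00Z",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"],
     "IsVerified": True, "IsSensitive": False, "IsSpamList": False},
    {"Name": "ExampleShop", "Title": "Example Shop", "Domain": "shop.example",
     "BreachDate": "2023-11-20", "AddedDate": "2024-01-05T00:00:00Z",
     "DataClasses": ["Email addresses", "Credit cards", "Physical addresses", "Names"],
     "IsVerified": True, "IsSensitive": False, "IsSpamList": False},
    {"Name": "ExampleList", "Title": "Example Marketing List", "Domain": "",
     "BreachDate": "2022-06-01", "AddedDate": "2022-06-01T00:00:00Z",
     "DataClasses": ["Email addresses"],
     "IsVerified": False, "IsSensitive": False, "IsSpamList": True},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_BREACHES):
        flag = " (sensitive)" if a["sensitive"] else ""
        print(f"{a['action']:16} {a['breach']}{flag} [{a['domain'] or 'no domain'}]"
              f" indexed {a['lag_days']} days after the breach")
```

The lag figure is the practical reason to keep monitoring enabled rather than checking once: in the constructed forum record the passwords were exposed more than two years before anyone could have looked them up on HIBP, and any reuse of that password was exploitable for the whole period.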

Ongoing Protection: The Only Sustainable Approach

Breach checks are reactive — they tell you about past exposures. The practices that limit future damage are:

  • Unique password per account: A password manager makes this practical. If each service has its own random password, a breach at one service does not compromise any other.
  • Two-factor authentication on email and important accounts: Even if a password is exposed, 2FA prevents login without the second factor. Email is the most important account to protect because password reset links go there.
  • Monitoring alerts: Firefox Monitor or HIBP's notification service will alert you when new breaches involving your addresses are indexed. Faster discovery means faster response.

The goal is not to be breach-proof — that depends on the security practices of every company you give your data to, which you cannot control. The goal is to limit the blast radius when it happens.