Were You in a Breach? How to Check and What to Do Next
Breaches happen constantly. Here is how to find out if your data is exposed and the exact steps to lock things down before attackers use it.

Data breaches are a fact of online life. Between telecom leaks, retailer hacks, and the steady churn of credential dumps, your email address is almost certainly in at least one by now.
Quick answer
Go to haveibeenpwned.com, enter every email address you use, and see which breaches you appeared in. If you are listed, change the leaked password and kill any place you reused it, turn on phishing-resistant 2FA (a passkey or hardware key), and secure your email account first since it can reset everything else. If financial or identity data leaked, add a free credit freeze. The check takes two minutes; the cleanup takes maybe fifteen.
In June 2026 alone, a single batch of infostealer logs added to Have I Been Pwned exposed roughly 56 million unique email addresses and 124 million passwords. The good news is that checking is fast, free, and the response plan is the same regardless of which company lost your data. Here is exactly how to find out and what to do next.
Key takeaways
- Use Have I Been Pwned (HIBP) to check whether your email or password has appeared in a known breach. It is free and the closest thing to an industry standard.
- A breach is only dangerous if you reuse the leaked password. Hunting down and killing password reuse is the single most important step.
- Turn on phishing-resistant two-factor authentication (a passkey or hardware key) so a leaked password alone cannot get anyone in.
- If financial or identity data was exposed, place a free credit freeze and watch for targeted phishing that uses your real details.
- Secure your email account first. It is the master key to every other account through password resets.
How to check if your data is exposed
The most trusted free tool is Have I Been Pwned, run by security researcher Troy Hunt and used by individuals and corporate security teams alike. It aggregates hundreds of breaches and handles billions of lookups a month.
- Go to the official site at https://haveibeenpwned.com/.
- Enter your email address and run the search.
- Read the result. "Good news, no pwnage found!" means your address was not in any breach HIBP has indexed. "Oh no, pwned!" means it appeared in one or more breaches, and the page lists exactly which breaches and what data was exposed (passwords, phone numbers, addresses, and so on).
Check every email address you use, including old ones. Exposed data on a forgotten account can still be used against you in phishing and account-recovery attacks.
Check your passwords too
HIBP also offers a Pwned Passwords tool that tells you whether a specific password has appeared in known breaches. It is built for privacy: your password is hashed locally and only the first five characters of that hash are sent to the service (a technique called k-anonymity), so your actual password never leaves your device. If a password shows up, stop using it everywhere immediately.
Tip
Turn on "Notify me when I get pwned" on the HIBP results page. It is free and emails you whenever your address turns up in a newly indexed breach, so you find out in days instead of months.
What to do if you were breached
Not all exposed data carries the same urgency. Use this to decide how hard to react based on what actually leaked:
| What leaked | Real risk | Priority response |
|---|---|---|
| Email address only | Targeted phishing, spam | Stay alert, enable HIBP alerts |
| Email + reused password | Account takeover via credential stuffing | Change that password everywhere, now |
| Phone number | SIM-swap and smishing attempts | Add a carrier port-out PIN |
| Full name, address, DOB | Identity theft, social engineering | Freeze credit, watch new-account alerts |
| Card or bank details | Direct financial fraud | Call the bank, replace the card, freeze credit |
Finding your data in a breach is not a crisis if you act methodically. Work through these steps in order.
1. Change the exposed passwords
For every breached site listed, change the password right away. Make each new password long, random, and unique. A password manager turns this from a chore into a few clicks.
2. Hunt down password reuse
This is the step people skip, and it is the most important one. If you reused the breached password anywhere else, attackers will try it across your other accounts automatically. This is called credential stuffing, and it is how most breach data is actually monetized. Change that password everywhere you used it, then never reuse a password again.
3. Turn on two-factor authentication
After a password leaks, 2FA is your single most effective defense, because it demands a second factor before anyone can log in. Prioritize phishing-resistant options like passkeys or a hardware security key, and prefer an authenticator app over SMS where you can. If you have not made the switch yet, our guide on how to set up passkeys walks through it step by step.
4. Watch for fraud and phishing
- Monitor bank and credit card statements for unfamiliar charges.
- If financial or identity data was exposed, place a credit freeze with the major bureaus. It is free, takes minutes online, and blocks new accounts from being opened in your name. You can lift it just as easily when you need credit.
- Expect targeted phishing. Breach datasets are sold and traded, and attackers use real details (your name, the service, the last four digits of a card) to make scam messages convincing. Be skeptical of unexpected "verify your account" messages and navigate to sites directly instead of clicking links.
5. Secure the email account itself
Your email is the master key to everything else through password-reset links. Make sure it has a unique, strong password and strong 2FA. If your email provider was the breached service, treat it as the top priority and rotate any app passwords or recovery codes tied to it.
Build habits that limit future breaches
You cannot stop companies from getting breached, but you can make each breach a minor inconvenience instead of a disaster.
- Use a password manager so every account has a unique, strong password. One leaked password then exposes exactly one account, not your whole digital life.
- Enable 2FA everywhere it is offered, favoring passkeys and hardware keys over SMS codes.
- Minimize what you hand over. Use email aliases or a secondary address for low-trust signups, so a breach there is easy to abandon.
- Check HIBP periodically and act on what you find. If you are weighing whether to move off passwords entirely, see our walkthrough on transferring passwords to passkeys on Android.
Many recent incidents are downstream of huge aggregated credential dumps rather than a single company hack. If you want to understand how those collections come together, our breakdown of the 24 billion stolen credentials leak explains where this data originates and why reuse is so dangerous.
What to do tonight
If you only do five things, do these in order:
- Run your main email address through haveibeenpwned.com and note every breach listed.
- Change the password on any breached account, and hunt down every place you reused it.
- Turn on a passkey or authenticator-app 2FA for your email and bank first.
- Enable "Notify me when I get pwned" so future breaches reach you in days, not months.
- If any financial or identity data was exposed, place a free credit freeze with all three bureaus.
Frequently asked questions
Is Have I Been Pwned safe to use?
Yes. For email lookups, you are only submitting an address, which is not secret. For password checks, the tool never receives your actual password thanks to the k-anonymity hashing described above. It is widely trusted by security professionals.
My email shows up in a breach but I never used that site. What happened?
The data was likely collected by an infostealer on a device, scraped from a third party, or bundled into an aggregated "combo list" from many sources. You do not need an account on a listed service for your address to appear. Focus on the response steps rather than the source.
Should I freeze my credit even if only my email leaked?
A credit freeze specifically protects against new accounts being opened with your identity, so it matters most when names, Social Security numbers, dates of birth, or financial details were exposed. If only an email and an old password leaked, prioritize changing passwords and enabling 2FA first. A freeze is still a reasonable, free precaution.
How often should I check?
Quarterly is plenty for most people, plus any time you hear about a major breach involving a service you use. Enabling HIBP notifications removes the need to remember entirely.
The bottom line
Breaches are inevitable; lasting damage is not. Check your email and passwords against Have I Been Pwned today, kill any password reuse you find, switch on strong two-factor authentication, and stay alert for the phishing that follows. Do that and the next breach with your name in it becomes a five-minute chore rather than a security emergency.


