Data Leak Checker
Find out if your email or password has appeared in known data breaches. There are two modes. Password mode uses k-anonymity (only 5 hash characters leave your device). Email mode queries the Have I Been Pwned public API with your address, and is best used with the password mode for full privacy.
What "Pwned" Means
HIBP aggregates publicly leaked data dumps from breaches. If your address appears, it was part of a leak, and your password may have been exposed in cleartext or as a weak hash. Action: change the password everywhere it was reused, enable 2FA, and consider rotating to an alias.
What this tool does
Enter an email address or a password and this tool checks it against Have I Been Pwned's database of known breaches — telling you whether it has appeared in a public data leak. It's a point-in-time check: it answers "is this in a known breach right now?", which is exactly the question worth asking before you trust a password or an account.
How to use it
- Type the email address or password you want to check.
- Read the result: whether it appears in known breaches, and for passwords, roughly how many times.
- If it shows up, change that password everywhere you've used it and turn on two-factor authentication.
Why checking this way is safe
The natural worry is "isn't typing my password into a checker exactly the wrong thing to do?" Here it isn't, because of a technique called k-anonymity. Your password is hashed with SHA-1 in your browser, and only the first five characters of that hash are sent to the service. It replies with every breached hash sharing those five characters — hundreds of them — and the final match happens locally, in your tab. The service never sees your password, your full hash, or which specific entry you were checking.
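The exchange described above, as an added example (not this tool's own code). Node.js's `crypto` module stands in for the browser's hashing (a browser would use `crypto.subtle.digest`), and the service is a constructed function. The `SUFFIX:COUNT` line format is assumed from HIBP's Pwned Passwords range API, and the names `splitHash`, `countInRange`, `checkPassword` and `constructedService` are hypothetical.

```javascript
// Added example: k-anonymity range check, run offline against a constructed response.
const { createHash } = require('node:crypto');

// SHA-1 the password locally and split the 40-char hex digest:
// the 5-char prefix is the only part sent, the 35-char suffix stays local.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response (assumed format: one "SUFFIX:COUNT" per line) and
// return how many times our suffix appears in breaches; 0 means no match.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (!/^[0-9A-F]{35}$/i.test(candidate || '')) continue; // skip malformed lines
    if (candidate.toUpperCase() === suffix) return Number.parseInt(count, 10) || 0;
  }
  return 0;
}

// Full check. lookupRange(prefix) stands in for the network call (hypothetical
// name); it receives the prefix only, never the password or the full hash.
function checkPassword(password, lookupRange) {
  const { prefix, suffix } = splitHash(password);
  return countInRange(suffix, lookupRange(prefix));
}

// Constructed stand-in for the service: records what it was sent and replies
// with made-up entries for the one prefix it knows. Counts are not real data.
const sentToService = [];
function constructedService(prefix) {
  sentToService.push(prefix);
  if (prefix !== '5BAA6') return '';
  return [
    `${'0'.repeat(34)}A:3`,
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
    `${'F'.repeat(35)}:0`, // a zero count is treated as "not breached"
  ].join('\r\n');
}

console.log(checkPassword('password', constructedService)); // match on the constructed entry
console.log(checkPassword('constructed-unlisted-passphrase', constructedService));
console.log(sentToService); // only 5-character prefixes reached the service
```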
The breach check was the single fastest way I ever found, in two decades of IT support, to make a security point land. People nod politely when you talk about "good password hygiene"; they sit up when they paste a password they've used for a decade and see it's appeared in breaches tens of thousands of times. That number does the convincing. The part I always had to explain, though, was that the check itself is safe — k-anonymity means only five characters of a hash leave the device, never the password. And I was careful to be honest about its limit: this tells you about leaks that are already public and known today. It's a spot-check, not a guard that watches your accounts — for that you still need unique passwords and 2FA.
— Hill, 20 years in IT support
This is a one-time lookup, not monitoring — it doesn't store your input, watch your accounts, or notify you later. Everything except that anonymised five-character hash prefix stays in your browser.
Frequently asked questions
Is it safe to type my password here?
Yes. Your password is hashed in your browser and only the first five characters of the hash are sent (k-anonymity). The service can't see your password, your full hash, or which entry you checked.
Does this monitor my accounts going forward?
No. It's a point-in-time check of whether your email or password is in known breaches right now. It doesn't store anything, watch your accounts, or send alerts later.
My password showed up — what do I do?
Stop using it immediately, everywhere. Change it on every account where it was used (especially if reused), switch to a unique password per site, and enable two-factor authentication where you can.
If my email is in a breach, is my password exposed?
Not necessarily, but assume the worst for that site. A breach can expose emails alone, or emails with hashed or even plaintext passwords. Change the password for the affected service and anywhere you reused it.