How to Check If Your Password Has Been Leaked or Hacked in 2026


By EthicalHacking.ai

## How to Check If Your Password Has Been Leaked

The fastest way to check if your password has been leaked is to visit haveibeenpwned.com and enter your email address. This free service, created by security researcher Troy Hunt, searches over 14 billion compromised accounts from 800+ data breaches and tells you instantly if your credentials have been exposed. Over 4.5 million people check their accounts on Have I Been Pwned every day.

If your email appears in a breach, change the password for that account immediately, enable [two-factor authentication](https://ethicalhacking.ai/blog/what-is-two-factor-authentication), and change the password on any other account where you reused the same password.

*Last updated: March 31, 2026*

## Free Tools to Check for Leaked Credentials

| Tool | What It Checks | Cost | URL |
|------|---------------|------|-----|
| Have I Been Pwned | Email and phone number against 800+ breaches | Free | haveibeenpwned.com |
| Have I Been Pwned Passwords | Individual passwords against 900+ million leaked passwords | Free | haveibeenpwned.com/Passwords |
| Google Password Checkup | Saved passwords in Chrome against known breaches | Free | passwords.google.com |
| Apple Passwords Security | Saved passwords on iPhone/Mac against known breaches | Free | Settings > Passwords > Security Recommendations |
| Firefox Monitor | Email against breach databases | Free | monitor.firefox.com |
| 1Password Watchtower | All vault passwords against breach databases | Included with 1Password | Built into 1Password app |
| Bitwarden Reports | All vault passwords against breach databases | Free tier available | Built into Bitwarden app |

## Step-by-Step: Check Your Email on Have I Been Pwned

**Step 1:** Open haveibeenpwned.com in your browser.

**Step 2:** Enter your primary email address in the search box and click the "pwned?" button. The search is safe: the site does not store your email or use it for any other purpose.

**Step 3:** If the page turns green, your email was not found in any known breaches. If it turns red, your email appeared in one or more breaches. The page lists every breach including the breach name, date, number of accounts exposed, and what data was compromised such as email addresses, passwords, IP addresses, or phone numbers.

**Step 4:** Scroll down to see each specific breach. Pay attention to whether passwords were exposed and whether they were hashed or stored in plaintext. Plaintext passwords are immediately usable by attackers. Hashed passwords can be cracked using tools like [Hashcat](https://ethicalhacking.ai/tools/hashcat) depending on the hashing algorithm used.

**Step 5:** Subscribe to breach notifications by entering your email and clicking Notify me. You will receive an automatic email if your address appears in future breaches.

## Step-by-Step: Check Your Password Directly

**Step 1:** Open haveibeenpwned.com/Passwords in your browser.

**Step 2:** Enter the password you want to check. The site uses a privacy-preserving protocol called k-anonymity — your full password is never sent to the server. Only the first 5 characters of the password hash are sent, and the server returns all matching hashes for you to check locally.

**Step 3:** If the password has been seen in breaches, the site tells you how many times. A password seen 10,000+ times means it is in every attacker wordlist and will be cracked instantly. Even a password seen once should be changed because it exists in breach databases that attackers actively use.

## What to Do If Your Password Is Leaked

Discovering your credentials in a breach requires immediate action. Follow these steps in order.

**Step 1: Change the compromised password immediately.** Log into the affected account and change the password to a new unique password of at least 16 characters. Use a password manager to generate a random password. Do not create the new password manually as humans are poor at creating truly random passwords.

**Step 2: Change the same password everywhere else you used it.** If you reused the leaked password on other accounts, change it on every single one. Credential stuffing attacks automatically test leaked email and password combinations across hundreds of popular websites. Attackers know that over 60% of people reuse passwords across multiple accounts.

**Step 3: Enable two-factor authentication.** Turn on [2FA](https://ethicalhacking.ai/blog/what-is-two-factor-authentication) on the compromised account using an authenticator app or hardware security key. This ensures that even if your new password is somehow compromised in the future, attackers still cannot access your account.

**Step 4: Check for unauthorized activity.** Review the account login history, connected devices, and recent activity. Look for logins from unfamiliar locations or devices, password reset requests you did not make, changes to account settings or recovery options, and purchases or transactions you did not authorize.

**Step 5: Monitor your other accounts.** After a breach, watch for [phishing](https://ethicalhacking.ai/blog/what-is-phishing) emails impersonating the breached service. Attackers use breach data to craft convincing targeted phishing campaigns. Be especially cautious of emails asking you to click links to verify your account or reset your password.

## Why Passwords Get Leaked

Passwords are exposed through data breaches where attackers hack into a company database and steal user records. Over 6 billion accounts have been compromised in known breaches since 2010. The largest breaches include Yahoo with 3 billion accounts in 2013, First American with 885 million records in 2019, Facebook with 533 million records in 2019, and LinkedIn with 700 million records in 2021.

When a company is breached, the stolen data typically includes email addresses, passwords either hashed or in plaintext, phone numbers, physical addresses, and sometimes financial information. This data is sold on dark web marketplaces or posted publicly on hacking forums. Within hours of a breach, attackers begin automated credential stuffing attacks using the stolen credentials against hundreds of other websites.

**How passwords are cracked after a breach.** Responsible companies store passwords as hashed values, not plaintext. However, weak hashing algorithms like MD5 and SHA-1 can be cracked at billions of attempts per second using [Hashcat](https://ethicalhacking.ai/tools/hashcat) and GPU hardware. A simple 8-character password hashed with MD5 can be cracked in under 5 minutes. Stronger algorithms like bcrypt and Argon2 are dramatically harder to crack, but many companies still use outdated hashing methods.

## How to Prevent Password Leaks From Affecting You

The goal is ensuring that even when breaches happen — and they will — the impact on you is minimal.

**Use a unique password for every account.** This is the single most important rule. If every account has a different password, a breach of one service cannot compromise any other. A password manager makes this effortless by generating and storing unique random passwords for every site.

**Use a password manager.** Password managers generate cryptographically random passwords, store them encrypted, and autofill them on the correct domains. The autofill feature also protects against [phishing](https://ethicalhacking.ai/blog/what-is-phishing) because the manager will not fill credentials on a fake lookalike domain. Recommended managers include 1Password, Bitwarden (free tier available), and Proton Pass. See our [1Password vs Bitwarden comparison](https://ethicalhacking.ai/compare/1password-vs-bitwarden) for a detailed breakdown.

**Enable 2FA on every important account.** [Two-factor authentication](https://ethicalhacking.ai/blog/what-is-two-factor-authentication) ensures leaked passwords alone cannot grant access. Prioritize email, banking, password manager, social media, and work accounts.

**Use passwords of at least 16 characters.** Longer passwords are exponentially harder to crack. An 8-character password can be brute-forced in hours. A 16-character random password would take billions of years with current technology. Password managers generate these automatically.

**Never reuse passwords.** Over 60% of people reuse passwords across multiple accounts. This means a single breach compromises every account sharing that password. Attackers count on this behavior — credential stuffing attacks are automated and test millions of leaked credentials against popular services within hours of a breach.

## Password Leak Statistics

| Statistic | Number | Source |
|-----------|--------|--------|
| Total compromised accounts in Have I Been Pwned | 14+ billion | haveibeenpwned.com |
| Number of breached websites tracked | 800+ | haveibeenpwned.com |
| Leaked passwords in the database | 900+ million | haveibeenpwned.com |
| People who reuse passwords across accounts | 60%+ | Google Security Blog |
| Average time to discover a data breach | 194 days | IBM Cost of Data Breach Report |
| Average cost of a data breach | $4.88 million | IBM Cost of Data Breach Report |
| Credential stuffing attacks blocked daily by Cloudflare | Billions | Cloudflare Radar |
| Breached credentials for sale on dark web marketplaces | 24+ billion | Digital Shadows Research |

## How Cybersecurity Professionals Use Breach Data

Breach data is a critical resource for cybersecurity professionals working in authorized security roles. [Penetration testers](https://ethicalhacking.ai/blog/what-is-penetration-testing-beginners-guide) use breach databases to test if employee credentials from previous breaches still work against target organization systems during authorized engagements. [Threat intelligence](https://ethicalhacking.ai/blog/what-is-threat-intelligence) analysts monitor dark web marketplaces for client credentials appearing in new breaches. [SOC analysts](https://ethicalhacking.ai/blog/what-is-soc-analyst) correlate login anomalies with known breach timelines. [Incident responders](https://ethicalhacking.ai/blog/incident-response-guide-2026) investigate the scope of credential exposure during active breaches.

[OSINT tools](https://ethicalhacking.ai/blog/best-osint-tools-guide-2026) and breach monitoring platforms help security teams proactively identify compromised credentials before attackers use them. Enterprise breach monitoring solutions include SpyCloud, Recorded Future Identity, and Flare.

## Frequently Asked Questions

### Is Have I Been Pwned safe to use?

Yes. Have I Been Pwned was created by Troy Hunt, a Microsoft Regional Director and internationally recognized security researcher. The site does not store your search queries, does not sell your data, and uses privacy-preserving techniques. The password checker uses k-anonymity so your password is never transmitted to the server. The service is recommended by the FBI, UK National Cyber Security Centre, and the Australian Cyber Security Centre.

### How do I know if my password is on the dark web?

Use haveibeenpwned.com to check your email address against known breaches and haveibeenpwned.com/Passwords to check specific passwords. Google Password Checkup and Apple Security Recommendations also check your saved passwords against known breach databases. For comprehensive dark web monitoring, enterprise tools like SpyCloud and Recorded Future scan dark web marketplaces continuously.

### Should I change all my passwords after a breach?

Change the password for the breached service immediately. Then change every other account where you used the same or similar password. If you use unique passwords for every account via a password manager, you only need to change the one affected password. This is why password managers and unique passwords per account are so important.

### How often are passwords leaked?

Data breaches occur daily. In 2025 alone, over 1 billion records were exposed in publicly reported breaches. Many breaches go unreported for months or years. The average time to discover a breach is 194 days according to IBM. Subscribe to Have I Been Pwned notifications so you are alerted when your email appears in a new breach rather than discovering it months later.

### Can I check if my phone number has been leaked?

Yes. Have I Been Pwned supports phone number searches. Enter your phone number in international format including country code. Phone numbers were exposed in major breaches including Facebook (533 million numbers in 2019) and numerous telecom breaches. A leaked phone number increases your risk of [social engineering](https://ethicalhacking.ai/blog/what-is-social-engineering) attacks, SIM swapping, smishing, and vishing calls.

### What is credential stuffing?

Credential stuffing is an automated attack where attackers use lists of leaked email and password combinations to attempt logins across hundreds of websites. Because over 60% of people reuse passwords, these attacks are highly effective. Billions of credential stuffing attempts occur daily. The only defenses are unique passwords per account and [two-factor authentication](https://ethicalhacking.ai/blog/what-is-two-factor-authentication).