Leaked Email

Your email address is in a leak. Probably more than one. So is mine.

That sounds dramatic. The practical implication is smaller than it sounds. At some point you signed up for an account at LinkedIn or Dropbox or some forum you've forgotten the name of, the company got hacked, and a file containing your email address (and sometimes your password from that account) has been quietly circulating online ever since. The volume is enormous: one stealer-log dump processed in early 2025 alone ran to 23 billion rows.

There's a free tool that will tell you which of those files you appear in. And a short list of things to do once you know. Here's the process.

What "leaked" means

When a company you've signed up with gets breached, the data they had on you ends up in a file. Email address, password, name, sometimes more. Those files don't stay private. They get traded, sold, posted, and eventually aggregated into giant searchable databases.

A security researcher named Troy Hunt has been maintaining one of those aggregations as a free public service since 2013. It's called ‘Have I Been Pwned’ (HIBP). It indexes data from thousands of breaches, plus, more recently, stealer-log corpora. A breach is what happens when a company you trusted with your data gets hacked. A stealer log is the set of credentials that infostealer malware captured from an infected computer as someone typed them into websites (sometimes your computer, sometimes a coworker's, sometimes a former employee's). HIBP covers both. The basic email lookup is free.

This check tells you two things. Which breaches your email appears in, and what kind of data was exposed in each one. It tells you which doors might already be unlocked, so you can decide which ones to lock first.

The privacy question

You're going to type your email address into a website, and it would be right to pause and think about it first.

HIBP has been operating for over a decade, is run by a person whose entire reputation is built on this work, and doesn't store the addresses you search. For password checks (which I'll cover below), the tool uses a technique called k-anonymity that means even the service itself never sees the password you submit, nor its full hash. It's about as trustworthy as a third-party check can be.

If you'd still rather not type things into someone else's website, your password manager almost certainly has a built-in breach check that does the same job against the same underlying data. It sends only the first five characters of each password's hash, never the password itself. This is covered below.

Step 1: Check your email addresses

Open haveibeenpwned.com. Type the email address you want to look up into the box. Hit "pwned?" and wait.

You'll get one of two results. Either the page is green and says you haven't been found in any known breaches (you can stop reading and feel quietly smug), or the page is red and lists the breaches you appear in. Each entry shows the date, the company, and the kinds of data that were exposed.

Repeat for every email address you or your business uses. Don't forget:

  • Catch-all addresses (info@, hello@, contact@)

  • Personal emails you use for vendor accounts

  • Old addresses you stopped using

Each one is a separate check. Write down which breaches show up.
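If you have more than a handful of addresses to check, the same lookup is available programmatically through HIBP's v3 "breachedaccount" API (it needs a paid API key, unlike the web form). The following is an added example, not code from the original post or from HIBP: it turns the breach listing for one address into the prioritised to-do list this post asks you to write down. The field names (Name, Title, BreachDate, DataClasses, IsStealerLog) are the real ones the API returns; the sample response is constructed for illustration, not a real lookup, and the hypothetical fetch_breaches helper is only called if you supply a key.

```python
"""Triage a Have I Been Pwned breach listing for one email address.

Added example, not code from the original post or from HIBP. The JSON shape
matches GET /api/v3/breachedaccount/{email}?truncateResponse=false; the sample
below is constructed, not a real API reply.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import date
from typing import Optional

# Constructed sample response (three made-up breaches, not real HIBP data).
SAMPLE_RESPONSE = json.dumps([
    {"Name": "ExampleForum", "Title": "Example Forum", "BreachDate": "2019-03-02",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"], "IsStealerLog": False},
    {"Name": "ExampleShop", "Title": "Example Shop", "BreachDate": "2023-11-15",
     "DataClasses": ["Email addresses", "Names", "Phone numbers"], "IsStealerLog": False},
    {"Name": "ExampleStealerLogs", "Title": "Example Stealer Logs", "BreachDate": "2025-01-01",
     "DataClasses": ["Email addresses", "Passwords"], "IsStealerLog": True},
])


def triage(response_json: str, today: Optional[date] = None) -> list:
    """Return one row per breach, most urgent first, each with a concrete action.

    Ordering: stealer logs first (the device itself is compromised), then breaches
    that exposed a password (rotate it everywhere it was reused), then the rest;
    within each group, newest first.
    """
    today = today or date.today()
    rows = []
    for b in json.loads(response_json):
        classes = b.get("DataClasses", [])
        # HIBP data classes are free text such as "Passwords", "Historical passwords";
        # match loosely so any password-bearing class counts.
        exposed_password = any("password" in c.lower() for c in classes)
        stealer = bool(b.get("IsStealerLog", False))
        age_days = (today - date.fromisoformat(b["BreachDate"])).days
        if stealer:
            action = "captured by malware: change the password AND clean/replace the infected device"
        elif exposed_password:
            action = "rotate this password everywhere it was reused, then enable MFA"
        else:
            action = "no password exposed: expect targeted phishing using these details"
        rows.append({"name": b["Name"], "date": b["BreachDate"], "age_days": age_days,
                     "exposed_password": exposed_password, "stealer_log": stealer,
                     "action": action})
    rows.sort(key=lambda r: (not r["stealer_log"], not r["exposed_password"], r["age_days"]))
    return rows


def fetch_breaches(email: str, api_key: str) -> str:
    """Live lookup (hypothetical helper). Needs an HIBP API key; 404 means 'not pwned'."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           + urllib.parse.quote(email) + "?truncateResponse=false")
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key,
                                               "user-agent": "breach-triage-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return "[]"
        raise


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, date(2025, 6, 1)):
        print(f"{row['date']}  {row['name']:<20} {row['action']}")
```

Run it as-is and it prints the triage of the constructed sample; swap in `fetch_breaches(address, key)` for `SAMPLE_RESPONSE` to run it against a real address once you have a key. The sort order is the point: a stealer-log hit means a machine you or someone near you used was infected, and changing the password on a still-infected machine just hands over the new one.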

Step 2: Check the passwords you're using

This is the part that hurts. HIBP has a sister service called Pwned Passwords at haveibeenpwned.com/Passwords. You can type any password you're worried about, and the tool tells you how many times that password has appeared in leaked data. For instance ‘Password123’ showed up 1,505,362 times when I checked; the count only goes up as new dumps are loaded.

The clever bit. Your password is hashed (SHA-1) in your browser before anything is sent, and the service only ever receives the first five hex characters of that hash. It replies with every hash suffix it holds for that prefix (typically several hundred), and your browser does the matching locally. The full password, and even the full hash, never leave your machine. The scheme is publicly documented, so if you want to verify it rather than trust it, open your browser's network tab and confirm the request carries five characters and nothing else.
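Here is that range query worked end to end, as an added example (not code from the original post or from HIBP). The protocol it implements is HIBP's public Pwned Passwords API: SHA-1 the password, send the first five hex characters to `https://api.pwnedpasswords.com/range/{prefix}`, and match the returned `SUFFIX:COUNT` lines locally. The sample response below is constructed, not a real API reply, and the counts in it are made up; the live `fetch_range` helper is only used when you ask for it.

```python
"""The k-anonymity range query that Pwned Passwords uses, worked end to end.

Added example, not code from the original post or from HIBP. The protocol
(SHA-1, send a 5-character prefix, match suffixes locally) is HIBP's public API;
the sample response below is constructed, with made-up counts.
"""
import getpass
import hashlib
import sys
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix): the 5 hex chars that are sent and the 35 that never leave."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    With the Add-Padding header HIBP also returns fake entries with count 0 so
    that response size doesn't leak how many matches exist; those are dropped.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def count_in_range(password: str, body: str) -> int:
    """How many times `password` appears, given the range response for its prefix."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live query. Only the 5-char prefix goes over the wire; padding is requested."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "range-query-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample for prefix 5BAA6. SHA-1("password") = 5BAA61E4...68FD8, so its
# suffix is the middle line; the other two lines are invented neighbours, and the
# count 0 line imitates the padding HIBP adds.
SAMPLE_RANGE = "\n".join([
    "0026B3A8E0F2E2B4F0BB1A5E6D7E8F9A0B1:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "F" * 35 + ":0",
])


if __name__ == "__main__":
    if "--live" in sys.argv:
        pw = getpass.getpass("password to check: ")  # never put it on the command line
        prefix, suffix = split_hash(pw)
        body = fetch_range(prefix)
    else:
        pw, body = "password", SAMPLE_RANGE
        prefix, suffix = split_hash(pw)
    print(f"sent only prefix {prefix}; matched locally {parse_range(body).get(suffix, 0)} times")
```

Note that getpass is used for the live mode deliberately: a password typed as a command-line argument ends up in your shell history and in the process list, which would defeat the point of a privacy-preserving lookup.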

If you'd rather not type a password into a web form, your password manager probably has this check built in. 1Password calls it Watchtower. Bitwarden has a Data Breach Report. LastPass has Security Dashboard. Whatever you use, look for a feature called something like "breach monitoring" or "password health." Every password in your vault gets checked against the same Pwned Passwords data, using the same hash-prefix query.

Step 3: Set up ongoing monitoring

The breach you should worry about most is the one that hasn't happened yet. Sign up for free email notifications at haveibeenpwned.com/NotifyMe for each address you care about. The next time one of those addresses shows up in a new breach, you'll get an email within a day or two.

If you run your own business domain (something@yourbusiness.com), there's a free tier for domain owners covering up to ten breached addresses. You verify control of the domain, then you can see all addresses on that domain that have ever appeared in a breach. Worth doing for a small business.

Step 4: Fix what you found

This is the only step that matters, and it's the one most people skip. You found out you're in a breach. Now what?

Change the password on every account that uses the leaked one. The breached service, sure, but also every other place you reused it. Even when the breach listing says the passwords were hashed, assume they've been cracked; a weak hash of a common password falls in minutes. If the leaked password is one you've used recently, this is going to mean ten or fifteen logins to clean up. Do it anyway.

Turn on MFA on the important accounts. Email, bank, accounting software, domain registrar, password manager. MFA is what makes a future leak stop being fatal. I wrote a separate post on which kind to pick and why.

Stop reusing passwords. This is what a password manager is for. If you don't have one, this is the moment to get one. 1Password and Bitwarden are both solid choices; Bitwarden has a free tier that covers most people.

Don't pay shakedown emails. You may get an email from "yourself" with one of your old passwords in the subject line, demanding bitcoin or "the recipient list will be released." Those are bulk spam. The sender downloaded the same breach file you're now looking at and ran a script that emailed every address in the dump. They have nothing on you beyond that file. Paying confirms you're a real person who panics, which puts you on a more aggressive target list. Delete and move on.

What to skip

The "remove your data from the dark web" subscription services. Once a breach is out, the data has been copied to so many places that no service can pull it back. The companies selling removal are mostly selling you a monitoring subscription that does what HIBP already does for free.

The "AI-driven personal cyber risk score" products. Many are built on HIBP's data with a marketing layer on top. If you find a scored version more motivating, fine. The free tools do everything they do.

What this is really for

The actual benefit of going through this isn't the list of breaches you find. It's the moment, three months later, when you get one of those shakedown emails or a suspicious login alert, and instead of panicking, you know exactly which password to change, which account is exposed, and how worried you should actually be.

That's the difference between an afternoon of anxiety and a five-minute fix.

If you've been through this kind of check and ran into something I didn't cover, I'd love to hear about it. You can reach me at joel@freshfromcache.com.

Joel

Sources

  • Have I Been Pwned (the tool itself): Troy Hunt — haveibeenpwned.com.

  • Stealer logs in HIBP: Troy Hunt, Experimenting with Stealer Logs in Have I Been Pwned (January 2025) — link.

  • 23 billion new rows in the last year: Troy Hunt, Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs (February 2025) — link.
