Have I Been Pwned — How to Check and What to Do
Have I Been Pwned (HIBP) is a free tool that lets you check whether your email address or password has appeared in a known data breach. It's run by security researcher Troy Hunt and is trusted by governments and organisations worldwide, including the UK's National Cyber Security Centre (NCSC). This guide explains how to use it, what the results mean, and what to do if your data has been exposed.
How to Check Your Email Address
- 1. Go to haveibeenpwned.com
- 2. Enter your email address in the search box
- 3. Click "pwned?"
The result will either show:
“Good news — no pwnage found” — your email hasn't appeared in any known breach in the HIBP database.
“Oh no — pwned!” — your email appeared in one or more data breaches; the page will list which breaches and what data was exposed.
Understanding the Results
If your email appears in a breach, note:
- What data was exposed — email only, or also passwords, phone numbers, dates of birth, addresses?
- When the breach occurred — older breaches (pre-2020) are less urgent if you've changed passwords since
- How many breaches — appearing in multiple breaches means attackers may have combined your data for credential stuffing attacks
Appearing in a breach does not mean your accounts have been hacked. It means your data is circulating — which makes you a target.
What to Do If You've Been Pwned
Change the password for the breached service
Even if the breach is old, change that account's password now. Use a unique password you don't use anywhere else.
Check if you reuse that password anywhere
If the exposed password is used on other accounts — email, banking, shopping — change it on every one of those accounts immediately.
Enable two-factor authentication
On every account where it's available, especially email and banking. This stops attackers even if they have your password.
Check your email account for suspicious activity
Look at sent items, forwarding rules, and recent login activity. See signs your email has been hacked.
How to Check Your Passwords
Have I Been Pwned also has a Pwned Passwords tool at haveibeenpwned.com/Passwords. You can check whether a specific password has appeared in any breach. It uses a k-anonymity model — your full password is never sent to the server, only a partial hash, so the check is safe to perform. If a password you currently use appears there, change it everywhere you use it.
Set Up Breach Notifications
You can register your email address at haveibeenpwned.com to receive a notification if your address appears in a future breach. This is free and recommended for all UK users.
Frequently Asked Questions
Is it safe to enter my email address on Have I Been Pwned?
Yes. Have I Been Pwned only checks whether your email has appeared in known breach databases — it doesn't store your email in any way that creates a new risk. It is operated by Troy Hunt, a Microsoft Regional Director, and is endorsed by the NCSC.
I appeared in a breach from 2018. Should I still act?
Yes, if you haven't changed that password since 2018. Old breach data circulates indefinitely and is combined with newer breaches. Change the password and enable 2FA on that account.
My email appeared in a breach but my account still works fine. Does that mean I'm OK?
Not necessarily. Attackers may not have attempted to access your account yet, or may have failed. Treat the breach notification as a warning — change the password, enable 2FA, and check your account activity for anything unusual.