Have I Been Pwned? What to Do If Your Email or Password Was Leaked
HIBP indexes more than 14 billion leaked accounts. 80% of US adults got a breach notice in the last 12 months. Here's what to do in the next 24 hours when you find your email in a leak.
Type your email into haveibeenpwned.com right now. The odds you'll find at least one breach are extremely high — and finding five or more is normal. Per the Identity Theft Resource Center's 2025 Annual Data Breach Report, 80% of US consumers received a breach notification in the last 12 months, and 88% of those reported at least one negative consequence — fraud, account takeover, identity theft, or a sharp uptick in phishing.
HIBP is the free service Australian security researcher Troy Hunt launched on December 4, 2013, after analyzing the October 2013 Adobe breach (153 million accounts with weakly encrypted passwords). As of late 2025, HIBP indexes more than 14 billion pwned accounts across 975 websites, plus a separate dataset of about 1.3 billion unique compromised passwords. The Pwned Passwords API alone served 17.45 billion lookups in October 2025.
This guide covers two things. First, how HIBP actually works — including the cryptographic trick that lets you check if a password was leaked without ever sending the password to the server. Second, a 6-step response plan for when you find your email or a password of yours in a leak — with current 2026 standards from NIST, FBI IC3, and CISA, plus a worked example timeline you can follow in roughly 3 hours of focused work.
What Have I Been Pwned Actually Is
Hunt launched HIBP with five seed breaches: Adobe, Stratfor, Gawker, Yahoo Voices, and Sony Pictures. Twelve years later it's the de facto industry tool for breach lookup. Mozilla Monitor, 1Password Watchtower, and Firefox's built-in breach alerts all use HIBP data. Corporate security programs and government agencies query the Pwned Passwords API to enforce password policies.
One factual correction worth making, since it's repeatedly misreported: 1Password did not acquire HIBP. 1Password and HIBP have been commercial partners since March 2018, when 1Password's Watchtower feature integrated with the HIBP API. Hunt joined the 1Password Board of Advisers in October 2020. In 2019, he explored selling HIBP through a process called Project Svalbard but cancelled the sale in March 2020 and announced ongoing independence. HIBP is run by Hunt with his wife Charlotte (Chief of Operations) and Stefán Jökull Sigurðsson (joined 2023). Cloudflare provides infrastructure sponsorship.
Why HIBP became the standard:
- Free for individual email lookups and password checks.
- Privacy-preserving via k-anonymity (explained next), so HIBP never sees the password you're checking.
- Independent, with no incentive to sell breach data or upsell paid scans.
- Paid domain monitoring for organizations that want alerts when any email on their domain is compromised.
How to Check If a Password Was Hacked (Without Giving It Away)
The most clever piece of HIBP is the Pwned Passwords API, which lets you check whether a specific password is in a breach without ever transmitting the password. The technique is called k-anonymity:
- Your client computes the SHA-1 hash of your password — a 40-character hex string.
- Your client sends only the first 5 hex characters (the "prefix") to api.pwnedpasswords.com.
- The server returns all hash suffixes in the database that begin with that prefix — typically 400 to 600 matches.
- Your client compares the rest of your SHA-1 hash against that list locally.
The server never sees the full hash, never sees the password, and the 5-character prefix matches millions of possible inputs. Even if the network traffic were intercepted, no one could reverse-engineer the password from a 5-character SHA-1 prefix. This is what lets password managers like 1Password and Bitwarden run real-time breach checks on your vault without leaking anything.
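A minimal client for the range check described above, as an added example rather than HIBP's own code: it sends only the 5-character prefix and matches the remaining 35 characters locally. The live endpoint and the Add-Padding header are the real HIBP API; the sample range response, its counts and the extra suffixes are constructed for the offline demonstration.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as 40 uppercase hex characters, the format HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries carry count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """k-anonymity check: only the 5-char prefix leaves the machine; the suffix is compared locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    body = fetch_range(prefix)
    return parse_range(body).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real query to the HIBP range endpoint (network). Add-Padding hides the true response size."""
    req = urllib.request.Request(API + prefix, headers={"Add-Padding": "true",
                                                        "User-Agent": "hibp-k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the server: a tiny range response for prefix 5BAA6.
# The first suffix is the real remainder of SHA-1("password"); the counts and other suffixes are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FEDCBA9876543210FEDCBA9876543210FED:0",  # padding-style entry, count 0
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch_range_offline))
```

Passing fetch_range_live instead of fetch_range_offline runs the same check against the real service; a password manager's breach audit is this loop over every entry in the vault.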
The Modern Breach Scale (2025-2026 Statistics)
Some current numbers, so the abstract idea of "your data is everywhere" feels concrete:
| Source | Stat | What it means |
|---|---|---|
| IBM Cost of a Data Breach 2025 | US avg breach $10.22M; global avg $4.44M | Highest US figure ever; "shadow AI" adds ~$670K per breach |
| ITRC 2025 | 3,322 US breaches (record), 278.8M victim notices | +5% YoY, +79% over 5 years |
| Verizon 2025 DBIR | Stolen credentials = 22% of initial access; ransomware in 44% of breaches; human element in 60% | Credentials remain the top single attack vector |
| FBI IC3 2025 | $20.9B total US cybercrime losses (+26% YoY); 191,561 phishing complaints | First year US cybercrime losses crossed $20B |
| SpyCloud 2025 | 53.3B identity records, 3.1B exposed passwords (+125%), 70% of breach victims reused passwords | Reuse is the variable that turns one breach into ten |
| Akamai / Fortinet 2025 | ~26 billion credential stuffing attempts/month globally | Automated re-use of leaked credentials at industrial scale |
And here are the 2024-2025 mega-breaches worth knowing by name:
- National Public Data, August 2024 — alleged 2.9 billion records (names, addresses, SSN, DOB, phone). The company filed Chapter 11 bankruptcy in October 2024 and shut down in December.
- Snowflake-related cluster, mid-2024 — about 165 organizations affected through stolen Snowflake account credentials, including AT&T (110 million customer call/text records), Ticketmaster, and Santander. Threat actor "ShinyHunters / UNC5537"; Connor Moucka was arrested in Kitchener, Ontario in October 2024.
- Synthient ingestions, October-November 2025 — Hunt added two huge datasets to HIBP: 183 million unique emails on October 21, then about 2 billion more emails and 1.3 billion unique passwords on November 5, the largest single ingestion in HIBP's history.
What Attackers Do With Leaked Credentials
"It's just an old password" is the wrong frame. Real abuse patterns:
- Credential stuffing. Automated reuse of leaked username/password pairs against thousands of other sites. Akamai and Fortinet estimate ~26 billion attempts per month globally. Anyone who reused a password has effectively had every site with that password compromised.
- Tailored phishing. Knowing your real name, address, and recent purchases makes a spear-phishing email far more convincing. ITRC: 40% of breach-notice recipients reported a measurable phishing increase.
- Account takeover (ATO) chains. Email compromise → password resets on bank or crypto accounts → wires or withdrawals. Verizon's 2025 DBIR pegs stolen credentials at 22% of initial access.
- SIM-swap to bypass SMS-based 2FA. Attackers port your phone number to harvest SMS codes. The FBI's IC3 reported $26 million in SIM-swap losses in 2024 alone.
- Sextortion and "I hacked you" emails. Old leaked passwords get cited in extortion emails for credibility, exploiting people who don't realize the password is from an unrelated public breach.
Email Leaked? What to Do in the Next 24 Hours: A 6-Step Plan
Step 1 — Confirm exposure (5 minutes)
Open haveibeenpwned.com and enter your primary email. If you have additional emails (work, personal, recovery, old college account), check each one. Five or more breaches is normal — don't panic, just inventory which sites are involved.
Cross-check with Google Password Checkup (for Chrome-saved passwords), Mozilla Monitor (free, HIBP-powered), or 1Password Watchtower if you subscribe.
Common mistake: only checking your main email and forgetting the recovery address attached to it.
Step 2 — Change the affected password and every reused instance (15-30 minutes)
SpyCloud's 2025 data: 70% of breach victims reuse passwords. That single variable is what turns a single breach into compromise of every site you signed up with. Log in to the breached service and change to a unique 16+ character random string. Then change every other site where you reused that password.
Common mistake: changing only the breached site while leaving the same password live on Amazon, PayPal, or Gmail.
Step 3 — Enable 2FA / passkeys everywhere (about 20 minutes for top 10 accounts)
Strength order, weakest to strongest: SMS < TOTP authenticator app < hardware key < passkey. Use the strongest option offered. The 2025 final version of NIST SP 800-63 classifies SMS as "restricted." CISA and the FBI told Americans in December 2024 to move off SMS-based MFA after the Salt Typhoon telecom intrusion.
Per the FIDO Alliance, around 1 billion people have activated at least one passkey and roughly 15 billion accounts now support them — passkeys are mainstream, not experimental.
Common mistake: turning on SMS-only 2FA and stopping there. SIM-swap defeats SMS.
Step 4 — Move to a password manager (30-minute setup, lifetime payoff)
You cannot generate or remember 100 unique 16-character passwords without one. Two strong picks for 2026:
- 1Password — Wirecutter's current top pick. Pricing rose in March 2026 to about $48/year individual or $72/year family. Watchtower powered by HIBP, native passkey support.
- Bitwarden — open source, audited annually. The free tier covers most users (unlimited passwords, devices, sync, passkeys included).
Install, import passwords from your browser, run the manager's reuse / breach audit, and rotate the most exposed passwords first.
Common mistake: a weak or reused master password. The master must be the strongest password you have.
Step 5 — Monitor finances and freeze your credit (about 30 minutes)
The 2024 NPD breach exposed 2.9 billion records of name + SSN + DOB + address. SSN-based fraud is now industrial-scale, which makes credit freezes the highest-leverage defensive step. All three US bureau freezes are free and reversible:
- Equifax: 888-298-0045 / equifax.com
- Experian: 888-397-3742 / experian.com
- TransUnion: 800-916-8800 / transunion.com
Also pull your free annual reports at annualcreditreport.com (now free weekly) and look for accounts you didn't open.
Common mistake: freezing only one bureau. Fraudsters apply through whichever bureau the lender uses; if even one is unfrozen, the freeze gives no protection.
Step 6 — Set up Google Alerts and email aliases for the future (10 minutes)
Set Google Alerts on your full name, primary email, and phone number to catch unusual web mentions. For new signups going forward, use email aliasing services so a breach at one provider doesn't expose your real address:
- Apple Hide My Email (iCloud+ subscribers)
- SimpleLogin (free 10 aliases, included in Proton Pass Premium)
- Firefox Relay (free 5 aliases)
Why SMS 2FA Is Now the Weak Link — and What to Use Instead
If you remember one thing from this section: SMS-based two-factor authentication can be defeated by a phone call to your carrier. Attackers call, claim they're you, port your number to their SIM, and now they receive your codes. Carriers fixed some of this in 2023-2024, but losses still totaled $26M in 2024 per FBI IC3, and the December 2024 Salt Typhoon advisory pushed CISA and the FBI to officially recommend switching off SMS for sensitive accounts.
| 2FA option | Phishing-resistant? | Use it? |
|---|---|---|
| SMS / phone call | No | Last resort only; vulnerable to SIM swap |
| TOTP authenticator app (Authy, 1Password, Google Authenticator) | Partial — vulnerable to real-time phishing | Good baseline |
| Hardware key (YubiKey, Google Titan) | Yes | Best for high-value accounts; modern YubiKey 5 holds up to 100 passkeys |
| Passkey (FIDO2 / WebAuthn) | Yes — by cryptographic design | The 2026 default; works on iPhone, Android, Mac, Windows |
Privacy Layers Beyond Passwords
HIBP only knows about publicly disclosed breaches. Infostealer logs, unindexed paste dumps, and private trade between criminal groups still circulate. So a clean HIBP result doesn't mean fully safe. Three additional layers worth investing in:
- Email aliases — using a unique alias per signup means one breach doesn't expose your real address or chain together with other breaches.
- Data broker removal — services like DeleteMe (~600 brokers, human-assisted) and Incogni (420+ brokers, automated) reduce your exposure on people-search sites that get scraped during phishing.
- Browser hardening — Firefox plus uBlock Origin, or Brave, cuts the volume of trackers and fingerprinting. You can see exactly what your current browser exposes in our Browser Privacy Checker.
Worked Example: A 7-Day Recovery Timeline
How the 6 steps actually slot into a week. Imagine a typical user we'll call Maya — 34, marketing manager, types her primary Gmail into HIBP and finds 5 hits: Adobe 2013, LinkedIn 2021, Ticketmaster 2024 (Snowflake), NPD 2024, Synthient 2025.
| Day | Action | Time |
|---|---|---|
| 1 | Change Gmail password to a 1Password-generated 20-character string. Activate a passkey on Gmail. | 20 min |
| 2 | Import all 84 Chrome-saved passwords into 1Password. Watchtower flags 41 reused. Rotate the top 10 most-exposed. | 40 min |
| 3 | Freeze credit at Equifax, Experian, and TransUnion. Set up Google Alerts on name, email, phone. | 30 min |
| 5 | Add a YubiKey 5C as backup 2FA on Gmail and the primary bank account. | 20 min |
| 7 | Sign up for SimpleLogin. Switch new signups to aliases going forward. | 15 min |
Total: about 3 hours. The result: credential stuffing against her becomes useless because every account now has a unique password; SIM swap can't compromise her bank because hardware-key 2FA replaced SMS; future breaches won't expose her real email. None of this requires technical expertise — just a focused afternoon.
The Honest Conclusion
Data breaches are no longer rare events worth a single news cycle. ITRC's 2025 numbers say 80% of US adults already received a breach notice in the past year. The question isn't whether your data will leak; it's whether you've set up the response so the next leak takes 1 hour instead of 1 month of damage. Six steps. Three hours. And then a habit of checking HIBP every few months and rotating any passwords flagged.