Free Tool Arena


How to check for password breaches

How k-anonymity breach checking works (no password sent), HIBP usage, password vs email checks, what to do when a breach hits, password manager integration.

Updated April 2026 · 6 min read

If your password showed up in a known breach, attackers already have it. Checking against breach databases is a 10-second habit that prevents credential-stuffing takeovers, one of the most common account-compromise vectors. This guide covers how breach checks actually work (k-anonymity, no plaintext sent), what services like HaveIBeenPwned do, when to check passwords vs emails, what to do when a breach is found, and why checking doesn't replace using a password manager.


What a breach database is

When a service gets hacked, attackers often publish (or sell) the stolen user data. Sites like HaveIBeenPwned (HIBP) collect these leaks and make them searchable by email or password hash.

HIBP currently indexes more than 10 billion leaked account records from hundreds of breaches, including LinkedIn, Adobe, Yahoo, Dropbox, and many more. If your password shows up there, it is available to anyone running credential-stuffing attacks.

K-anonymity — how checking stays safe

You might hesitate to paste a password into any website, even one that claims to check it. Good news: you don’t have to send it.

HIBP’s Pwned Passwords API uses k-anonymity:

1. Your browser computes the SHA-1 hash of your password locally and renders it as 40 upper-case hex characters.

2. It sends only the first 5 hex characters of that hash (the prefix) to the API.

3. HIBP returns every hash in its corpus that starts with that prefix, as 35-character suffixes each paired with the number of times it was seen, typically several hundred to about a thousand entries.

4. Your browser compares the remaining 35 characters of your own hash against that list locally. A match means the password is in the corpus, and the count tells you how often.

HIBP never receives your full hash, let alone your password. Anyone who sees the request learns only a 5-character prefix, which is shared by hundreds of exposed passwords and by every unexposed password whose hash happens to start the same way, so it identifies neither you nor your password. The match happens on your machine, so the server cannot tell whether you got a hit. One subtlety: response sizes differ slightly between prefixes, so an observer who can measure the response could narrow down which prefix you asked about; the API accepts an Add-Padding: true request header that pads every response with zero-count dummy entries to blur this.

A tool that implements this correctly is safe to use with real passwords: the hash is computed on your machine and only the prefix leaves it. You can verify that yourself in the browser's network tab, where the only request should be a GET to api.pwnedpasswords.com/range/ followed by 5 hex characters. Avoid tools that post the full password, or even the full hash, to a server: a bare SHA-1 of a password is cheap to brute-force, so sending it is nearly as bad as sending the password.
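As an added worked example (not code from this page or from HIBP), here is the client side of the k-anonymity protocol in Python: hash locally, send only the 5-character prefix, match the 35-character suffix locally. The endpoint URL, the SUFFIX:COUNT line format and the Add-Padding header are HIBP's documented interface; the sample range data, the count 12345 and the offline_fetch stand-in are constructed for this example so that it runs without network access.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password locally and split the upper-case hex SHA-1 into the
    5-character prefix (the only part that is ever sent) and the
    35-character suffix (which stays on this machine)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a Pwned Passwords range response: one 'SUFFIX:COUNT' per line.
    With the Add-Padding header the server mixes in dummy suffixes whose
    count is 0; they carry no information and are dropped here."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup against HIBP. Note what goes over the wire: the 5-character
    prefix and nothing else. Add-Padding: true asks the server to pad the
    response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = no hit).
    `fetch` maps a prefix to a range body; swapping it out lets the same
    logic run against canned data, as the offline demo below does."""
    prefix, suffix = split_sha1(password)
    body = fetch(prefix)  # the only network-visible value is `prefix`
    return parse_range(body).get(suffix, 0)


# Constructed sample range (NOT real HIBP data), in the exact wire format.
# The first suffix is the genuine SHA-1 tail of "password" (full hash
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the count 12345 is made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
        + "F" * 35 + ":0\r\n"  # a padding entry, as sent with Add-Padding
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed data above.
    An unknown prefix yields an empty body, i.e. nothing in that bucket."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        hits = pwned_count(pw, offline_fetch)
        verdict = (f"seen {hits} times, do not use" if hits
                   else "no known exposure (not the same as strong)")
        print(f"{pw!r}: sent prefix {prefix} -> {verdict}")
    # For a real check, pass fetch_range instead of offline_fetch.
```

The split between fetch and match is the whole point: pwned_count never hands the suffix to anything that could leave the machine, and replacing the fetcher with canned data is enough to unit-test the logic without touching the network.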

Password-level vs email-level checks

Two different questions, two different answers.

Password check: has this specific password ever appeared in any breach? Done via the k-anonymity API. Answers “yes, 1,234,567 times” or “no”.

Email check: has this email appeared in any breach? Lookup by email. Tells you which services you had accounts on that got breached, plus what data was exposed (passwords, phone, address, etc.).

Run both. Password check tells you if a password is reused and exposed. Email check tells you which accounts need specific action.

What the password check tells you

A hit means the password has been seen in breaches, possibly used by other people on other services. It doesn’t necessarily mean your account was breached — common passwords (password123, qwerty) get millions of hits just because they’re common.

Any hit = don’t use that password. Credential-stuffing attacks try known-exposed passwords against millions of email/password combos. You don’t want to be one of them.

Zero hits means the password isn’t in any known breach. Doesn’t mean it’s strong — just unexposed. Strength and breach exposure are separate concerns.

What to do if your password is breached

Change it immediately on the affected service.

Change it on every service where you reused it; reuse is the main attack path.

Enable 2FA / MFA on any service that supports it. Breached password alone won’t grant access if you have a second factor.

Check the email-breach list to understand what specific data was exposed (phone, DoB, security answers) — you may need to rotate more than the password.

When email shows up in a breach

Different exposure classes have different severities:

Email + password (plaintext or weak hash): highest urgency. Change everywhere.

Email + password hash (bcrypt/argon2): lower urgency. Strong, salted, slow hashes are expensive to crack at scale, but a weak or common password still falls to targeted guessing, so rotate on the affected service anyway. Unsalted MD5 or SHA-1 is not a strong hash; treat those leaks as plaintext.

Email + metadata (name, address, phone): lower urgency for account security, higher for phishing risk. Attackers can craft tailored phishing emails using leaked info.

Email only: low urgency. You might get spam, but account access isn’t directly at risk.

Why a password manager makes this easier

Breach checking and password management solve overlapping problems. A password manager:

Generates unique passwords per site → breach of one service can’t cascade.

Many (1Password, Bitwarden, Dashlane) integrate HIBP-style breach checks automatically. You get alerted when a stored password appears in a new leak.

Stores them securely so you don’t need to memorize or reuse.

Breach checking alone isn’t enough. It tells you when to rotate; a password manager tells you how to rotate without reusing.

Automating regular checks

One-time checks are a start. Ongoing monitoring is better.

HIBP notifications: subscribe your email and get notified when new breaches appear involving that email.

1Password Watchtower, Bitwarden Reports, Dashlane Dark Web Monitoring: run continuously against your stored credentials.

Browser integrations: Chrome, Firefox, and Safari all have built-in breach warnings. Don’t disable them.
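To show how the exposure classes above and the ongoing email monitoring this section recommends can be automated, here is an added Python example (not from this page or from HIBP) that triages the breaches one address appears in into the four urgency classes and orders the required actions. The breach records are constructed; the field names (Name, Domain, BreachDate, DataClasses) and the data class labels follow HIBP's breached-account API, and the fetch_breaches helper, which needs an HIBP API key, is included for live use but not exercised by the offline demo. Which data classes map to which tier is this example's choice.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Data class names as HIBP spells them. Which classes drive each tier is this
# example's choice, following the exposure classes described in the article.
PASSWORD_CLASSES = {"Passwords", "Password hints"}
SECURITY_ANSWER_CLASSES = {"Security questions and answers"}
PHISHING_CLASSES = {"Names", "Phone numbers", "Physical addresses", "Dates of birth"}

# Tier -> recommended action, highest urgency first.
ACTIONS = {
    3: "passwords exposed: change on this service and everywhere it was reused; enable MFA",
    2: "security answers exposed: replace them (they work like passwords); expect phishing",
    1: "personal data exposed: low account risk, high phishing risk; verify senders",
    0: "email only: expect spam, no direct account risk",
}


def classify(breach: dict) -> int:
    """Map one breach record to an urgency tier from its DataClasses.
    A record listing 'Passwords' does not say how they were hashed, so it is
    treated as the top tier; downgrade by hand if the breach notes say
    bcrypt/argon2."""
    classes = set(breach.get("DataClasses", []))
    if classes & PASSWORD_CLASSES:
        return 3
    if classes & SECURITY_ANSWER_CLASSES:
        return 2
    if classes & PHISHING_CLASSES:
        return 1
    return 0


def triage(breaches: list[dict]) -> list[dict]:
    """One row per breach, most urgent first; ties go oldest first, since
    older exposures have been circulating longer."""
    rows = []
    for b in breaches:
        tier = classify(b)
        rows.append({
            "name": b["Name"],
            "domain": b.get("Domain", ""),
            "date": b.get("BreachDate", ""),
            "tier": tier,
            "action": ACTIONS[tier],
        })
    rows.sort(key=lambda r: (-r["tier"], r["date"]))
    return rows


def fetch_breaches(email: str, api_key: str, timeout: float = 10.0) -> list[dict]:
    """Live lookup of the breaches an address appears in. The v3 endpoint
    requires an HIBP API key; a 404 means the address is in no known breach."""
    url = HIBP_BREACHED_ACCOUNT_URL + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "User-Agent": "breach-triage-example"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


# Constructed records (NOT real breaches) in the shape the API returns,
# trimmed to the fields this example reads.
SAMPLE_BREACHES = json.loads("""[
  {"Name": "ExampleNewsletter", "Domain": "news.example", "BreachDate": "2021-02-14",
   "DataClasses": ["Email addresses"]},
  {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2023-05-01",
   "DataClasses": ["Email addresses", "Passwords", "Names"]},
  {"Name": "ExampleDirectory", "Domain": "dir.example", "BreachDate": "2022-09-30",
   "DataClasses": ["Email addresses", "Names", "Phone numbers", "Physical addresses"]},
  {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2020-11-11",
   "DataClasses": ["Email addresses", "Usernames", "Security questions and answers"]}
]""")


if __name__ == "__main__":
    for row in triage(SAMPLE_BREACHES):
        print(f"[{row['tier']}] {row['name']} ({row['date']}): {row['action']}")
    # Live use: triage(fetch_breaches("you@example.com", api_key))
```

Run on a schedule against the addresses you care about, the same ordering turns a raw breach list into a to-do list: everything in tier 3 gets rotated today, tier 2 means recovery answers are burned, and the lower tiers are a phishing heads-up rather than an account emergency.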

Common mistakes

Pasting passwords into a non-k-anonymity site. You just gave them your password. Check the tool’s method first.

Only checking once. New breaches happen monthly. Subscribe to notifications.

Ignoring zero-hit results. Zero exposure doesn’t mean the password is strong. Low entropy passwords get cracked even without a breach.

Rotating only the breached service. If you reused the password, every site is at risk.

Treating MFA as optional. MFA is the single most effective control against credential stuffing; turn it on for every account that supports it, especially email and banking, and prefer phishing-resistant methods (security keys, passkeys) over SMS codes where they are offered.

Forgetting security questions. “Mother’s maiden name” is often leaked alongside the password. Treat answers as passwords — unique and unguessable.

Run the numbers

Check whether a password is in known breaches with the password breach checker. Pair with the password strength checker to ensure the replacement is strong, and the password generator to create a unique replacement.
