Data Breach Checker

The naive approach is to send your email to a server that checks against a database — which means handing every queried email to whoever runs the service. HIBP and this tool use k-anonymity: hash the email with SHA-1, send only the first 5 characters of the hash to the API, receive all breaches matching that prefix (typically a few hundred entries), and check locally whether your full hash is in the response. The server never sees your full email or hash.

For passwords, the same scheme is used with SHA-1 of the password. You can paste a password and check if it has appeared in any breach without exposing the password itself. The API returns counts; you decide what threshold counts as "compromised" (anything > 0 is bad; > 1 is definitively compromised).

• Email + password pair — the most dangerous combination. If the password is reused on other sites, attackers will try it (credential stuffing). This is why password reuse is the single highest-leverage security mistake.
• Email + plaintext password (Adobe 2013) — same risk, immediate exposure. Rotate any reuse of this password.
• Email + hashed password — depends on the hash. Unsalted SHA-1 (LinkedIn 2012) is GPU-crackable in hours. bcrypt with high cost factor (Dropbox) is much slower but rainbow tables for common passwords are precomputed.
• Email + phone (Twitter 2022 API bug) — used for SMS-based phishing and SIM swap targeting.
• Email + address / DOB / SSN (T-Mobile, Equifax) — identity theft material. Cannot be rotated like a password; harder to mitigate.
• Email alone — least-impact case, but spam-list inclusion. Most public emails end up on multiple spam lists eventually.

• You want to know which breaches have exposed your data, prioritized by severity, so you can act on the worst first.
• You are signing up for a new service and want to know if their domain has been breached recently before trusting them with new data.
• You are auditing a small team's email addresses and want to flag accounts that need urgent password rotation.
• You suspect a recent breach (your spam tripled, you got a 2FA prompt you did not initiate) and want to confirm against the public database.

• It will not show your actual leaked passwords. HIBP intentionally does not store plaintexts; you can check if a specific password is in the database but you cannot list "all passwords associated with my email". This is by design — making such a service available would be a one-stop shop for attackers.
• It will not catch every breach. The database covers public/widely-circulated breaches. Targeted attacks, ransomware-encrypted data that never went public, and breaches the affected company has not disclosed are not in HIBP. Absence of a breach record is not safety.
• It will not rotate your passwords for you. Tool reports breaches; you are still responsible for password rotation. Use a password manager to track which accounts share passwords with breached services and prioritize rotation.
• It will not check stolen-credential markets (Genesis, Russian Market). Those operate outside HIBP and require different tooling.