
How to Check If Your Email Was Exposed in a Data Breach

Published 2026-06-02

Step-by-step guide to using Have I Been Pwned, Mozilla Monitor, and Google's breach scanner to find out which services have leaked your email, and what to do next.

Why You Should Do This

The average internet user's primary email address has appeared in 7-12 data breaches by their late twenties. Each breach exposes at minimum your email address, often a hashed (sometimes plaintext) password, and frequently your name, your IP address at signup, and other profile data. Checking which breaches you're in tells you (1) which passwords to rotate urgently, (2) which old accounts to delete, and (3) where to expect targeted phishing in the coming months.

Step 1: Have I Been Pwned

Visit haveibeenpwned.com. Enter your email. The site returns a list of breaches your address appears in, with breach dates, types of data exposed, and brief context. HIBP is run by security researcher Troy Hunt, has been operating for over a decade, and is the de facto authoritative source for breach disclosure.

Do this for every email address you've ever used — current, old, work, school. Old addresses often have the most exposures because they've been sitting in dumps for longer.

Step 2: Mozilla Monitor

Mozilla Monitor (formerly Firefox Monitor) at monitor.mozilla.org uses the same HIBP data but adds: free continuous monitoring with email alerts when new breaches appear, and a paid tier that scans data-broker sites to remove your information. Sign up with a stable email so the alerts have somewhere to land.

Step 3: Google's Password Checkup

If you use Google Password Manager (built into Chrome), the Password Checkup feature compares your saved passwords against Google's leaked-credentials database. Visit passwords.google.com/checkup while signed in. It surfaces:

  • Compromised passwords (exposed in a known breach — rotate immediately)
  • Reused passwords (one breach = many accounts compromised — make each unique)
  • Weak passwords (easy to brute-force — strengthen)

Step 4: Apple iCloud Keychain Recommendations

On macOS and iOS, Safari's iCloud Keychain shows security recommendations in Settings → Passwords → Security Recommendations. Same idea as Google's Password Checkup but for Apple users.

Step 5: 1Password Watchtower, Bitwarden Reports

Paid password managers have their own breach-detection dashboards. 1Password's Watchtower and Bitwarden's Reports both surface breached accounts, reused passwords, and weak passwords. If you're already paying for a password manager, use these features — they're more proactive than checking manually.

What to Do With the Results

  1. Change the password on every account flagged as compromised. Use a password manager to generate a unique one per account.
  2. Enable 2FA on each of those accounts. App-based 2FA (Authy, Google Authenticator) beats SMS-based.
  3. Delete accounts you don't use — the smaller your account surface, the smaller the future breach exposure.
  4. Watch for targeted phishing — breaches expose context (your name, the site you used, the date) that scammers weave into convincing phishing emails.
  5. Consider a fresh email for the most-exposed addresses, with the old one set to forward for six months. Then abandon the old one.

What Not to Do

  • Don't pay 'data-breach removal' services that promise to scrub your data. They mostly can't — breach data is in too many places.
  • Don't ignore old breaches just because they're old. A 2014 breach is still actively used by attackers; password-spray attacks rotate through old credential dumps daily.
  • Don't enter your password into a breach-check site. HIBP's password check uses a hashed-prefix protocol that never reveals your actual password — but copycat sites might not.

Related Guides

See also: Data breach defense article, 7-step spam reduction plan, and 2FA setup guide.

