6 min read · data breach, hibp, security

How to check if your email is in a data breach (and what to actually do)

Checking is free and takes 30 seconds. The follow-up is the part nobody talks about. Here's the full playbook.

Your email address is in a data breach. Almost certainly. Most emails that have existed for more than a year or two are in at least one, and the number goes up every month.

Finding out which breaches is easy. Doing the right thing with that information is where most people stop — which is the part that actually matters.

Here's the full playbook.

Step 1: Check Have I Been Pwned

haveibeenpwned.com is a free service run by security researcher Troy Hunt. It aggregates known data breaches from publicly disclosed leaks. You type your email; it tells you every breach that email appears in and roughly what data was in each one.

Type your main email in. Hit the button. Read the list.

What you're looking for in the results:

  • "Pwned in N data breaches" — the count. The average adult in 2026 is in 5-15. If you're in more than 20, you've been online a while.
  • The breach list: each entry shows the service, the breach date, and what was exposed. The interesting column is "Compromised data" — it tells you if just your email leaked, or email + password, or email + password + DOB + security questions, etc.
  • "Sensitive breaches" — some breaches aren't shown publicly because HIBP considers them too embarrassing (Ashley Madison, adult sites, etc.). These still count against you; you just can't see them unless you verify ownership of the email.

Step 2: Separate the three kinds of breach

Not every breach needs a response. You're triaging three buckets:

Bucket A — Email only. The breach exposed addresses but no passwords. These are annoying (data brokers use them for targeted phishing) but they don't compromise any account. Most marketing-list breaches are Bucket A.

Action: Note the site. Assume this address is now "burned" for any future security purpose. Do not re-use this address for signing up to security-sensitive services.

Bucket B — Email + password. The breach exposed addresses paired with either the password itself or a hash of it. Old breaches often leaked plaintext passwords; newer ones usually leaked weak hashes (MD5, unsalted SHA1) that have been cracked.

Action: Change the password for the breached service and any other service where you used the same password. This is the one you must not skip.

Bucket C — Email + credentials + identity data. The breach exposed your email along with DOB, address, phone, security questions, SSN, passport, or similar. These let attackers take over adjacent accounts via "password recovery" or impersonate you to customer support.

Action: See Step 4 below. This one is serious.
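The three-bucket triage above, as an added example (not code from the original post): it sorts a list of breach records into buckets A, B and C from their "Compromised data" classes. Field names follow the public HIBP breach model (Name, BreachDate, DataClasses); the records, thresholds and action strings are constructed sample data, not real HIBP output.

```python
# Added example: triage HIBP-style breach records into buckets A/B/C.
# Record shape follows HIBP's breach model; the SAMPLE data is constructed.
from typing import Dict, Iterable, List

# Class names as HIBP labels them; a breach is as bad as its worst class.
PASSWORD_CLASSES = {"Passwords", "Password hints"}
IDENTITY_CLASSES = {
    "Dates of birth", "Physical addresses", "Phone numbers",
    "Security questions and answers", "Social security numbers",
    "Passport numbers", "Government issued IDs",
}

ACTIONS = {
    "A": "note the site; treat this address as burned for security-sensitive signups",
    "B": "change the password here and everywhere you reused it",
    "C": "freeze credit, enable fraud alerts, replace security-question answers",
}

def bucket_for(data_classes: Iterable[str]) -> str:
    """Bucket C if any identity data leaked, else B if credentials, else A."""
    classes = set(data_classes)
    if classes & IDENTITY_CLASSES:
        return "C"
    if classes & PASSWORD_CLASSES:
        return "B"
    return "A"

def triage(breaches: List[dict]) -> Dict[str, List[str]]:
    """Group breach names by bucket, most serious bucket first."""
    out: Dict[str, List[str]] = {"C": [], "B": [], "A": []}
    for b in breaches:
        out[bucket_for(b.get("DataClasses", []))].append(b["Name"])
    return out

SAMPLE = [  # constructed records, not real breaches
    {"Name": "NewsletterCo", "BreachDate": "2019-03-01",
     "DataClasses": ["Email addresses", "Names"]},
    {"Name": "ForumSite", "BreachDate": "2016-07-12",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "TravelAgg", "BreachDate": "2023-11-30",
     "DataClasses": ["Email addresses", "Passwords", "Dates of birth",
                     "Passport numbers"]},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        for name in names:
            print(f"Bucket {bucket}: {name} -> {ACTIONS[bucket]}")
```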

Step 3: Change passwords — properly

For every Bucket B service, change the password. For every other service where you reused that password, change it too.

"Reused that password" is doing a lot of work. If your mental model is "I only reuse one password for unimportant stuff", you're about to realize that some of those "unimportant" accounts are actually load-bearing: the one that has your billing address, the one that's a password-reset hop to your main email, the one with your credit card saved.

The only real fix is a password manager. Bitwarden (free, open-source), 1Password, and Dashlane are all fine. Spend an afternoon, import your passwords from the browser, set the manager to force unique per-site passwords going forward. Never reuse a password again. This single change makes you mostly immune to credential-stuffing, which is how breaches turn into account takeovers.

Step 4: If identity data leaked (Bucket C)

Bucket C is the dangerous one. If your DOB, address, phone, passport, or SSN/tax file number is in a breach, you need to:

  1. Freeze your credit. In most countries this is free, online, and immediate. In the US: Equifax, Experian, TransUnion. In the UK: Experian, Equifax, TransUnion. Australia: Equifax, Experian, illion. This stops new accounts being opened in your name.
  2. Enable account-lock / fraud alert on anything that offers it. Many banks offer an extra "verify new device" step you can opt into.
  3. Change answers to security questions on any account that still uses them. Security questions are effectively passwords; leaked ones work exactly like leaked passwords. (Use random strings and store them in your password manager — there's no rule that your first pet has to be a real pet.)
  4. Watch your credit report for 3-6 months. Most identity fraud shows up within that window.
  5. Request your file from any data broker implicated (several US brokers are required by law to let you opt out).

Step 5: Enable 2FA on the accounts that matter

For any account you care about — primary email, password manager, bank, exchange, social — enable 2FA. Prefer:

  1. Hardware security key (YubiKey, Titan) — the strongest option.
  2. TOTP app (Authy, Aegis, 1Password's built-in) — very strong.
  3. Passkey / WebAuthn — strong and convenient where supported.
  4. SMS 2FA — better than nothing, but vulnerable to SIM swap attacks. Avoid for banks and exchanges.

Do not use the breached email as your 2FA recovery address if you have a better option. (Related: if your primary email is breached, consider whether it's still worth using.)

Step 6: Stop the next one

Everything above is reactive. You did a breach audit, cleaned up, locked down. Now consider that you're going to be in another breach within twelve months. What can you do proactively?

This is where email aliases enter.

The single most useful thing you can do — more useful than any single action above — is to stop giving sites your real email. Use an email alias for every signup. Different alias per site.

Why this changes the math:

  • When a breach happens, it's a breach of one alias, not your real address. You kill the alias. The leaked-to-every-phishing-list address is dead within minutes.
  • You know exactly which site leaked. Your target@you.com alias starts getting unrelated phishing? Target leaked. You can't get this clarity any other way.
  • Password-reuse becomes less catastrophic, because the email is per-site too. An "email + password" breach from one site can't be credential-stuffed at other sites — the other sites have a different email.
  • Phishing to that alias is neutralized. Phishers buy leaked lists and send "urgent" emails impersonating the breached brand. If the address they're phishing is dead, the phish never arrives.

You'll still want password managers, 2FA, and credit freezes. Aliases are the prevention layer that sits above all of that and lets you contain any single breach to one alias.
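A per-site alias scheme, as an added example (not code from the original post or any alias service): each site gets its own address, an inbound alias can be mapped back to the site that leaked it, and a burned alias is dropped. The domain, the secret and the HMAC-tag design are assumptions; the tag exists so a leaked alias gives no way to guess the aliases issued to other sites.

```python
# Added example: derive one alias per site, identify which site leaked an
# alias, and drop mail to aliases you have killed. DOMAIN and SECRET are assumed.
import hashlib
import hmac
import re
from typing import Optional, Set

DOMAIN = "you.example"     # assumed alias domain
SECRET = b"rotate-me"      # assumed; never given to any site
BURNED: Set[str] = set()   # sites whose alias has been killed after a leak

def _label(site: str) -> str:
    return re.sub(r"[^a-z0-9]", "", site.lower())

def alias_for(site: str) -> str:
    """Stable alias <site>.<tag>@DOMAIN; tag = truncated HMAC of the site label."""
    label = _label(site)
    tag = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{label}.{tag}@{DOMAIN}"

def site_for(address: str) -> Optional[str]:
    """Which site was this alias issued to? None if not ours or tag forged."""
    m = re.fullmatch(r"([a-z0-9]+)\.([0-9a-f]{8})@" + re.escape(DOMAIN), address)
    if not m:
        return None
    label, tag = m.groups()
    expected = alias_for(label).split("@")[0].split(".")[1]
    return label if hmac.compare_digest(tag, expected) else None

def burn(site: str) -> None:
    """Kill the alias once the site shows up in a breach or starts leaking spam."""
    BURNED.add(_label(site))

def handle_inbound(address: str) -> str:
    """'deliver' for a live alias, 'drop' for a burned one, 'reject' if not ours."""
    site = site_for(address)
    if site is None:
        return "reject"
    return "drop" if site in BURNED else "deliver"

if __name__ == "__main__":
    a = alias_for("Target")              # constructed example site name
    print(a, handle_inbound(a))          # deliver
    burn("Target")
    print(a, handle_inbound(a))          # drop
```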

A different email for every site. So the next breach is somebody else's problem.


Quick reference

If you read nothing else:

  1. Check haveibeenpwned.com today.
  2. If a password leaked, change it here and everywhere you reused it. Get a password manager.
  3. If identity data leaked, freeze your credit.
  4. Enable 2FA on everything that matters.
  5. Use aliases for everything new. Make the next breach irrelevant.
