IPcost

How to know if your email has been hacked (Have I Been Pwned)

Nicolas


Every year, billions of email addresses and passwords are stolen in massive data breaches at companies around the world. Most victims never find out — until the day their bank account is emptied, their identity stolen or their inbox used to send spam. Your email address may already have been compromised without you knowing it. Here is how to check in a matter of seconds and what to do if that is the case.

What is a data breach?

A data breach occurs when cybercriminals manage to break into a company's computer systems and steal the personal data of its users. This data typically includes email addresses, passwords (sometimes in plain text, sometimes encrypted), phone numbers, postal addresses and sometimes even banking information.

This stolen data is then sold on the dark web, used for targeted phishing attacks or exploited directly to access victims' accounts on other services where they use the same password.

Key takeaway: even if you have never been directly hacked, your email address may have been compromised in a breach at a third-party service you use — a social network, online shop, forum, app...

What is Have I Been Pwned?

Have I Been Pwned (HIBP) is a free service created in 2013 by Australian security researcher Troy Hunt. It aggregates data from hundreds of known data breaches and allows you to check in seconds whether your email address or password appears in these compromised databases.

The name "Have I Been Pwned" is a reference to the hacker slang term "pwned" (a distortion of "owned"), used to mean that a system or account has been compromised.

Today, Have I Been Pwned lists more than 12 billion compromised accounts from over 700 major data breaches, including LinkedIn, Adobe, Dropbox, Yahoo, Facebook and many more.

How to use Have I Been Pwned?

The check is simple, fast and completely free:

  • Step 1: go to haveibeenpwned.com
  • Step 2: enter your email address in the search field
  • Step 3: click "pwned?" to run the check
  • Step 4: the site tells you whether your email appears in known breaches and which ones

If your email address has been compromised, the site displays in red the list of breaches in which it appears, with the date of each breach and the types of data exposed. If it is safe, the result is displayed in green.

Good to know: Have I Been Pwned does not store passwords in plain text. The password check relies on hashing combined with a k-anonymity model, so your password is checked against breached data without ever being transmitted in full over the internet.

The biggest data breaches on record

| Breached service | Year | Accounts compromised | Data exposed |
|---|---|---|---|
| Yahoo | 2013-2014 | 3 billion | Emails, passwords, security questions |
| LinkedIn | 2012 / 2021 | 700 million | Emails, passwords, professional data |
| Facebook | 2019 | 533 million | Phone numbers, emails, location |
| Adobe | 2013 | 153 million | Emails, encrypted passwords |
| Dropbox | 2012 | 68 million | Emails, hashed passwords |
| Twitter/X | 2022 | 400 million | Emails, phone numbers |

What signs indicate your email has been hacked?

Beyond checking on Have I Been Pwned, certain signs should put you on alert:

  • You receive registration confirmation emails for services you never signed up for
  • Your contacts receive spam that appears to come from your email address
  • You can no longer log in to your inbox with your usual password
  • You receive login alerts from unknown countries or devices
  • Unauthorised purchases or actions appear on accounts linked to your email
  • Your Sent folder contains messages you did not write

What to do if your email has been compromised?

1. Change your password immediately

If your email appears in a data breach, change your password without delay on the affected service AND on every other service where you use the same password. This is the first action to take.

2. Enable two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security: even if a hacker knows your password, they will not be able to access your account without the temporary code sent to your phone.

3. Use a password manager

A password manager (Bitwarden, 1Password, Dashlane...) allows you to create and store unique, complex passwords for each service, eliminating the risk associated with password reuse.

4. Check your other accounts

If your email has been compromised, immediately check all accounts linked to that address: social networks, banks, online shops, streaming services... Change the passwords on all important accounts.

5. Enable Have I Been Pwned alerts

Have I Been Pwned offers a free email alert service: you will be automatically notified if your email address appears in a new data breach detected by the service.

6. Report to the relevant authority if necessary

If you are the victim of identity theft or fraudulent use of your personal data, you can report the incident to your national data protection authority — such as the ICO in the UK or the FTC in the US.

How to create a truly secure password?

A good password must meet these criteria:

| Criteria | Recommendation | Example |
|---|---|---|
| Length | Minimum 12 characters | The longer the better |
| Complexity | Uppercase, lowercase, numbers, symbols | K#9mP!xL2qR$ |
| Uniqueness | A different password for each service | Never the same twice |
| Unpredictability | No dictionary words, no personal data | No date of birth |

Alternatives to Have I Been Pwned

Other services allow you to check whether your data has been compromised:

  • DeHashed — very comprehensive database, some paid features
  • Firefox Monitor — Mozilla's service based on Have I Been Pwned data
  • Google Password Checkup — built into your Google account, checks your saved passwords
  • Leaked.site — an alternative with a simple and free interface

Your email is safe? Keep it that way

Knowing whether your email has been compromised is one thing, but adopting good cybersecurity habits to prevent it from happening again is another. The rules are simple: a unique password for each service, two-factor authentication wherever possible, and regular checks on Have I Been Pwned.

In a world where data breaches have become almost a daily occurrence, vigilance is no longer optional — it is a necessity. Take two minutes now to check your email address: it is one of the most important actions you can take to protect your digital identity.

Good to know: Have I Been Pwned is used by governments, businesses and millions of individuals worldwide. Its creator Troy Hunt regularly collaborates with law enforcement agencies to analyse data breaches and alert victims.