How to Check If Your Email Has Been in a Data Breach

Published: 13 March 20268 min readBy ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

A friend messaged me last year in a mild panic, she'd just found out her email and password from an old Dropbox account had been sitting on a leaked database for three years. She had no idea. The unsettling part? She'd been using that same password for her online banking. That's when it hit me how few people actually check whether their credentials have been compromised, even though it takes about thirty seconds.

The good news is you can check right now, and the steps to protect yourself are genuinely straightforward. No technical knowledge required.

What Is a Data Breach?

A data breach happens when hackers gain unauthorised access to a company's database containing user information. This can include your email address, password (sometimes in plain text, sometimes encrypted), real name, phone number, physical address, date of birth, and in some cases financial information like credit card numbers. Australians saw this firsthand with the Optus and Medibank breaches, millions of records exposed overnight, including Medicare numbers and sensitive health data.

Once stolen, this data is typically sold on dark web marketplaces or published publicly in data dumps. Attackers use it to try logging into other services with the same credentials (a technique called "credential stuffing"), send targeted phishing emails, commit identity theft, or sell the information to other criminals.

How to Check If Your Email Has Been Breached

The fastest and most trusted way to check is Have I Been Pwned (haveibeenpwned.com), a free service created by security researcher Troy Hunt. The site collects data from known breaches and lets you search by email address.

Step 1: Go to haveibeenpwned.com. This is a safe, widely trusted site recommended by security professionals and government agencies worldwide.

Step 2: Enter your email address and click "pwned?" The site will check your email against billions of breached records.

Step 3: Review the results. If your email has been in breaches, the site will list which ones, when they occurred, and what data was exposed (email, password, name, phone, etc.).

Don't be alarmed if you see several breaches, most people who've been using the internet for years have been caught in multiple breaches. What matters is what you do next.

You can also sign up for free breach notifications. Have I Been Pwned will email you if your address appears in any future breaches, so you can act quickly.

🔍 Want to check a domain or hash?

Use our Threat Intelligence Search to look up domains, IPs, and file hashes against security databases.

Search Threat Database, Free

What to Do If Your Email Has Been Breached

Change your password immediately for the breached service. If you used the same password anywhere else (which you shouldn't, but many people do), change it on those accounts too. This is the most urgent step. No exceptions.

Enable two-factor authentication on the breached account and all your important accounts. Even if an attacker has your password, 2FA blocks them from accessing your account. Read our full guide: What Is Two-Factor Authentication and Why You Need It.

Start using a password manager so every account has a unique, strong password. This way, when one service is breached (and they will be), only that one account is at risk. See our guide: How to Create Strong Passwords You Can Actually Remember.

Watch for phishing attempts. After a breach, attackers may use your leaked information to craft convincing phishing emails. Be extra cautious about emails claiming to be from the breached company or asking you to "verify" your account.

Monitor your financial accounts if the breach included financial data. Check bank statements for unauthorised transactions. Consider placing a fraud alert on your credit report if sensitive information like your Tax File Number or Social Security number was exposed.

I cannot stress this enough, if you are still reusing the same password across multiple accounts in 2026, you are essentially handing attackers the keys to your entire digital life the moment any single service gets breached. It's the one habit that turns a minor incident into a catastrophe, and it's completely avoidable with a password manager. There is no good reason not to use one.

How to Protect Yourself from Future Breaches

You can't prevent companies from being breached, that's outside your control. But you can minimise the damage when breaches happen. Use unique passwords for every account so one breach doesn't compromise others. Enable two-factor authentication everywhere. Use a dedicated email for sensitive accounts like banking and keep a separate one for newsletters, shopping, and sign-ups, I personally keep three email addresses for exactly this reason, and it's saved me more than once when a shopping site got compromised. Minimise the personal information you share with online services, if a field isn't required, don't fill it in. Keep software updated because breaches sometimes exploit known vulnerabilities.

The key principle is damage containment. Assume that any service you use could be breached, and structure your security so that a single breach has minimal impact.

Frequently Asked Questions

What is a data breach?

A data breach occurs when unauthorized people access a company's database containing user information, emails, passwords, names, and other personal data. They happen through hacking, misconfigured servers, insider threats, or software vulnerabilities.

Is Have I Been Pwned safe to use?

Yes. It's a trusted, free service by security researcher Troy Hunt. It doesn't store or expose your password, it only checks if your email appears in known breach databases. Recommended by security professionals worldwide.

How often do data breaches happen?

Constantly. Thousands of breaches occur each year, exposing billions of records. Major companies like LinkedIn, Facebook, Yahoo, and Marriott have all been breached. Most long-time internet users have been affected multiple times.

Should I change my password after a data breach?

Yes, immediately. Change the password for the breached service and any other account where you used the same password. Enable two-factor authentication and monitor for unauthorized activity.

What It Comes Down To

Go check haveibeenpwned.com right now, seriously, open a new tab and do it before you forget. Then set up a password manager this weekend, turn on two-factor authentication for your email and banking, and sign up for breach notifications. It's maybe an hour of work that protects you for years. My friend who got caught out? She did all of this the same day I showed her, and when another breach hit a service she used six months later, the damage was zero because every password was unique. That's the whole point.

Data Breach Email Security Password Safety Cybersecurity Online Safety

Want to check what threats are linked to a domain or IP?

Search our threat intelligence database for indicators of compromise, free and instant.

Search Threat Intelligence

Sources & Further Reading

Related Articles

How to Create Strong Passwords
Update your passwords straight after finding a breach.
Two-Factor Authentication (2FA)
Enable 2FA immediately on any compromised account.
What Is Phishing?
Breached email addresses are frequently targeted in phishing campaigns.