How to Check If Your Password Was Leaked
Checking If Your Password Was Leaked
Data breaches happen regularly, and your email address or password may have been exposed without you knowing. Here is how to check and what to do about it.
What Is a Data Breach?
A data breach occurs when hackers steal information from a company's database. This can include:
- Email addresses
- Passwords (sometimes encrypted, sometimes not)
- Names and personal details
- Credit card information
Using Have I Been Pwned
Have I Been Pwned (HIBP) is a free, trusted service that checks if your email appears in known data breaches.
Check Your Email Address
- Go to haveibeenpwned.com
- Enter your email address
- Click pwned?
- Review the results
If not found:
- Your email was not found in known breaches
- This does not mean you are completely safe, but it is a good sign
If found:
- Your email appeared in one or more data breaches
- Scroll down to see which breaches included your data
- Check what data was exposed (passwords, names, etc.)
Check Your Password
- Go to haveibeenpwned.com/Passwords
- Enter a password you use
- Click pwned?
If not found: The password has not appeared in known breaches, but that does not mean it is strong.
Is it safe to enter my password here?
Yes. HIBP uses a technique called k-anonymity. Your full password is never sent to their servers — only a partial hash that cannot be reversed.
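The k-anonymity lookup described above, as an added example that is not HIBP's own code: the client hashes the password with SHA-1, sends only the first 5 hex characters, and compares the rest locally against the list the server returns. The server side is simulated here with a constructed corpus, and all function names are hypothetical.

```python
import hashlib

# Constructed stand-in for the service's breach corpus: password -> times seen.
# These entries and counts are made up for the example.
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2, "Summer2019!": 1}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix). Only the 5-character prefix leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def server_range(prefix):
    """Simulated server: return every 'SUFFIX:COUNT' line in this prefix bucket."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Constructed decoy in the same bucket: the server sees only the prefix,
    # so it cannot tell which entry (if any) the client was looking for.
    lines.append("0" * 35 + ":7")
    return "\r\n".join(lines)


def breach_count(password):
    """Client: request the bucket by prefix, then match the suffix locally."""
    prefix, suffix = split_hash(password)
    for line in server_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Purple-Elephant-Rides-Bicycles-42"):
        prefix, _ = split_hash(pw)
        print(f"sent to server: {prefix!r}  times seen: {breach_count(pw)}")
```

A count of 0 only means the password is not in the corpus that was checked; it says nothing about its strength.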
Using Google Password Checkup
If you save passwords in Google Chrome:
- Go to passwords.google.com
- Sign in to your Google account
- Click Go to Password Checkup
- Click Check passwords
- Review any compromised, reused, or weak passwords
Using Microsoft Password Monitor
If you use Microsoft Edge:
- Click the three dots menu → Settings
- Click Profiles → Passwords
- Toggle on Show alerts when passwords are found in an online leak
- Edge will notify you if saved passwords appear in breaches
What to Do If Your Password Was Leaked
Step 1: Change the Password Immediately
Change the password on:
- The breached site
- Any other site where you used the same password
Step 2: Use a Unique Password
Create a new, unique password for each account. Never reuse passwords between sites.
Good password tips:
- At least 12 characters
- Mix of letters, numbers, and symbols
- Consider a passphrase like "Purple-Elephant-Rides-Bicycles-42"
Step 3: Enable Two-Factor Authentication
Add 2FA/MFA wherever possible. Even if your password is stolen, attackers cannot access your account without the second factor.
Step 4: Use a Password Manager
Password manager options include:
- Microsoft Authenticator (free)
- 1Password
- Bitwarden (free)
- LastPass
Set Up Breach Notifications
Have I Been Pwned Notifications
- Go to haveibeenpwned.com
- Click Notify me
- Enter your email address
- Verify your email
- You will receive alerts if your email appears in future breaches
Domain-Wide Monitoring
Business owners can monitor all email addresses on their domain:
- Go to haveibeenpwned.com/DomainSearch
- Verify domain ownership
- Receive alerts for any breach involving your domain's email addresses
Common Breaches and What They Mean
LinkedIn (2021)
- 700 million records scraped
- Email addresses, names, job titles exposed
- Passwords were NOT included
Adobe (2013)
- 153 million accounts
- Encrypted passwords exposed (many have been cracked)
- Change any password from 2013 or earlier
Canva (2019)
- 137 million users
- Usernames and encrypted passwords
- Change your Canva password
Staying Safe Going Forward
Regular checks:
- Check haveibeenpwned.com monthly
- Review your password manager for weak/reused passwords
- Unique password for every account
- Enable 2FA on all important accounts
- Use a password manager
- Update passwords for critical accounts annually
Need Help?
If you discover your accounts have been compromised, contact helpdesk@netlumait.com.au or call 1300 521 162 for assistance securing your accounts.