How to check if your password or email has been leaked

Companies get hacked all the time, and when they do, their users’ email addresses and passwords often end up dumped online. Criminals then take those leaked details and try them on other sites, banking on the fact that most people reuse passwords. This trick is called credential stuffing, and it’s why a leak at one company can put all your accounts at risk. The good news: you can check whether you’ve been caught up in a known breach in about a minute.

Replacing a leaked password? Test the new one with our password strength checker before you save it — it shows how long it would take to crack, right in your browser.

Check your email with Have I Been Pwned

The best-known tool is Have I Been Pwned (haveibeenpwned.com). It’s free, it’s run by a respected security researcher, and it’s trusted enough that browsers and even some governments use its data.

  1. Go to haveibeenpwned.com.
  2. Type in your email address and search.
  3. It tells you whether your address has appeared in any known data breaches, and which ones.

You’re only entering an email address, not a password, so it’s safe to use. If you want, you can also sign up to be notified automatically if your email turns up in a future breach.

Checking a password

Have I Been Pwned also has a “Pwned Passwords” feature that tells you if a specific password has appeared in breaches. It’s built so the site never actually sees your full password. Most password managers and modern browsers (like Chrome’s Password Checkup and Apple’s security recommendations) now do this for you in the background and flag any weak or leaked passwords automatically.

Check a password right now: our free breach checker uses that same Pwned Passwords data — privately, in your browser. Only a partial fingerprint is ever sent, never your password, and it shows exactly how many times a password has turned up in breaches.

Other ways to check

Have I Been Pwned is the best known, but it is not the only option:

  • Mozilla Monitor (formerly Firefox Monitor) gives a friendly breach report and also offers paid data-removal. It draws on the same underlying breach data.
  • Your browser or password manager. Chrome’s Password Checkup, Apple’s compromised-password alerts, and managers like Bitwarden and 1Password all flag leaked passwords for you automatically in the background.
  • NextDNS and some security suites include breach monitoring too.

Use whichever suits you. Most of them lean on the same breach databases, so the main thing is simply that you check.

What to do if you’ve been breached

Seeing your email in a breach is common and not a disaster, but act on it:

  1. Change the password for any breached account straight away.
  2. Change it anywhere you reused it. This is the important one, and it’s exactly why reusing passwords is so risky.
  3. Turn on two-factor authentication on those accounts, especially your email.
  4. Switch to a password manager so every account gets its own unique password from now on. See how to set up a password manager.

Start with your email account. If your email password has leaked and you've reused it, a criminal can reset the passwords on everything else. Fix that one first.

If a breach leads to a scam or money being taken, our guide on what to do if you’ve been scammed walks through the urgent steps. More in our password section.