Email Breach Check
Check whether your email address has appeared in a publicly known data breach. We use a k-anonymity model - Only the first 5 characters of a hashed version of your email are ever sent to any external service. Your full email address stays private.
What To Do If Your Email Was Breached
Finding your email in a breach is alarming, but swift action limits the damage. To understand how these incidents happen in the first place, read our guide on what a data breach is. Follow this checklist:
- Change your password immediately on the affected service and any other site where you reused that password.
- Enable two-factor authentication (2FA) on the affected account and ideally on all important accounts.
- Use a unique password per site - A password manager like Bitwarden or 1Password makes this easy.
- Watch for phishing emails that may reference information from the breach to appear legitimate.
- Check your financial accounts if payment card data was exposed.
- Monitor your credit if personal details like your name, address, or SSN were included.
- Report suspicious activity to the breached service and, if financial fraud occurred, to your bank.
How We Protect Your Privacy
The same k-anonymity technique can also be used for passwords - Our FAQ explains how to check if a password was breached.
| Step | What Happens |
|---|---|
| 1 | Your email is hashed using SHA-1. |
| 2 | Only the first 5 characters of the hash are sent to the breach database API. |
| 3 | The API returns a list of hash suffixes - Never any email addresses. |
| 4 | We check whether your full hash matches any in the returned list - Entirely on our server. |
| 5 | Your full email address never leaves your browser in plain text. |
ⓘ All breach data sourced from haveibeenpwned.com by Troy Hunt, used under the HIBP API.
Frequently Asked Questions
What should I do if my email appears in a data breach?
Change the password on the breached site immediately, and on any other account where you reused the same password. Enable two-factor authentication on important accounts such as email and banking. Watch for targeted phishing - Attackers know which service leaked your address. A password manager makes it practical to use a unique password for every account.
Is it safe to enter my email into a breach checker?
Yes. This checker uses a k-anonymity technique: your address is hashed, and only a short prefix of the hash is sent to the external breach database. The database returns every matching suffix, and the final comparison happens on our side, so your full email address is never transmitted to any third-party API, stored, or logged.
Can my data be removed from a breach?
No. Once a breach is published, copies of the data circulate on forums and dark web markets indefinitely, and no service can recall them. The realistic response is damage control: change exposed passwords, enable two-factor authentication, and treat the leaked details - Email, phone, address - As information attackers may use in future phishing or impersonation attempts.