Your email showed up in a breach. Here's what that means.

Have I Been Pwned (HIBP) is a trusted security tool that tracks data breaches. If your email appeared in their database, here's how to understand your risk and respond appropriately.

First: Check what was exposed

Not all breaches are equal. HIBP shows you exactly what data was compromised in each breach. If you haven't checked yet:

Check your email at haveibeenpwned.com

Is Have I Been Pwned trustworthy?

Yes. HIBP was created by Troy Hunt, a respected security researcher and Microsoft Regional Director. The site doesn't store your email—it just checks if your email hash matches known breach data. It's widely recommended by security professionals and even government agencies.

Response based on what was exposed

Email address only

Stay vigilant

Your email was exposed, but no passwords or personal data.

Watch for phishing emails—attackers know this email is active
Consider using email aliases for new accounts
Optional: Freeze credit as a precaution

Email + Password

Act now

Your login credentials were exposed. Attackers try leaked passwords on other sites.

Change the password for the breached service immediately
Change it everywhere you reused it—this is critical
Enable 2FA on your email and financial accounts
Use a password manager going forward

SSN, financial data, or personal details

Full protection needed

Sensitive data that can be used for identity theft was exposed.

Freeze credit at all three bureaus — see our guide
Get an IRS Identity Protection PIN
Create your Social Security online account
Set up credit monitoring

See our complete breach response guide for the full checklist.

Prevent future exposure

Use a password manager

Generate and store unique passwords for every account. Popular options: 1Password, Bitwarden, Apple Keychain.

Use email aliases

Services like SimpleLogin, Firefox Relay, or Apple's Hide My Email let you create unique addresses for each service. If one gets breached, the others stay clean.