How to Check If Your Password Has Been Leaked

Learn how to find out if your passwords were exposed in a data breach. Step-by-step guide to using Have I Been Pwned, Google Password Checkup, and what to do if your credentials are compromised.

LOCK.PUB
2026-01-05

Data breaches happen constantly. Major companies, small apps, and online services get hacked, and millions of usernames and passwords end up circulating on the dark web. The unsettling truth is that some of your credentials may already be out there — and you might not know it.

This guide walks you through how to check whether your passwords have been exposed, which tools to trust, and exactly what to do if you find a compromised account.

Why You Should Check for Leaked Passwords

When a company suffers a data breach, the stolen data often includes email addresses and hashed (or sometimes plaintext) passwords. Attackers use this data for:

  • Credential stuffing — Trying your leaked email/password combo on hundreds of other sites
  • Targeted attacks — Using your information to craft phishing emails
  • Account takeover — Accessing your email, banking, or social media accounts directly

If you reuse passwords across services, a single breach can cascade into a much larger problem.

Tool 1: Have I Been Pwned (HIBP)

Have I Been Pwned is the most widely trusted breach-checking service, created by security researcher Troy Hunt. It aggregates data from known breaches and lets you search by email address.

How to use it

  1. Go to haveibeenpwned.com
  2. Enter your email address
  3. Click "pwned?"
  4. Review the list of breaches your email appeared in

What the results mean

  • Green ("No pwnage found") — Your email was not found in any known breach databases
  • Red ("Oh no — pwned!") — Your email appeared in one or more breaches. The page lists which services were breached and what data was exposed (email, password hash, IP address, etc.)

Password-specific check

HIBP also has a Pwned Passwords section where you can check if a specific password has appeared in any breach. This uses a technique called k-anonymity — only a partial hash is sent to the server, so your full password is never transmitted.

Tool 2: Google Password Checkup

If you use Google Chrome or have a Google account, Google's Password Checkup is built into your workflow.

How to use it

  1. Go to passwords.google.com
  2. Sign in with your Google account
  3. Click "Go to Password Checkup"
  4. Click "Check passwords"

Google will scan all saved passwords and flag any that:

  • Appeared in known data breaches
  • Are reused across multiple sites
  • Are considered weak

Advantages

  • Automatically checks passwords saved in Chrome
  • Provides direct links to change compromised passwords
  • Runs continuously in the background if you use Chrome

Tool 3: Built-in Browser and OS Checks

Apple (Safari / iCloud Keychain)

  • Go to Settings > Passwords on iPhone/iPad or System Settings > Passwords on Mac
  • Compromised passwords are flagged with a warning icon
  • Apple checks your passwords against known breach databases automatically

Firefox Monitor

  • Visit monitor.firefox.com
  • Enter your email to check for breaches
  • Sign up for alerts when new breaches include your email

What to Do If Your Password Was Leaked

Finding your credentials in a breach can be alarming, but the steps to fix it are straightforward.

Step 1: Change the compromised password immediately

Log into the affected service and change your password. Use a strong, unique password — at least 12 characters, ideally a passphrase.

Step 2: Change it everywhere you reused it

If you used the same password on other sites, change it on every single one. This is the most critical step, because attackers try leaked credentials across many services automatically.

Step 3: Enable two-factor authentication (2FA)

Turn on 2FA for the affected account and any other important accounts. An authenticator app (like Google Authenticator or Authy) or a hardware key is more secure than SMS-based 2FA.

Step 4: Check for unauthorized activity

Review recent login history, connected devices, and account activity. Look for:

  • Logins from unfamiliar locations or devices
  • Changes to account settings (email, phone number, recovery options)
  • Unauthorized purchases or messages

Step 5: Consider a password manager

If this breach exposed a password you use across multiple services, it is a clear sign to adopt a password manager. Tools like 1Password, Bitwarden, or built-in browser managers generate unique passwords for every account.

How to Prevent Future Leaks

| Practice | Why It Helps |
|---|---|
| Use unique passwords for every account | Limits damage to one service per breach |
| Enable 2FA on all important accounts | Stops attackers even if they have your password |
| Use a password manager | Makes unique passwords practical |
| Monitor your email with HIBP alerts | Get notified as soon as a new breach includes you |
| Never share passwords in plain text | Prevents credentials from sitting in chat histories |

That last point matters more than people realize. Sending a password through Messenger or iMessage means it lives in a chat log indefinitely. If you need to share credentials, use a service like LOCK.PUB to create a password-protected memo with an expiration time. The information disappears after the set period.

How Often Should You Check?

  • Set up HIBP email notifications — You will receive an alert any time your email appears in a new breach
  • Run Google Password Checkup every 3-6 months if you use Chrome
  • Review Apple/Firefox breach warnings when they appear in your settings

Do not wait for a suspicious login notification. Proactive checking is far more effective than reacting after damage has been done.

Common Questions

Is Have I Been Pwned safe to use?

Yes. HIBP is run by Troy Hunt, a respected security researcher. The service does not store your searches, and the Pwned Passwords feature uses k-anonymity so your full password is never sent to the server.

What if my email is in a breach but I have already changed my password?

Your email will still show up in historical breach records. As long as you have changed the password since the breach date and are not reusing it elsewhere, you are protected.

Can I remove my data from breach databases?

No. Once data has been leaked, it cannot be pulled back. The only effective response is to change your credentials and enable additional security measures.

Take Action Now

Check your email at haveibeenpwned.com right now. If any accounts are compromised, change those passwords today. And if you need to share new credentials securely, create a secret memo on LOCK.PUB with an expiration — keep passwords out of chat histories.
