Use this feature to check whether your email address, phone number, or password has ever been compromised from an online service and leaked publicly by criminals.
Our search function allows you to check details for over 11 billion accounts compromised from 522 confirmed breached websites.
Data breaches have been going on for as long as the Internet has been in public use, and the number of breaches increases each year. In 2020 alone, nearly 4,000 individual data breaches (of emails, passwords, phone numbers, etc.) were publicly reported, resulting in billions of records containing personal data being compromised. Source: https://www.varonis.com/blog/data-breach-statistics
The statistics show that the average time for a breach to be identified is 228 days, which means attackers could potentially use stolen personal data for over seven months before the theft of that data was known. One way for individuals to limit the potential impact of data breaches is to check whether their details have been compromised.
The Have I Been Pwned website has collated stolen personal information, including email addresses and other compromised data, that has appeared on the Internet, and you can check it using our simple search function. You can check whether your email address is compromised and part of one of the many leaked breach datasets, and see whether any of your passwords have been compromised (pwned). Our search facility accesses the database of aggregated breach data and makes it easy to understand the risks you may face if you are affected.
Remember, if the search results show that your personal information like email or password has been compromised, don't panic.
Not all stolen personal data is included in the database we use. Only compromised leaked personal data that attackers have published on public-facing internet sites and identified as being credible is included. Criminals will usually not publish high-value personal data such as credit card details until they have attempted to exploit the information for fraudulent purposes. Often, stolen data is never revealed, especially if the thieves are a foreign state agency rather than common criminals. Data stolen from recent breaches may also not be published right away. This is why it is essential to follow good security practices, even if the search results give the all-clear for your email address.
Also, not all usernames are unique. If the username for an online service is not an individual email address, then there is a chance that someone else may have chosen a username that you regularly use. This can result in your username being listed against a breached service that you have never knowingly used.
The data breach database demonstrates just how common it is for users to choose and reuse weak passwords that are easy to guess or crack. A look at the most common passwords in the database reveals just how easy we make it for the hackers: “123456”, “111111”, and “password” are all in the top 10.
The problem is with us; humans are not built to recall dozens of different complex passwords, especially ones that are used only infrequently. Research by a password manager provider in 2020 reported that the average person in the US had around a hundred different passwords to remember. So, it’s no wonder that people employ the same password across various accounts or resort to using simple-to-guess passwords associated with family or pet names. Before social media, passwords based on such words offered a moderate level of security, as this information would be unknown to strangers. Now that everyone posts photos and updates online, even obscure information such as a pet’s name is out in the open for a hacker to find in seconds.
The official advice for passwords was always to use long strings of characters that included upper and lower case letters, numbers, and special symbols. The guidance was also that these passwords should be changed regularly to increase security. The idea was that this would protect against dictionary attacks by making the time needed by a hacker to guess the password sufficiently long that it would deter them from trying. A dictionary attack is simply using a computer to try every word that appears in a dictionary for the user’s preferred language. Most languages have a limited number of words, so this process is relatively fast, even if all possible combinations of upper and lower case letters are used or typical number-to-letter substitutions (1 replaces an ‘L,’ 5 replaces an ‘S’) are considered. Even for countries with multiple possible languages, checking two or three different dictionaries will only take around two or three times longer.
In the meantime, computing power has increased to the point where trying every possible character combination of a short password string can be completed reasonably quickly to effectively make random letters no more secure than a word from the dictionary. Increasing the password length will counter this but make the password even more difficult to remember. Meanwhile, in a few years, computing power will have improved to the point where password length needs to be increased again. Thus, there will only be one winner in the race of human memory versus computing throughput, and it isn’t us. Indeed, quantum computing developments may well see a dramatic step-change in processing speeds that make passwords, as we know them, too insecure. When this happens, it will probably be best to skip straight to the section covering password managers.
The latest advice is to simply create a password from three or four unrelated words. This is far simpler to remember and just as secure as random characters. Which of these do you think you could recall in a couple of weeks...?
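To put numbers on the argument above (random characters versus a few unrelated words), here is an added example that is not part of the original page. It computes the entropy of each scheme and the worst-case time to exhaust it at an assumed guess rate, and generates both kinds of password with Python's `secrets` module. The twelve-word list and the guess rate are constructed stand-ins; a real passphrase would draw from a list of thousands of words.

```python
import math
import secrets
import string

# Constructed word list for demonstration only (assumption: a real passphrase
# generator would use a published list of several thousand words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orange", "river",
                "quiet", "planet", "copper", "wander", "lantern", "velvet"]

# Printable ASCII letters, digits and punctuation: 95 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(dictionary_size: int, words: int) -> float:
    """Bits of entropy for `words` words drawn uniformly from a dictionary."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def random_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Random-character password using a cryptographically secure source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Word-based password: `words` words chosen uniformly from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for an offline attack (constructed)
    for label, bits in [
        ("8 random chars, 95-symbol alphabet", entropy_bits_random(95, 8)),
        ("lower-case word from 100k-word dictionary", entropy_bits_passphrase(100_000, 1)),
        ("4 words from 7,776-word list", entropy_bits_passphrase(7776, 4)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years")
    print("example password:  ", random_password(12))
    print("example passphrase:", random_passphrase(4))
```

The comparison shows why the newer advice holds: four words from a 7,776-word list carry about 52 bits, roughly the same as 8 characters from the full 95-symbol alphabet, while a single dictionary word is a few hundred thousand guesses at most.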
The only problem is that technology is lagging behind the advice. For example, some websites and services are still insistent that passwords include upper and lower case letters, numbers, and special symbols.
When users are forced to create passwords that comply with complicated automated rules, human nature is to look for a shortcut. So they devise a method that meets all the constraints but is often less secure than if they were free to use a password of choice.
For example, “Password1!” will comply with the majority of password complexity rules, and websites will often report that it is “strong” because it follows their rules, but clearly, it’s not secure.
There are many reasons why passwords are compromised, usually because hackers have stolen information directly from users or from the services the passwords relate to. Below are a few of the more common reasons that passwords end up in a breach database.
Malicious computer programs running on a user’s computer can monitor what the user is doing and recognize when a username and password are entered. Keylogging programs record what the user is typing and capture any passwords they provide to a service. Network monitoring programs can capture the password string when transmitted from the user’s device to a website or online service unless the traffic is adequately protected using encryption. These passive monitoring techniques allow hackers to remotely gather usernames and passwords risk-free for later use. Unless the presence of the malware is detected using security software or network monitoring techniques, passwords can be collected indefinitely.
One method used by hackers to collect access credentials is to set up a fake website that imitates a legitimate service and tricks visitors to the phony website into entering their username and password. The more devious hackers will seamlessly and transparently pass the access credentials on to the legitimate service, so the user is unaware that their login details have been compromised. This gives the hackers the ability to use the stolen credentials whenever they want at a future date. The challenge with this technique is to encourage users to visit the fake website. Often this technique is used in conjunction with phishing emails that link to the website. If the duped visitor is unlucky, they may be tricked into downloading malware while their login credentials are stolen.
Most online services have an option for the user to gain access if they have forgotten their password. Often just one click will result in an email being sent to the user with a new password clearly written in plain text. Anyone able to intercept the email traffic to the user can then take control of the account in seconds. Sometimes, the email will contain a link that needs to be clicked, allowing the user to change their password without knowing the old one. Again, a hacker able to intercept emails can use this to take control. With these options, online businesses are prioritizing easy access to their services over user security. In such cases, secure multi-factor authentication is essential to counter the weakness in the password reset mechanism.
We all have favorite passwords that we have used for years and that are simple to remember even though they are reasonably complex. It’s easy to fall into the trap of thinking it’s better to reuse this memorable password than to create a new one that probably will not be as complex, because we need to remember it. If the only threat was hackers trying to guess passwords using intelligence gleaned from social media or brute force attacks, this might be a valid argument. Unfortunately, passwords can also be compromised when the service they relate to is attacked and it turns out the service has not stored the passwords as securely as it should have.
Some websites have been known to store passwords as plain text, meaning anyone hacking into the system can see everyone’s username and password with no further effort required. In addition, some websites correctly store the passwords using encryption and hashing techniques but do not use a sufficiently secure algorithm for the encryption or hashing process. This allows the hacker to reverse engineer the password from the stored version relatively quickly.
While storing unprotected passwords is frowned upon, it’s still not unknown for this to occur. The database of breached passwords is full of examples where the plain text passwords were stolen. Often this happens where websites are managed by people with insufficient IT knowledge to secure their systems. In practice, there is no reason why any system should ever store a password, whether that is in plain text or using some form of encryption. Services just need to validate that the password entered by the user is correct, which can be achieved by comparing a hash of the entered password with a stored hash.
There are lots of hashing algorithms available, though some are more secure than others. Weaknesses in the algorithms used have enabled sophisticated hackers to reverse engineer passwords from a hash copy. The Message Digest algorithm MD5 and Secure Hash Algorithm SHA-1 were in everyday use until relatively recently, and quite a few online services still use them. Unfortunately, flaws in the algorithms mean that the protection they offer is now considered relatively weak. Argon2id, scrypt, and bcrypt are considered the best hashing algorithms if they are configured correctly. Any website or online service that uses a password-based authentication mechanism should be more than happy to tell you which they operate. Beware the sites that keep this information secret, as they may be hiding the fact they use an insecure algorithm.
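The storage model described above (never keep the password, keep only a salted hash from a slow algorithm, and compare hashes on login) is shown here as an added example; it is not code from the page or from any service it mentions. It uses scrypt from Python's standard library with commonly cited interactive-login work factors (an assumption to be tuned per deployment), rejects registrations whose password appears in a known-breached list, and keeps an unsalted MD5 function alongside only to show why that scheme exposes every user who reused a password. The three-entry breached list is constructed from the top-10 passwords the page names.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password corpus: SHA-1 digests of the
# three top-10 passwords named in the article. A real check would consult a
# full breach dataset (assumption), but would still compare digests, not plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "111111", "password")
}

# scrypt work factors (assumption: N=2^14, r=8, p=1 is a common interactive-login
# baseline; raise N as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def is_breached(password: str) -> bool:
    """True if the candidate password's SHA-1 digest is in the breached set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash and encode it with its parameters for storage."""
    salt = os.urandom(16)  # fresh random salt per password
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def unsalted_md5(password: str) -> str:
    """The weak scheme: fast, unsalted, so identical passwords give identical
    digests and a precomputed table answers them instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def register(password: str) -> str:
    """Registration path: refuse known-breached passwords, store only the hash."""
    if is_breached(password):
        raise ValueError("password appears in a known breach")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct-horse-battery-staple")
    print("stored:", record)
    print("login ok:", verify_password("correct-horse-battery-staple", record))
    print("wrong pw:", verify_password("123456", record))
    # Two users with the same weak password: MD5 links them, scrypt does not.
    print("md5 equal:", unsalted_md5("123456") == unsalted_md5("123456"))
    print("scrypt equal:", hash_password("123456") == hash_password("123456"))
```

Note that the stored string carries its own work factors, so they can be raised later and old records re-hashed at the user's next login; the verify routine reads the parameters from the record rather than assuming the current constants.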
Sharing one password among several people is prevalent in businesses where several staff members need access to a service and, for various reasons, the company has only one account. This is particularly common where licensing fees are on a per-account basis. Having one password known to multiple users increases the probability that it may be disclosed. Also, the plain text password is often shared between users using insecure methods such as email or text messages. Compromising an email or telephone account is far simpler than stealing and decoding a stored password.
Passwords will not be going away anytime soon. They are the only form of authentication that anyone can do with a basic computer with a keyboard, mouse, and monitor. Unfortunately, all the alternatives, such as biometrics, rely on technology that is not available to millions of computer users.
One solution to password weakness is to combine passwords with other means to prove you are who you are. This means that if a password is compromised, the user’s account will often remain secure, allowing the user to change the password before any harm is done.
Multi-factor authentication requires independence between the different information used to log onto a service to be secure. Usually, it should be two things from the list of something you know, something you have, and something you are. Here, the password is something you know. The something you have is typically an authenticator app on a smartphone. The something you are generally is a fingerprint reader or face scanner.
Multi-factor authentication works well in countries where smartphone ownership is almost universal. In addition, these devices include the technology as standard to perform at least one of these functions, with the advantage that if the smartphone is lost or stolen, chances are the user would know straight away, giving a third party little time to try and use the device maliciously. After all, how often do you look at your smartphone?
Something to watch out for is that some websites give an illusion of robust security by asking the user for a password and then specific characters from a memorable word. This is no different from having two passwords: both need to be remembered, and both can be compromised using the same method at the same time, such as with keylogging software. This is not multi-factor.
Also, some systems offer biometric scanners as an alternative to entering a password. However, due to reliability issues with scanning hardware, the system will always allow a password to be used if the scanner cannot authenticate the user. Such a solution, therefore, doesn’t offer additional security over the traditional password system. Instead, it is simply a more convenient alternative to typing a password.
Choosing passwords can be difficult; humans are not designed to be random. A password created seemingly at random will often follow a pattern or be like a previously used password. Computer-based tools are excellent for generating secure passwords, but they won’t solve memorability issues. If used with a password manager to solve the memory problem, then password generators are ideal.
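The "something you have" factor the page attributes to an authenticator app is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the app and the server share a secret, and the code is an HMAC over the current 30-second time step, so a keylogger that captures one code gains nothing reusable. Here is an added example of the server-side computation and check, not code from the page; the shared secret is the ASCII test secret from RFC 6238's own test vectors, and the one-step drift window is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (constructed for the demo;
# a real deployment generates a random per-user secret and shows it as a QR code).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(for_time // step), digits, digestmod)


def verify_totp(secret: bytes, submitted: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps to allow for clock
    drift between phone and server; every comparison is constant-time."""
    counter = int(now // step)
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        # Do not short-circuit, so timing does not reveal which step matched.
        matched |= hmac.compare_digest(expected, submitted)
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("accepted:", verify_totp(DEMO_SECRET, code, now))
    print("stale code accepted:", verify_totp(DEMO_SECRET, code, now + 120))
```

The server must also record the last step at which each user authenticated and refuse a second login with a code from that same step, otherwise a code captured by a keylogger could be replayed within its 30-second lifetime.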
There are many different password managers available, and the best one for you will depend on how you use passwords and what types of devices you use when you need to enter a password.
1Password is a multi-platform application that manages the secure storage of passwords and other sensitive information on a local device and in a centralized storage vault controlled by the developer, AgileBits Inc. The saved data can be shared between devices, reflecting that many users have computers, tablets, and smartphones that all access the same password-protected services. To that end, the application can support integration with services accessed via applications and web browsers. Use of this application requires subscription payment.
Dashlane is a multi-platform application that manages the secure storage of passwords on a local device and in a centralized storage vault controlled by the developer, Dashlane Inc. It also includes a digital wallet application. In addition, the application can support integration with services accessed via applications and web browsers. This application uses the freemium pricing model, with a free-to-use option and a paid premium option.
KeePass is an open-source password manager developed for Windows platforms. The application manages the secure storage of passwords and other sensitive information, including file attachments. Data is stored locally with an option to use a centralized storage vault for multi-user and multi-device support. In addition, the application can support limited integration with services accessed via applications and web browsers through auto-typing features.
Keeper is a multi-platform application that manages the secure storage of passwords, financial information, and sensitive documents on a local device and in a centralized storage vault controlled by the developer, Keeper Security. The application can support integration with services accessed via applications and web browsers. This application uses the freemium pricing model, with a free-to-use option and a paid premium option. In addition to the standard application, the developer also offers multi-tenant password management and secure file storage for businesses.
LastPass is a multi-platform application that manages the secure storage of passwords on a local device and in a centralized storage vault controlled by the developer, LogMeIn Inc. The application can support integration with services accessed via applications and web browsers. This application uses the freemium pricing model, with a free-to-use option and a paid premium option.
NordPass is a multi-platform application that manages the secure storage of passwords on a local device and in a centralized storage vault controlled by the developer, the company behind NordVPN. The cloud-based storage uses a zero-knowledge architecture to ensure security. In addition, the application can support integration with services accessed via applications and web browsers. This application uses the freemium pricing model, with a free-to-use option and a paid premium option.
RoboForm is a multi-platform application that manages the secure storage of passwords on a local device and in a centralized storage vault controlled by the developer, Siber Systems Inc. The application can support integration with services accessed via applications and web browsers. This application uses the freemium pricing model, with a free-to-use option and paid premium options.
Zoho Vault is an enterprise password manager aimed primarily at business clients with user management and password policy functions, including audit records and reporting features. It integrates with business tools such as Office 365 and Salesforce. Use of this application requires subscription payment.
Password managers make handling large numbers of complex passwords easy. This encourages safe practices such as unique passwords for each service, complicated and lengthy passwords based on random characters, and the easy change of a password that may have been compromised.
Password managers are software applications that will never be completely secure, but the risks compared with expecting users to remember passwords will be significantly reduced. To help you, we’ve reviewed the security of these password tools; see here for more details:
A good tip for improving security is using a password management tool to create long, complex random character sequences for each password that all end with the same short common word. Then, when saving each password into the password manager, omit this word. The user then just needs to remember this one word and add it to the password retrieved from the password manager tool to form the complete password. Anyone compromising the password manager would not know what these extra characters are and couldn’t easily use the stolen passwords.