
How to Check If Your Data Was Leaked (And What to Do About It)

May 15, 2026 · 7 min read · By topriv

Here's an uncomfortable truth: your personal data has almost certainly been leaked. Maybe it was a social media platform you signed up for in 2014. Maybe it was a food delivery app, a gaming service, or a company you don't even remember creating an account with. Somewhere, at some point, a database with your email, password, or phone number was stolen - and it's probably floating around the dark web right now.

The good news? You can check. And more importantly, you can do something about it. This guide walks you through exactly how to find out if your data has been compromised, which tools to use, and what concrete steps to take right now to protect yourself.

The scale of the problem

Before we dive in, let's put data breaches into perspective. This isn't a hypothetical risk - it's a statistical certainty for most internet users.

16.7B: Records exposed in data breaches since 2020

73%: Of people reuse passwords across multiple accounts

$4.88M: Average cost of a data breach in 2025

The sheer volume of breached data means that if you've been using the internet for more than a few years, at least one service you used has been compromised. In 2024 alone, major breaches hit AT&T (73 million records), Ticketmaster (560 million), and National Public Data (2.9 billion records including Social Security numbers). These aren't small, obscure companies. They're household names with massive security budgets.

The problem compounds because of password reuse. When 73% of people use the same password across multiple sites, a single breach can cascade. Attackers take stolen credentials from one breach and automatically test them against banking sites, email providers, and social media platforms - a technique called credential stuffing. One leaked password can unravel your entire digital life.

How to check if you've been breached

The most reliable way to check is surprisingly simple. Follow these five steps to find out exactly which of your accounts have been compromised.

1. Visit haveibeenpwned.com

Head to Have I Been Pwned (HIBP), a free service created by security researcher Troy Hunt. It aggregates data from publicly known breaches and lets you search by email. The site has indexed over 14 billion breached accounts from 800+ breaches.

2. Enter your email address

Type in the email address you use most frequently. If you have multiple emails (personal, work, old accounts), check each one separately. The search is instant and completely free - HIBP never stores or logs the emails you search for.

3. Review which breaches you appear in

HIBP will list every known breach that includes your email. For each breach, you'll see the company name, when it happened, how many accounts were affected, and what data was exposed (email, password, phone number, physical address, etc.).

4. Check each breached service

Go through the list one by one. Do you still have an account with that service? Do you still use the same password? Was sensitive data like your phone number or home address included? Prioritize services where financial or identity data was leaked.

5. Change compromised passwords immediately

For every breached account that you still use, change the password right now. Use a unique, strong password for each service. If you used that same password anywhere else, change it there too. Enable two-factor authentication wherever available.

"I checked my personal email and found it in 14 different breaches. Fourteen. Including services I'd completely forgotten about. That's not unusual - it's average."

Best tools for checking data leaks

Have I Been Pwned is the gold standard, but it's not the only option. Here are the best tools available for checking whether your data has been compromised, each with different strengths.

Have I Been Pwned (Free)

The most comprehensive breach database available. Search by email or phone number. Also checks if your password has appeared in any known breach via the Pwned Passwords feature. Trusted by governments and enterprises worldwide.

Firefox Monitor (Free)

Mozilla's breach monitoring tool, powered by HIBP data. Integrates directly with your Firefox account and sends automatic alerts when your email appears in a new breach. Great for passive, ongoing monitoring.

Google Password Checkup (Free · Google Account)

Built into Chrome and your Google Account settings. Automatically scans your saved passwords against known breaches and flags weak, reused, or compromised credentials. Accessible at passwords.google.com.

DeHashed (Paid · From $5.49/mo)

A deep search engine for breached data. Search by email, username, IP address, name, phone, or even password hash. Preferred by security professionals and investigators for thorough exposure analysis.

Breach Notification Alerts (Free · Multiple Providers)

Don't just check once - set up ongoing alerts. HIBP, Firefox Monitor, and Google all offer free email notifications when your data appears in a new breach. Apple also provides alerts through iCloud Keychain. Sign up for at least one of these services so you're notified automatically instead of having to remember to check manually.

What to do if your data was leaked

Finding your email in a breach list can be alarming, but don't panic. Most breaches expose hashed passwords (not plain text), which gives you time to act. The key is to move quickly and systematically. Here's what matters most.

Change your passwords - but do it right. Don't just add "123" to the end of your old password. Generate a truly random password of at least 16 characters using a password manager like Bitwarden, 1Password, or KeePass. Every account should have a completely unique password. If you're thinking "I can't remember all those passwords," that's exactly the point - your password manager remembers them for you.

Enable two-factor authentication (2FA) on everything. Even if an attacker has your password, 2FA adds a second barrier. Use an authenticator app (like Authy or Google Authenticator) instead of SMS-based 2FA when possible, since phone numbers can be SIM-swapped. For your most critical accounts - email, banking, cloud storage - consider a physical security key like a YubiKey.

Check whether your phone number was also leaked. Phone numbers in breach databases lead to SIM-swapping attacks, targeted phishing via text (smishing), and robocall spam. If your number was exposed, contact your carrier and ask about adding a PIN or security freeze to your account to prevent unauthorized SIM swaps.

If financial data was exposed, act immediately. Contact your bank to flag potential fraud. Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion). A credit freeze is free and prevents anyone from opening new accounts in your name. Monitor your bank and credit card statements closely for the next several months.

Watch out for fake breach notifications

Warning: Phishing emails disguised as breach alerts

Ironically, one of the most common scams exploits the fear of data breaches. Attackers send emails that look like legitimate breach notifications - claiming your account was compromised and urging you to "click here to reset your password." The link leads to a fake login page designed to steal your actual credentials.

How to tell the difference: Legitimate breach notifications never ask you to click a link to "verify" your account. They tell you what happened and recommend you visit the service directly (by typing the URL yourself) to change your password. If an email pressures you with urgency, uses generic greetings like "Dear Customer," or comes from a suspicious sender address, it's almost certainly a phishing attempt.

When in doubt, go directly to the website by typing the URL into your browser. Never click links in breach notification emails.
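The warning signs listed above can be turned into a rough triage script for a saved email. This is an added example, not part of the original article; the regular expressions, the function names, and the constructed sample message (using reserved example.com and .test domains) are assumptions, and it only handles plain-text, single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended|act now)\b", re.I)
GENERIC = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)
VERIFY = re.compile(r"\b(verify|confirm|reset)\b[^.\n]{0,60}\b(account|password)\b", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_matches(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw_email, service_domain):
    """Return the warning signs found. An empty list is not proof of legitimacy."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()  # assumes a plain-text, single-part message
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    signs = []
    if not host_matches(sender_host, service_domain):
        signs.append("sender domain is not " + service_domain)
    if GENERIC.search(body):
        signs.append("generic greeting")
    if URGENCY.search(body):
        signs.append("urgency pressure")
    links = LINK.findall(body)
    if links and VERIFY.search(body):
        signs.append("asks you to click a link to verify or reset")
    off = [u for u in links if not host_matches(urlparse(u).hostname, service_domain)]
    if off:
        signs.append("link leaves the service's domain: " + off[0])
    return signs

# Constructed sample message, not a real email.
PHISH = """\
From: "Example Security" <alerts@examp1e-support.test>
Subject: Your account was compromised

Dear Customer,

Your account was found in a breach. Verify your account immediately:
https://example.com.login-check.test/reset
"""

if __name__ == "__main__":
    for sign in triage(PHISH, "example.com"):
        print("-", sign)
```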

How to prevent future leaks

You can't stop companies from getting breached - that's their responsibility. But you can dramatically limit the damage when it happens. Think of it as building layers of defense. Here's your action checklist:

The last point is worth emphasizing. Even if a service you use gets breached, encrypted files remain unreadable without the decryption key. If you'd encrypted a tax document before uploading it to cloud storage, a breach of that cloud provider wouldn't expose your financial data. The attackers would get nothing but scrambled bytes.

Encrypt your files as a last line of defense

Data breaches are inevitable. No matter how carefully you choose services or how strong your passwords are, you're ultimately trusting someone else's security team to protect your data. That trust gets broken constantly.

The only way to truly protect sensitive files is to encrypt them before they leave your device. If a server gets breached, the attackers get encrypted gibberish instead of your personal documents.

That's exactly why we built the .priv encryption format. It's open source, uses AES-256-GCM encryption (the same standard used by intelligence agencies), and works entirely on your device. Your encryption key never touches a server. No account required. No data collection. Just pure, local encryption.

Use PrivConvert to encrypt any file - PDFs, images, documents, spreadsheets - into a .priv file before uploading it anywhere. Even if the storage provider gets breached, your files stay locked. Only someone with your key can open them.


In a world where 16.7 billion records have been exposed and counting, encryption isn't paranoia - it's common sense. Check your accounts today, lock down what's been compromised, and start encrypting what matters most. Your future self will thank you.

topriv builds privacy-first digital tools.