Billions of usernames and passwords have been stolen in data breaches and are circulating on the dark web right now. You may have accounts in those databases — from a breach years ago that you never knew about — with an old password that you might still be using. Checking whether your password has been leaked is one of the most important security checks you can do: it's free, and it takes less than 2 minutes. This guide shows you every method available, from the best free tool to automated monitoring built into your password manager.
Have I Been Pwned's database currently contains over 13 billion compromised accounts from thousands of documented breaches. Statistically, if you've had the same email address for more than 5 years, there's a high probability at least one of your accounts has appeared in a breach. Check now.
📋 In This Guide
- Method 1: Have I Been Pwned (Free — Best Overall)
- Method 2: Google Password Checkup (Chrome Users)
- Method 3: Apple's iCloud Keychain Monitoring
- Method 4: Password Manager Breach Monitoring (Automatic)
- Check Specific Passwords — The HIBP API
- Dark Web Scan Services
- What to Do If Your Password Was Leaked
- Setting Up Continuous Monitoring
Method 1: Have I Been Pwned — Best Free Breach Check
Have I Been Pwned (HIBP) at haveibeenpwned.com is the gold standard for breach checking, operated by respected security researcher Troy Hunt (a Microsoft Regional Director and MVP). The service maintains a database of over 13 billion compromised accounts from thousands of documented data breaches, updated continuously as new breaches are discovered.
How to Check Your Email
- Go to haveibeenpwned.com in your browser
- Enter your email address in the search field and click "pwned?"
- If your email appears in any known breach, the page turns red and lists each breach with the company that was breached, when the breach occurred, and what data was exposed (email, password, name, phone, etc.)
- If your email is clean, the page turns green with "Good news — no pwnage found!"
- Repeat for every email address you've ever used
Understanding the Results
A breach result doesn't automatically mean your account was compromised — it means your data appeared in a stolen database. The risk level depends on what was exposed:
- Email only: Low immediate risk. Expect more targeted phishing attempts.
- Email + hashed password: Medium risk. If the password was weak, it may have been cracked. Change the password for that service.
- Email + plaintext password: High risk. Change that password immediately everywhere you used it.
- Name + address + phone: Identity theft risk. Consider a credit freeze.
Set Up Free Email Notifications
HIBP offers free email notifications — when a new breach database is published that contains your email, you receive an alert automatically. Click "Notify me" on the HIBP homepage and verify your email. This passive monitoring means you'll know about a breach involving your email within hours or days of it being discovered, rather than months or years later.
Method 2: Google Password Checkup (Chrome Users)
If you save passwords in Chrome or Google Password Manager, Google's Password Checkup tool checks them against breach databases automatically. To access it:
- Go to passwords.google.com
- Click "Check passwords" in the Safety Check section
- Google checks your saved passwords using a privacy-preserving protocol — your actual passwords are never transmitted
- Results show three categories: Compromised (found in breach data), Reused (same password on multiple sites), Weak (short or easily guessable)
Password Checkup runs automatically in the background when you're logged into Chrome — you may already have a notification badge on the password manager icon if issues are detected. This is a useful baseline check, but it only covers passwords saved in Chrome. It does not cover passwords you use in Firefox, Edge, or native apps, or any password you haven't saved in Chrome.
Method 3: Apple's iCloud Keychain Security Monitoring (iPhone/Mac)
Apple's Passwords app (and iCloud Keychain) monitors your saved passwords against data breach alerts using a privacy-preserving protocol similar to Google's. To check on iPhone:
- Go to Settings → Passwords
- If any passwords have been compromised in a known breach, iOS shows a "Security Recommendations" section at the top with the affected accounts listed
- Tap "Change Password on Website" next to any flagged account to fix it
On Mac: open the Passwords app → click "Security Recommendations" in the sidebar. Apple's monitoring is limited to passwords saved in iCloud Keychain — if you use Chrome or Firefox with passwords saved there, those aren't monitored by Apple.
Method 4: Password Manager Breach Monitoring (Automatic — Best Long-Term)
The most comprehensive and automatic breach monitoring comes from dedicated password managers. Unlike browser-based checks that only cover browser-saved passwords, password manager monitoring covers every credential in your vault across all platforms, whether you use Safari, Chrome, Firefox, or native apps.
| Manager | Monitoring Feature | Tier Required | Real-Time Alerts |
|---|---|---|---|
| 1Password | Watchtower | All paid plans | ✓ Push notifications |
| Bitwarden | Vault Health Reports | Premium ($10/yr) | Manual check |
| Keeper | BreachWatch | Add-on ($20/yr) | ✓ Real-time alerts |
| Dashlane | Dark Web Monitoring | Premium | ✓ Push notifications |
| NordPass | Data Breach Scanner | Premium | Manual check |
1Password's Watchtower monitors your vault continuously against Have I Been Pwned's breach database, flags reused passwords, identifies accounts where the site has been breached even if your specific credential wasn't confirmed exposed, and alerts you to accounts that support 2FA but where you haven't enabled it yet. The Watchtower dashboard in the app gives you a health score for your entire vault at a glance.
Keeper's BreachWatch is unique in providing real-time push notifications — within hours of a breach database appearing on the dark web that contains your credentials, you receive a notification. No other manager's monitoring is as fast.
Check Specific Passwords — The Pwned Passwords Database
HIBP also offers a Pwned Passwords check at haveibeenpwned.com/passwords where you can check if a specific password (not tied to your email) has appeared in any breach database. This is useful for checking: your current master password for a password manager, any password you're considering reusing, or a password you've used for a long time.
The check uses a privacy-preserving k-anonymity method — only the first 5 characters of your password's SHA-1 hash are sent to the server, so your actual password never leaves your device. You can safely check any password here without it being exposed in the process.
If a password appears in the database, even once: stop using it immediately everywhere. Attackers use these databases for dictionary attacks, so any password in the Pwned Passwords list is a known quantity to attackers.
Dark Web Scan Services
Several services offer free "dark web scans" that check if your personal information (email, phone number, name) appears on dark web forums and marketplaces. These include:
- Experian Free Dark Web Scan — free one-time check at experian.com/darkweb
- IdentityGuard, LifeLock — paid services with ongoing monitoring
- Credit card/bank identity monitoring — many US banks now offer free dark web monitoring as a card benefit
These services have legitimate value for checking personal information beyond just passwords, but HIBP remains the most comprehensive and trusted free tool specifically for credential breach checking.
What to Do If Your Password Was Leaked
If HIBP or your password manager shows a compromised credential, take these steps immediately:
- Change the password on the affected account — generate a new unique random password using your password manager
- Check every account using the same password — search your vault or browser for the compromised password and change all matches
- Enable 2FA on the affected account if not already active
- Review active sessions on the affected account — log out all devices and re-login with the new password
- Check your email for the affected service — look for unauthorized login notifications or account change confirmations you didn't make
For a complete breach response plan, see our guide on what to do after a data breach.
Setting Up Continuous Monitoring — Never Be Caught Off Guard
Rather than periodically checking manually, set up automated monitoring:
- Have I Been Pwned notifications — free, email alerts for all your addresses. Visit haveibeenpwned.com and sign up under "Notify me."
- Password manager monitoring — any premium password manager monitors your vault automatically. Bitwarden Premium at $10/year includes vault health reports. 1Password's Watchtower is included in all paid plans.
- Google/Apple built-in — passive monitoring for browser/keychain-saved passwords. Enable notifications in settings to receive alerts.
With continuous monitoring set up, you'll know about a breach within hours rather than finding out months later (or never). Combine this with unique passwords on every account (from a password manager), and a breach becomes a 2-minute fix — change one password, done — rather than a cascading emergency.