Every few weeks, another headline pops up: millions of customer records stolen, passwords dumped on the dark web, data breach at yet another major service. You read it, think “hopefully that doesn’t involve me” – and keep scrolling.

But what if it already does?

Data breaches aren’t the exception – they’re the norm

The idea that a data breach is something rare, something that only happens to big corporations and only affects careless users, is unfortunately outdated. In reality, billions of records have been stolen over the past several years – from LinkedIn, Adobe, Dropbox, Facebook, and hundreds of lesser-known services.

The stolen data ends up in collections that are traded on the dark web. There you’ll find email addresses, passwords (often as crackable hashes, sometimes in plain text), and occasionally phone numbers and dates of birth – neatly organized and searchable. Criminals use this data for automated attacks: they try the stolen email/password pairs on other services (known as credential stuffing, which works because so many people reuse passwords), send targeted phishing emails, or attempt identity fraud using the personal information.

The insidious part: you don’t notice any of it. There’s no alarm, no notification, no warning light. Unless you check for yourself.

Have I Been Pwned – the best-known breach checker

In 2013, Australian cybersecurity expert Troy Hunt created a service that fills exactly this gap: Have I Been Pwned (HIBP for short – “pwned” comes from gaming slang and roughly means “owned” or “hacked”).

The concept is dead simple: you enter your email address, click “pwned?” – and within seconds you find out whether that address has appeared in a known data breach. If it has, the site tells you which services were affected and what kind of data was stolen – for example passwords, IP addresses, or dates of birth.

I tried it a few years ago for the first time, mostly out of curiosity. The result was sobering: my primary email address showed up in six different data breaches. One of them was an online store I could barely remember ever creating an account with. The password I’d used there? The same one I was using for three other services. An uncomfortable moment of self-awareness.

Is it safe?

The obvious question: can I trust a website that searches for data breaches with my email address? In the case of Have I Been Pwned: yes. The service doesn’t store search queries, doesn’t require registration, and has become one of the most widely recommended security tools in the world. Even the FBI feeds data from seized breach collections to HIBP so that affected users can be warned.

For the password check (more on that in a moment), they even use a particularly privacy-friendly method known as k-anonymity: your password is hashed with SHA-1 – producing a kind of digital fingerprint – locally on your device. Only the first five characters of that 40-character hash are sent to the server. The server responds with every hash suffix it knows that shares those five characters (typically several hundred), each with a count of how often it has been seen, and your browser compares your own suffix against that list locally. So neither your password nor its full hash ever leaves your computer, and the server cannot tell which of the hundreds of candidates you were interested in.

What to do if your address shows up

If Have I Been Pwned reports a hit – and for most readers, it will – that’s no reason to panic at first. It means your email address and possibly a password appeared in a stolen database. Note that the email search tells you which breaches and which data classes were involved, not the password itself. Here’s what to do:

  • Change the password immediately – at the affected service, but also everywhere else you used the same password. Since you won’t be shown the leaked password, assume it was whatever you used at that service at the time of the breach.
  • Give every account its own password – this is the single most important rule. If one service gets hacked and you used a unique password there, the damage stays contained.
  • Use a password manager – nobody can memorize 80 different passwords. Tools like Bitwarden, KeePass, or 1Password handle it for you. A topic we’ll cover in depth in a future post.
  • Turn on notifications – at HIBP you can register your email address and get automatically notified if it turns up in a new data breach.

Other useful checking tools

Have I Been Pwned is the best-known tool, but not the only one. Here’s a quick overview of trustworthy alternatives:

Have I Been Pwned – password check: On the Pwned Passwords page, you can check whether a specific password has appeared in a known data breach. The check uses the hash-based method described above – the password itself is never transmitted. Here’s a sobering stat: “123456” has been seen more than 40 million times in breached data sets. A hit here doesn’t mean your account specifically was breached, only that the password is in attackers’ dictionaries and will be among the first guesses tried.
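To make the hash-prefix (k-anonymity) exchange described in the “Is it safe?” section and used by the Pwned Passwords check concrete, here is an added example client in Python. It is not code from Have I Been Pwned or from this blog. It hashes the password locally, sends only the five-character prefix, and does the matching on the client. The sample range response is constructed for the example (the counts and two of the suffixes are invented; only the format is the real one), so the offline path runs without network access; the `Add-Padding` request header is a real option of the API that makes the response size independent of the prefix.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6,
# the prefix of SHA-1("password"). A real response contains hundreds of
# lines; the counts and the other two suffixes below are invented for this
# example, but the line format (uppercase hex SUFFIX:COUNT) is the real one.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0035AE6A23C5D4A1B0F7E8D9C1B2A3F4E5D:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",  # suffix of SHA-1("password"), invented count
    "FFFFFF0123456789ABCDEF0123456789ABC:0",        # padding entry: count 0 means "not really pwned"
])

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 locally and split the 40-char hex digest
    into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """Scan a range response locally for our own suffix.
    Returns how often the password was seen, or 0 if it is absent or only
    present as a zero-count padding line."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Send only the 5-character prefix to the API. The Add-Padding header asks
    the server to pad the response with zero-count entries so that the response
    size does not reveal how many real hashes share this prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_response: Optional[str] = None) -> int:
    """Full client-side check. Pass range_response to run offline (as in the
    demo below); omit it to query the live API with just the prefix."""
    prefix, suffix = split_hash(password)
    if range_response is None:
        range_response = fetch_range(prefix)
    return count_in_range(suffix, range_response)


if __name__ == "__main__":
    # Offline demo against the constructed sample response.
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        seen = pwned_count(pw, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {seen} times" if seen else "not in this range"
        print(f"{pw!r}: prefix sent = {prefix}, {verdict}")
```

Note that `pwned_count("correct horse battery staple", SAMPLE_RANGE_RESPONSE)` returns 0 here only because the sample covers a single prefix; against the live API, the client fetches the range for that password’s own prefix before matching. The design choice worth copying is that the server never receives anything it could reverse into the password: a five-character SHA-1 prefix narrows the search space to hundreds of candidates, not to one.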

Mozilla Monitor: Mozilla offers Mozilla Monitor, a service built on Have I Been Pwned’s data but wrapped in a clean, user-friendly interface. If you use Firefox, you can get warnings directly in your browser.

Google’s security checkup: If you have a Google account, Google’s Security Checkup will flag any saved passwords that have appeared in known breaches. It also checks whether you’re reusing passwords across sites – practical if you use Chrome’s built-in password manager.

What these tools can’t do

As useful as these services are, they have one important limitation: they only know about known breaches. If your data was stolen in an intrusion that was never made public, or that has been sold privately and not yet reached the researchers who load these databases, it won’t show up in any of them. So the absence of a hit doesn’t mean your data is guaranteed to be safe. It just means it wasn’t found in any known collection at the time you checked – which is why turning on notifications matters more than a single one-off search.

And one more thing: these tools check email addresses and passwords, not your entire digital identity. Whether your credit card number, your Social Security number, or your home address ended up in a breach – you typically won’t find out this way.

Five minutes well spent

Data breaches are, unfortunately, a fact of digital life. We can’t prevent some online service we signed up for ten years ago from getting hacked. But what we can do is regularly check whether our data has been affected – and take the right steps when it has.

The effort is minimal: enter your address, read the result, change any compromised passwords. Five minutes that can save you a lot of trouble down the road.

Here’s my suggestion: try it right now. Head to haveibeenpwned.com, enter your most-used email address – and see what comes up. If you’re feeling brave, test your favorite password on the password checker too.

Were you affected? How many breaches showed up for you? And did you change anything afterward? I’m curious – feel free to share in the comments.

Comments

0
ljc001500@proton.me
2 days ago
Neither of my Proton emails was listed on "haveibeenpwned.com". That is good to know. Thanks for this information.
0
Barry
2 days ago
Good password managers (I use Bitwarden, for example) can also flag if a password is at risk or has been part of a known breach.
0
Ted
2 days ago
This is priceless! I have received emails in the past about data breaches and given a year's subscription to a monitoring service. This website however is something that I can actually use!

Thanks again for taking care of your customers!
0
Etienne
2 days ago
Thank you for this information and for the previous Friday articles.
0
John
2 days ago
I didn't get any compromises on any of my e-mail accounts or passwords so I checked our e-mail server users and one of them had several. So I sent him a note with the URL so he can check his own stuff. Hope he does!
1
Rick
Yesterday
My email address (and name and username) appeared in two 2020 breaches, Gravatar and Covve. I have never used either site. How could I disable a username I never knew?
0
Ricardo Santos
Yesterday
Also happened to me. Breaches from sites I don't remember ever using! I think this HIBP information is not 100% accurate. However, it is better than nothing...
0
Pavel Poliak
Yesterday
Very important information, thank you!
About two years ago I got a feeling that my primary mail was no longer reliable.
I searched for something more reliable and found ProtonMail. Since then my feeling has been much better. And the HIBP utility confirms my feelings.
Actually I switched to software that is:
- reliable
- European
- moving towards a paid service
That means:
- Proton Mail
- Proton Pass
- NordVPN
- FreeOffice from SoftMaker
Thank you for the useful information, I have to look deeper into your Friday news!

Your satisfied user
Pavel Poliak