How to Check If Your Personal Information Has Been Leaked Online
Right now, there is a very good chance that at least one of your email addresses, passwords, or phone numbers is sitting in a database that has been stolen and shared online. Not because you did anything wrong — because companies that had your data got hacked.
Since 2013, over 14 billion account records have been exposed in publicly reported data breaches. LinkedIn, Adobe, Dropbox, T-Mobile, AT&T, Capital One, Equifax, 23andMe — the list is staggering. And those are just the breaches that made the news. Thousands more go unreported or undiscovered for months.
The question is not whether your data has been leaked. It almost certainly has. The question is what has been leaked, where, and what you need to do about it. Here is how to find out in under five minutes.
Step 1: Check Have I Been Pwned
The single best tool for checking data breaches is a free website called Have I Been Pwned (haveibeenpwned.com), created by security researcher Troy Hunt. It aggregates data from every known public breach and lets you search by email address or phone number.
How to use it:
- Go to haveibeenpwned.com in your browser.
- Enter your primary email address in the search box and click "pwned?"
- The site will show you every known breach that included your email address, along with what data was exposed (email, password, name, phone number, IP address, etc.).
- Repeat this for every email address you use — personal, work, old accounts you forgot about.
- Scroll down and click "Notify me" to get an automatic alert if your email shows up in future breaches.
What you will likely see: Most people who have been using the internet for more than a few years will find their email in at least 3-10 breaches. Do not panic. This is normal. What matters is what you do next.
Check Your Passwords Too
Have I Been Pwned also has a password checker at haveibeenpwned.com/Passwords. You can enter any password to see if it has appeared in a known breach database. This does not tell someone your password — the check is done using a cryptographic technique called k-anonymity that keeps your full password private.
If a password you are currently using appears in this database, change it immediately. Attackers use lists of breached passwords in automated attacks against millions of accounts.
Step 2: Understand What Was Leaked
Not all breaches are equal. What was exposed determines your risk level and your response.
Low risk — email address only: Your email is now on spam lists and may be used in targeted phishing attacks. Be extra cautious about suspicious emails.
Medium risk — email + hashed password: Your password was stored as a hash (a one-way scrambled form), not as readable text. If it was a weak password, attackers may have cracked it. If it was a strong, unique password, you are likely fine — but change it anyway.
High risk — email + plaintext password: Your actual password was stored without encryption and is now publicly available. Change this password everywhere you used it. If you reused this password on other sites (most people do), every one of those accounts is compromised.
Critical risk — SSN, financial data, or government ID: This is identity theft territory. You need to freeze your credit, set up fraud alerts, and monitor your accounts actively.
Step 3: Change Compromised Passwords
Here is where most people get overwhelmed. You check Have I Been Pwned, see 8 breaches, and realize you have been reusing the same 3 passwords across dozens of accounts. Changing all of them feels impossible.
A password manager makes this manageable. Instead of trying to remember unique passwords for every account, a password manager generates and stores them for you. You remember one master password. The password manager handles the rest.
The efficient approach to changing passwords:
- Start with your email accounts. Your email is the master key to everything — password resets for every other account go through it. Secure this first with a new, strong, unique password and two-factor authentication.
- Secure financial accounts next. Banks, investment accounts, credit cards, PayPal, Venmo — anything connected to your money.
- Change social media and shopping accounts. Amazon, Facebook, Instagram, and any account that has your payment information stored.
- Work through the rest over time. You do not need to change 150 passwords in one sitting. Set a goal of 5-10 per day until you have covered everything.
Stop reusing passwords — without losing your mind
1Password generates unique, strong passwords for every account and fills them in automatically. It also alerts you when a saved password has appeared in a data breach so you know exactly which accounts need attention. One master password protects everything.
Step 4: Enable Two-Factor Authentication Everywhere
Even if an attacker has your password, two-factor authentication (2FA) stops them from logging in. When 2FA is enabled, logging in requires both your password and a second factor — usually a code from an authenticator app or a physical security key.
Priority accounts for 2FA:
- Email (Gmail, Outlook, etc.)
- Banking and financial services
- Social media accounts
- Cloud storage (Google Drive, Dropbox, iCloud)
- Your password manager itself
Best 2FA methods, ranked:
- Hardware security key (YubiKey) — most secure, phishing-proof
- Authenticator app (Google Authenticator, Authy, 1Password) — very secure, convenient
- SMS text codes — better than nothing, but vulnerable to SIM swapping attacks
Avoid SMS-based 2FA for your most important accounts if an authenticator app is available. SIM swapping — where an attacker convinces your carrier to transfer your phone number to their device — is increasingly common and completely bypasses SMS verification.
Step 5: Check What Personal Information Is Publicly Available
Data breaches are one source of leaked information. Data broker websites are another. Companies like Spokeo, Whitepages, BeenVerified, and hundreds of others compile and sell your personal information — name, address, phone number, email, family members, property records, and more. This information is publicly searchable and available to anyone, including scammers.
Quick check: Google your full name in quotes along with your city. You will likely find yourself on multiple data broker sites with surprisingly detailed personal information.
This data is used for targeted phishing attacks, social engineering, identity theft, and harassment. Removing it is tedious if done manually — each data broker has its own opt-out process, and many re-list your information after a few months.
Remove your personal info from data broker sites
DeleteMe contacts 750+ data brokers on your behalf, submits removal requests, and follows up to ensure your information stays deleted. They send you a quarterly report showing exactly what was found and what was removed. Most people are shocked at how much of their personal data is publicly available.
Step 6: Set Up Ongoing Monitoring
Checking once is not enough. New breaches happen constantly, and your information can be exposed at any time. Here is how to stay ahead of it:
- Have I Been Pwned notifications: Sign up for email alerts at haveibeenpwned.com/NotifyMe. You will get an email whenever your address appears in a new breach.
- Password manager breach alerts: 1Password's Watchtower feature, Dashlane's Dark Web Monitoring, and similar features automatically cross-reference your saved logins against known breaches and alert you.
- Credit monitoring: Free services like Credit Karma monitor your credit reports for suspicious activity. For more comprehensive monitoring, consider a dedicated identity theft protection service.
- Google "Results about you": Google now lets you request removal of search results that contain your personal contact information. Go to myactivity.google.com and look for "Results about you" to set up alerts when your information appears in search results.
What to Do If You Find Sensitive Data Leaked
If your breach exposure goes beyond email and passwords — if your Social Security number, financial account numbers, or government-issued ID has been compromised — take these additional steps immediately:
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). This is free and prevents anyone from opening new accounts in your name.
- Place a fraud alert on your credit reports. This requires creditors to verify your identity before extending credit.
- Check your bank and credit card statements for unauthorized transactions.
- File a report at identitytheft.gov if you believe you are a victim of identity theft. This creates a recovery plan and official documentation.
- Monitor your credit reports weekly using AnnualCreditReport.com, which provides free access.
Key Takeaways
- Check haveibeenpwned.com with every email address you use — most people are in multiple breaches
- Use a password manager to generate and store unique passwords for every account
- Enable two-factor authentication on email, financial, and social media accounts (use an authenticator app, not SMS)
- Remove your personal information from data broker websites to reduce your attack surface
- If your SSN or financial data was leaked, freeze your credit immediately at all three bureaus
- Set up ongoing monitoring so you are alerted the moment your information appears in a new breach
The five minutes it takes to check and the hour it takes to secure your most important accounts could save you thousands of dollars and months of headaches. Do not wait for a fraudulent charge or a hijacked account to force you into action.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.