Has Your Password Been Leaked?
Check against 14+ billion breached credentials. Your password never leaves your browser.
How Data Breaches Work
Data breaches expose user credentials when attackers compromise a service's database. The leaked data typically includes email addresses and password hashes. If the hashing was weak (MD5, unsalted SHA-1), attackers crack the plaintext passwords within hours.
Major breaches include: LinkedIn (2012, 164M accounts, SHA-1 unsalted), Adobe (2013, 153M accounts, 3DES encrypted), Collection #1 (2019, 773M unique emails), and thousands more.
Credential Stuffing: Why Leaked Passwords Are Dangerous
When your password leaks from one service, attackers automatically try it on hundreds of other services — Gmail, Amazon, Netflix, banks. This is called credential stuffing, and it works because 65% of people reuse passwords.
If this tool finds your password in breaches, every account using that password is at risk — not just the breached service.
What to Do If Your Password Was Breached
- Generate a new, unique password for every account that used the breached password
- Enable 2FA on all important accounts (email, banking, social media)
- Check your email at haveibeenpwned.com to see which services were breached
- Start using a password manager to maintain unique passwords for every service
- Monitor accounts for unauthorized access in the days following a breach
The k-Anonymity Privacy Model
We use the same privacy model as 1Password, Bitwarden, and Firefox Monitor. Here's exactly what happens when you check a password:
- Your browser computes the SHA-1 hash of your password locally (e.g., 5BAA6...E4F4C)
- Only the first 5 characters (5BAA6) are sent to the HIBP API
- The API returns ~500 hash suffixes matching that prefix
- Your browser checks if the remaining 35 characters of your hash appear in the list
Roughly 500 leaked hashes share any given 5-character prefix, and so do countless passwords that were never leaked, so the API cannot tell which password you're checking. That is the k-anonymity guarantee: the server only learns that your hash is one of the many sharing that prefix, never the full hash or the password itself.
Frequently Asked Questions
Is it safe to type my password into this tool?
Yes. Your full password never leaves your browser. We hash it locally using SHA-1, then send only the first 5 characters of the hash (out of 40) to the Have I Been Pwned API. This is called the k-anonymity model — the API cannot determine your actual password from a 5-character prefix.
How does the k-anonymity model work?
1) Your password is SHA-1 hashed locally. 2) Only the first 5 hex characters of the hash are sent to the API. 3) The API returns ~500 hash suffixes matching that prefix. 4) Your browser checks if your complete hash suffix appears in the returned list. The API never sees your full hash or password.
What does it mean if my password is "found"?
It means your exact password appeared in at least one publicly leaked database. The count shows how many breaches contained it. You should change this password immediately on every account where you use it, and never use it again.
What if my password is "not found"?
It means your password doesn't appear in the Have I Been Pwned database (currently 14+ billion records). This is good, but doesn't guarantee security — it could still be weak. Check its strength too.
Where does the breach data come from?
Have I Been Pwned (HIBP) is a service created by security researcher Troy Hunt. It aggregates data from publicly disclosed data breaches. The database contains over 14 billion compromised credentials from breaches including LinkedIn, Adobe, Dropbox, and thousands of others.
What should I do if my password was leaked?
1) Generate a new, strong password immediately. 2) Change it on every account where you used it. 3) Enable 2FA on all important accounts. 4) Check if your email was also compromised at haveibeenpwned.com. 5) Use a password manager to maintain unique passwords going forward.