Have I Been Pwned (HIBP)

Have I Been Pwned (HIBP) is a free service operated by Australian security researcher Troy Hunt since 2013. Aggregates publicly-disclosed data breaches into a searchable database. Around 13 billion compromised accounts indexed across 750+ documented breaches as of 2026. Lets users check whether their email addresses or phone numbers appeared in any indexed breach, and whether specific passwords appear in the leaked-password corpus.

What it means in practice

HIBP’s structural value is twofold. For users, it is the lookup tool that makes the breach corpus actionable: search your email, see the breaches you appeared in, rotate the affected passwords. For developers and security teams, the Pwned Passwords API lets services check (via k-anonymity hash range queries) whether a user’s proposed password has been seen in any breach without HIBP receiving the password itself. Major password managers (1Password, Bitwarden, Proton Pass) integrate the API for breach monitoring. The operational rule: a password that appears in HIBP’s corpus is compromised; an email that appears suggests the accounts using that email need attention; a phone number that appears suggests SIM-swap risk.

Who uses it, and how

Used by: hundreds of millions of consumers running self-checks, security teams at thousands of organizations integrating Pwned Passwords into account-creation and password-change flows, journalists covering breaches and using HIBP as the source-of-truth on what was exposed, and the password-manager industry as the breach-monitoring substrate. The service runs on Cloudflare donation-supported infrastructure; Troy Hunt has resisted multiple acquisition attempts to keep the service independent and free for individual users (paid tiers exist for organizations querying domains they own). Predaxia’s editorial position: HIBP is the highest-leverage privacy tool that costs nothing and runs in 30 seconds; every reader should run their email addresses through it quarterly.

What you can change today

Visit haveibeenpwned.com, search each email address you use (primary, work, recovery email, plus any old addresses you remember). Note which breaches affected you. For each breach where the password is indicated as exposed (the result will say so), rotate that password at the affected service and at any other service where you reused it. Set up “Notify me” with each of your email addresses so future breaches generate an alert email. Repeat the search annually or when major news indicates a breach affecting a service you use; HIBP usually adds the index within days of public disclosure.

Related articles