Has Your Data Been Breached? How to Check 2026
Data breaches exposed over 8 billion records in the past year alone. Your email, passwords, and personal data may already be in criminal databases. Here is how to check and what to do about it. Updated March 2026.
Step 1: Check HaveIBeenPwned
HaveIBeenPwned.com (HIBP) is a free service created by security researcher Troy Hunt. It aggregates data from known breaches and lets you search by email address or phone number.
- Go to haveibeenpwned.com
- Enter your email address and click "pwned?"
- The site will show every known breach that included your email, along with what data was exposed (passwords, phone numbers, addresses, etc.)
- Check all your email addresses — including old ones you no longer use
- Sign up for breach notifications — HIBP will email you if your address appears in future breaches
- Use the password checker at haveibeenpwned.com/Passwords to see if any of your passwords have appeared in known breaches (this is safe — it uses k-anonymity and does not send your full password)
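The k-anonymity check mentioned in the last item, sketched as an added example (not code from HIBP or from this guide): the password is hashed with SHA-1 locally, only the first five hex characters are sent to the Pwned Passwords range endpoint, and the returned suffixes are compared on your own machine. The sample response and its counts are constructed, and the User-Agent string is an arbitrary placeholder.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding rows (count 0)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, body):
    """Match the suffix locally against a range response; 0 means not listed."""
    _, suffix = split_hash(password)
    return parse_range(body).get(suffix, 0)

def fetch_range(prefix):
    """Network step: only the 5-character hash prefix leaves the machine."""
    headers = {"Add-Padding": "true",                 # pad the response size
               "User-Agent": "breach-check-example"}  # placeholder value
    req = urllib.request.Request(RANGE_URL + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response for prefix 5BAA6; the counts are made up.
SAMPLE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:4\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\r\n"
    + "F" * 35 + ":0\r\n"                             # padding row
)

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("sent to the service:", prefix)
    print("times seen (sample data):", pwned_count("password", SAMPLE_BODY))
    # Live check: pwned_count(pw, fetch_range(split_hash(pw)[0]))
```

A count of 0 only means the password is not in the known breach data, not that it is strong.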
Step 2: What to Do If You Are in a Breach
If your email appears in a breach, take these steps immediately:
- Change the password for the breached service immediately. Use a password manager to generate a unique, random password.
- Change the password everywhere you reused it. If you used the same password on other sites (most people do), change it on all of them. This is why password reuse is so dangerous.
- Enable two-factor authentication on the breached account and all important accounts. See our 2FA guide.
- Check for unauthorized access: Review recent login activity, connected apps, email forwarding rules, and recovery email/phone settings.
- Watch for phishing: After a breach, attackers often send targeted phishing emails using the stolen data. Be extra cautious of emails referencing the breached service.
Step 3: Identity Theft Prevention
If sensitive data was exposed (Social Security number, government ID, financial information), take additional steps:
- Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). This is free in the US and prevents anyone from opening new credit accounts in your name. You can temporarily lift the freeze when you need to apply for credit.
- Set up fraud alerts with the credit bureaus. A fraud alert requires creditors to verify your identity before opening new accounts.
- Monitor your credit report — you are entitled to free weekly reports from annualcreditreport.com.
- Consider identity theft protection services if government ID was exposed. Services like Identity Guard or LifeLock monitor dark web markets for your stolen data.
- File an identity theft report at identitytheft.gov (US) if you discover unauthorized activity.
Step 4: Credit Monitoring
After a major breach, set up ongoing monitoring:
- Free credit monitoring: Many breached companies offer 1-2 years of free credit monitoring. Accept this offer — it typically includes dark web monitoring and identity theft insurance.
- Credit Karma: Free ongoing credit monitoring for TransUnion and Equifax.
- Bank alerts: Set up transaction alerts on all bank accounts and credit cards. Get notified of any charge over $1.
- IRS Identity Protection PIN: In the US, request an IP PIN from the IRS to prevent tax identity theft.
Other Breach Checking Tools
- Firefox Monitor: Mozilla's breach checker, powered by HIBP data. Integrated into the Firefox browser.
- Google Password Checkup: Built into Chrome and Google Account settings. Checks saved passwords against known breaches.
- Apple Keychain breach detection: Built into iOS/macOS Settings → Passwords → Security Recommendations.
- 1Password Watchtower: Checks all stored passwords against HIBP and flags compromised ones.
- Bitwarden Reports: Premium feature that checks vault passwords against known breaches.
Check if specific services have been breached on Nerq: nerq.ai/was-[service]-hacked. See also: What to Do If Hacked.
Updated March 2026. Source: Nerq independent analysis.