Data breach check
Has your information been exposed? The tools to find out, what the results mean, and what to do next.
A data breach check tells you whether your personal information — email address, passwords, phone number, or more — has been exposed in a known data breach. The authoritative free tool is HaveIBeenPwned by Troy Hunt; Mozilla Monitor wraps similar data in a consumer-friendly monitor. Browser-native tools in Google Chrome and Apple’s Safari check your saved passwords automatically. Paid tools like DeHashed reveal more detail for professional research. If you’re found in a breach, the practical response is the same: change the exposed password, change any reused passwords elsewhere, enable two-factor authentication on important accounts, and watch for targeted phishing. In the UK, organisations affected by breaches must report to the ICO within 72 hours. Individuals can’t remove their data from breach archives once it’s out, but can minimise future exposure.
What data actually leaks
Not every breach leaks everything. These are the fields attackers value most, and the ones that show up most often in breach data.
Email address
The most commonly exposed field — if you’ve signed up for anything online in the last decade, your email is almost certainly in at least one breach.
Passwords
Often hashed but frequently cracked. Passwords from older breaches circulate openly in wordlists used by attackers for credential-stuffing attacks.
Names and dates of birth
Commonly exposed in breaches from retailers, professional networks, and healthcare providers. The pair is enough to start identity-fraud work.
Phone numbers and addresses
Home addresses from loyalty schemes or delivery services, phone numbers from two-factor authentication systems. Both are useful to attackers for social engineering.
Financial information
Card numbers (often truncated), bank details, or billing information from compromised payment processors. Full details are rarely exposed, but it does happen.
Tools that actually work
A practitioner’s view of the tools in common use — free, freemium, and paid.
HaveIBeenPwned
Strengths: Free and instant. Tells you which known breaches an email is in.
Limits: Narrow scope. Only answers "which breaches" — not what was cracked, not current password safety, not the broader identity picture.
Mozilla Monitor
Strengths: Free, consumer-friendly, uses HaveIBeenPwned’s data. Nice way to monitor one email for breaches over time.
Limits: Same underlying data source as HaveIBeenPwned; value is in the monitoring, not different coverage.
DeHashed
Strengths: Paid tool that reveals the actual leaked fields (passwords, usernames, personal data) for research purposes. Used by security professionals.
Limits: Paid, investigator-oriented, and the level of detail it provides can be misused if accessed casually. Requires subscription.
Google Password Checkup
Strengths: Built into Chrome and Google Account. Checks your saved passwords against known breaches automatically.
Limits: Only works for passwords you save in Google’s password manager.
Apple Compromised Password alerts
Strengths: Built into Safari / iCloud Keychain. Alerts you when your saved passwords appear in breaches.
Limits: Apple ecosystem only.
BLACKEYES
Strengths: Goes beyond which-breaches. Shows what data from your breach exposure connects to your wider digital footprint, and produces an eleven-section personal exposure report.
Limits: Paid per report. Not the right tool for a one-off yes/no breach check — HaveIBeenPwned does that free.
What to do if you’re in a breach
Most people’s emails are in multiple breaches already. That’s normal, not catastrophic. What matters is the response.
Change the password on the breached service
Unique, long, and generated by a password manager. Don’t reuse a password you’ve used anywhere else.
Change reused passwords elsewhere
The real danger of a breach is credential reuse. If the breached site had a password you used on other accounts, those are now also at risk — change them too.
Enable 2FA on important accounts
Email, banking, social media, password manager. Use an authenticator app or hardware key — not SMS.
Watch for targeted phishing
Attackers use breach data to send personalised phishing emails — mentioning the real service you used, the real password you had. Be extra suspicious of "security alert" emails right after a breach.
Report UK breaches to the ICO if you’re an organisation
Under UK GDPR, organisations must report notifiable personal-data breaches to the ICO within 72 hours. Individuals affected by a breach can also file complaints with the ICO if they believe their rights have not been respected.
Consider a credit freeze
If financial or identity data was exposed, a credit freeze with Equifax, Experian, and TransUnion blocks new credit applications in your name until you unfreeze.
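For the "Change reused passwords elsewhere" step above, an added example (not part of the original page) that reads a password-manager CSV export and lists every account sharing a password with the breached site, plus any other reused passwords. The column names, the sample rows and the function name reuse_report are assumptions made for this illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. The columns (name,url,username,password) are an
# assumption; adjust them to match your password manager's CSV layout.
SAMPLE_EXPORT = """name,url,username,password
ShopExample,https://shop.example.com/login,ann@example.org,Winter2019!
Forum,https://forum.example.net,ann@example.org,Winter2019!
Bank,https://bank.example.co.uk,ann@example.org,kT9#vLq2-unique
Mail,https://mail.example.org,ann@example.org,Winter2019!
Video,https://video.example.tv,ann,blue-horse-42
Music,https://music.example.fm,ann,blue-horse-42
"""

def _host(url):
    return (urlparse(url).hostname or url).lower()

def _matches(host, domain):
    return host == domain or host.endswith("." + domain)

def _fingerprint(password):
    # In-memory grouping key only, so plaintext is never printed or stored.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_report(csv_text, breached_domain):
    """Return (hosts sharing the breached site's password, other reuse groups)."""
    groups = defaultdict(set)
    breached = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get("password"):
            continue  # skip entries with no stored password
        fp, host = _fingerprint(row["password"]), _host(row["url"])
        groups[fp].add(host)
        if _matches(host, breached_domain):
            breached.add(fp)
    exposed = sorted(h for fp in breached for h in groups[fp]
                     if not _matches(h, breached_domain))
    other = sorted(sorted(hosts) for fp, hosts in groups.items()
                   if fp not in breached and len(hosts) > 1)
    return exposed, other

if __name__ == "__main__":
    exposed, other = reuse_report(SAMPLE_EXPORT, "shop.example.com")
    print("Change now (same password as the breached site):", exposed)
    print("Other reused passwords to replace:", other)
```

Run it against a real export locally and delete the export file afterwards, since it contains every password in plaintext.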
Beyond the breach list
HaveIBeenPwned answers "is my email in a breach". Useful, but incomplete. The bigger question is: what could someone piece together about you from the breach data plus everything else that’s public?
A personal OSINT check combines breach exposure with social presence, public records, and digital footprint into one picture. For people concerned about identity exposure — after a breach, before a career change, or just as a periodic audit — it’s a useful checkpoint.
Frequently asked questions
My email is in a breach — am I at immediate risk?
Not necessarily immediate, but your exposure is higher. Attackers use breach data in two main ways: credential stuffing (trying your leaked password against other sites) and targeted phishing (using real information about you to craft convincing scams). The practical response is the same whether the risk is immediate or not — change the relevant passwords, enable 2FA, and stay alert for phishing.
How often should I check for new breaches?
Set up automated monitoring rather than manual checks. Services like HaveIBeenPwned and Mozilla Monitor will alert you when your email appears in a new breach. For important accounts, rely on the provider’s own password-checkup feature (Google, Apple, most modern password managers).
Can I remove my data from a breach?
No — once data is out, it’s out. Breach archives are copied and re-shared across the internet; there is no single entity to request removal from. What you can do is change the exposed passwords, request erasure from the original company (they’re obliged under UK GDPR to delete data they no longer need), and minimise the data you give to services going forward.
What’s the difference between a data breach and a hack?
Terms are used loosely. A “breach” usually means a company’s database of user records was exposed — through attack, misconfiguration, or insider action. A “hack” is more specific: unauthorised access to systems. Most data breaches are the result of a hack, but not always — misconfigured cloud storage causes plenty of breaches with no attacker involved.
Is checking my own data in a breach legal?
Yes. Checking whether your own email appears in known breaches is lawful and encouraged by security authorities including the UK’s National Cyber Security Centre. Checking someone else’s data in a breach for investigative or screening purposes requires a lawful basis under UK GDPR — this is the framework professional OSINT tools operate within.
Should I pay for breach monitoring?
Free tools cover the basics well. Paid monitoring makes sense if you want single-dashboard management across many email addresses, your organisation wants to monitor employee accounts for security purposes, or you need the depth a paid investigative platform provides for a specific case.