Have I Been Pwned
Free breach notification service tracking 14B+ compromised accounts across 900+ breaches. Check if your credentials have been exposed.
What should journalists know about Have I Been Pwned?
The single most important free security tool for journalists. HIBP indexes over 14 billion compromised accounts across 900+ breaches, with new data arriving from law enforcement (the FBI feeds passwords recovered in investigations into Pwned Passwords), from other researchers, and from Troy Hunt's own breach research. The k-anonymity model for password checking is genuinely clever: only the first five hex characters of your password's SHA-1 hash are sent, so the password itself never leaves your device. Firefox Monitor is built on HIBP's data, but querying HIBP directly gives you the fullest and freshest view. Check your accounts here quarterly at minimum. If you cover national security, surveillance, or organized crime, check monthly and subscribe to breach notifications for every email address you use.
Checking if your accounts appear in known breaches. Setting up instant breach notifications for all work and personal emails. Domain-wide monitoring so newsroom IT can see which staff accounts are exposed. Validating that passwords you're about to use haven't already been compromised. Quick credential hygiene checks before starting a sensitive investigation.
Preventing breaches — this is detection, not a firewall. Not a password manager (pair it with 1Password or Bitwarden). Won't tell you if credentials are for sale on dark web marketplaces right now — for that you need DeHashed or SpyCloud. Can't remove your data from breaches.
Security & Privacy
Privacy policy summary
Passwords are checked using k-anonymity: only the first five hex characters (20 bits) of the password's SHA-1 hash are sent, the server returns every hash suffix in its corpus that shares that prefix, and the match is made on your device, so the full password or hash never leaves it. Email addresses are stored only if you opt into breach notifications. No tracking pixels, no ads, no data sales. Notification emails are stored in Azure Table Storage with AES-256 encryption at rest. Hunt has been transparent about what's stored and has published the privacy model in detail.
How to protect yourself:
Subscribe to breach notifications for every email address you use: work, personal, throwaway. Check passwords using the Pwned Passwords feature before reusing any credential; a hit means that password appears in a breach corpus, not necessarily that your account was breached, but it is unusable either way because attackers try exactly these lists first. If a breach is found, change that password immediately, enable 2FA, and check whether you reused it elsewhere. For newsrooms: verify your domain to get a full list of exposed staff accounts. Pair with a password manager (1Password offers free accounts for journalists) to generate unique passwords going forward.
The k-anonymity design is sound: the server sees only a 20-bit hash prefix shared by hundreds of other passwords, and the range API can pad its responses (the Add-Padding request header) so that response size does not reveal which prefix was queried to a network observer. The FBI feeds compromised passwords directly into the Pwned Passwords database, making it one of the most comprehensive credential-checking services available. Azure Storage provides AES-256 encryption at rest. Cloudflare fronts the service and caches Pwned Passwords responses at the edge. The Pwned Passwords API processes 2B+ queries per month and is integrated into major browsers, password managers, and identity services. The March 2025 Mailchimp phishing incident affected Hunt's personal mailing list, not the HIBP service itself, and his 34-minute disclosure set a transparency standard few organizations match. The main limitation: the core HIBP codebase is closed-source, so you're trusting Hunt's infrastructure. Given 12+ years of consistent, transparent operation and the FBI partnership, that trust is well-placed.
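The k-anonymity exchange described in the privacy summary and the assessment above, as an added example (this is not HIBP's own code). Both sides are simulated locally so it runs offline: the server side uses a constructed sample corpus instead of the real api.pwnedpasswords.com/range/{prefix} endpoint. The response format (35-hex-character suffix, colon, count, one per line) and the zero-count padding entries follow the public API; the fixed padding to 800 lines and the seeded random source are simplifications made for this example.

```python
"""k-anonymity password check in the style of the Pwned Passwords range API.

Added example, not HIBP's own code. A real client would GET
https://api.pwnedpasswords.com/range/{prefix}; here the server side is
simulated with a constructed corpus so everything runs offline.
"""
import hashlib
import random
from collections import defaultdict

# Constructed sample corpus (password -> breach count). Not real HIBP data.
SAMPLE_CORPUS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "letmein": 500_000,
    "correcthorsebatterystaple": 1_200,
}

HEX = "0123456789ABCDEF"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """First 5 hex chars (20 bits) go over the wire; the remaining 35 stay local."""
    return full_hash[:5], full_hash[5:]


def build_server_index(corpus: dict) -> dict:
    """Group hashes by prefix, the way the server stores them."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(password))
        index[prefix][suffix] = count
    return index


def range_lookup(index: dict, prefix: str, pad: bool = False) -> str:
    """Simulated response body for /range/{prefix}.

    The server sees only `prefix` and cannot tell which (if any) of the
    suffixes in the bucket the client cares about. With pad=True, fake
    zero-count entries are appended, mirroring the real API's
    "Add-Padding: true" header, so response length does not reveal the
    prefix to a network observer. The real API pads to a random 800-1000
    entries; a fixed 800 and a seeded RNG keep this example deterministic.
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    lines = [f"{suffix}:{count}" for suffix, count in index.get(prefix, {}).items()]
    if pad:
        rng = random.Random(0)
        while len(lines) < 800:
            fake_suffix = "".join(rng.choice(HEX) for _ in range(35))
            lines.append(f"{fake_suffix}:0")
    return "\r\n".join(lines)


def pwned_count(password: str, index: dict, pad: bool = False) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the breach count, or 0 if the password is not in the corpus.
    Zero-count lines are padding and are ignored, as the API docs require.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_lookup(index, prefix, pad=pad)  # the prefix is the only thing "sent"
    for line in body.splitlines():
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix and int(count) > 0:
            return int(count)
    return 0


SERVER_INDEX = build_server_index(SAMPLE_CORPUS)

if __name__ == "__main__":
    for pw in ["password", "correcthorsebatterystaple", "Zq7!uniq-never-leaked"]:
        prefix, _ = split_hash(sha1_hex(pw))
        bucket = len(SERVER_INDEX.get(prefix, {}))
        print(f"{pw!r}: server saw prefix {prefix} ({bucket} real entries in bucket), "
              f"count={pwned_count(pw, SERVER_INDEX, pad=True)}")
```

Running it shows the two properties the text relies on: the server function only ever receives the five-character prefix, and with padding on, every response has the same number of lines whether the bucket holds one real hash or several, so neither the service nor someone watching the TLS stream's sizes learns more than the 20-bit prefix.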
Who Owns This
Known issues
In March 2025, Troy Hunt himself was phished via a fake Mailchimp SSO page while jet-lagged. Attackers exported ~16,000 email records (addresses, IPs, rough geolocation) from his blog mailing list. Hunt disclosed within 34 minutes and added the breach to HIBP. The incident is a useful reminder: even security experts get phished, and the real measure is response speed and transparency. Separately, the core HIBP service is not fully open source; only the Pwned Passwords component is. The main breach lookup database and notification system remain closed-source, which means you're trusting Hunt's operational security. That trust is well-earned but worth noting. Aggregated credential stuffing datasets (like the 2B-email batch from late 2025) can trigger misleading headlines: a "your email was in a breach" result may come from infostealer malware logs or a recombined credential-stuffing list rather than a hack of a specific site, so read the breach description in HIBP before assuming which service was compromised.
Pricing
Free for individual email and password lookups. Paid API starts at $3.50/month for up to 10 requests per minute. Domain search (all emails on your newsroom domain) requires domain verification. Enterprise tiers available.
This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.