GUIDE · JULY 2026
Was your email in a data breach? How to check — and what to actually do
Short version: it probably was, that's less scary than it sounds, and there are exactly three fixes worth your time. Here's the whole thing in about four minutes.
First, what a breach actually is
When a company you gave your email to gets hacked, the stolen customer list usually ends up traded or dumped online. That list might hold just email addresses, or emails plus passwords, phone numbers, home addresses — whatever the company kept. That's a data breach, and you don't have to do anything wrong to be in one. You just had an account at the wrong place at the wrong time.
Breaches are common enough that the question isn't really "was I in one?" It's "which ones, and what got out?"
How to check in 30 seconds
Use our free Exposure Scanner. Type in your email address and it checks the Have I Been Pwned database — the most complete public record of known breaches, run by a well-respected security researcher. You'll see which breaches included your address and what kinds of data each one leaked.
Two things worth knowing about that check: it doesn't require an account, and we don't log or store the address you enter — it's checked, answered, and discarded. That's a claim you can verify.
Reading your results without panicking
Not all breaches are equal. What matters is what leaked, not how many breaches you're in:
- Just your email address: mildly annoying. Expect more spam and phishing attempts. Nothing to fix, just a reason to stay skeptical of unexpected emails.
- Email + password: this is the one that matters. Anyone can now try that password on your other accounts — and automated tools do exactly that, constantly. If you reused that password anywhere, those accounts are at risk too.
- Phone number, address, date of birth: useful to scammers for impersonation and targeted phishing. You can't un-leak it, but knowing it's out there tells you why that "your package is delayed" text knew your name.
The three fixes that actually matter
1. Change the password — everywhere you used it
Change the password on the breached account, and on any other account where you used the same or a similar password. This single step closes off the most common way breach data gets used against people.
2. Turn on two-factor authentication
Two-factor authentication (2FA) means a stolen password alone isn't enough to get in. Turn it on for your email account first — whoever controls your email can reset everything else — then banking, then the rest. App-based codes beat text-message codes, but text-message 2FA still beats nothing.
3. Get a password manager, so this stops being a recurring problem
The reason breaches hurt is password reuse, and the realistic fix isn't "memorize 80 unique passwords" — it's a password manager that generates and remembers them for you. Set it up once, and the next breach you're in becomes a non-event: one throwaway password leaks, nothing else is touched.
What not to bother with
You'll see advice to buy identity-theft insurance, credit monitoring subscriptions, or "dark web scans" after a breach. Most of it sells fear back to you at a monthly rate. A credit freeze (free, at each credit bureau) does more than most paid monitoring if you're worried about identity theft — and the three fixes above do more than everything else combined.
Check yourself now
It takes half a minute: run the Exposure Scanner. If you want a plan for your whole setup — devices, accounts, the works — the Hardening Generator builds one around your answers, entirely in your browser.