Few websites give you a cleaner, harsher answer than Have I Been Pwned. You type an email address into a plain search box and the site tells you whether that address appears in known breaches, paste dumps, and — once you verify ownership — even more sensitive categories that are not exposed in the public search. On April 23, 2026, the public breach directory listed 974 total breaches and 17.52 billion pwned accounts. That is the whole appeal: one small corner of the web that turns breach anxiety into something concrete.
It turns breach anxiety into something concrete
Most people encounter data breaches as background noise. A brand sends a vague email. A headline flashes by. A security reporter posts another giant leak. You are left with the same dull question every time: did this hit me, or is this just another disaster happening to everyone else? Have I Been Pwned answers that question with unusual directness. It exists to help individuals and organisations identify when their information has been involved in a legitimate breach or leak, and its public search gives you a point-in-time check on whether an email address appears in the data HIBP has loaded.
What makes the site more trustworthy than many breach-themed services is that it does not pretend to be all-seeing. The privacy policy says the information it provides is based on leaks the service has identified and collected, and that it does not represent all leaked information. Your data could still be compromised even if the site shows nothing. That honesty matters. It turns HIBP from a fear machine into a record of known exposure — useful, sobering, and bounded by reality.
That distinction is the heart of the site. A positive result does not mean you are uniquely doomed. A negative result does not mean you are clean forever. What it gives you is a map of where your address has already escaped into the wild, which is often exactly the missing piece when you are deciding which accounts to lock down first.
The site is smaller and smarter than it looks
The web is full of security products that lead with dashboards, funnels, and drama. HIBP still feels like a utility. The homepage is almost blunt: check your email, review breach history, sign up for notifications, move on. That restraint is part of why people trust it. The site does not waste time pretending to be your entire cyber-life manager. It solves the narrower problem well.
It also helps that the project has a clear human fingerprint. The official background page says Troy Hunt created the service and has been running it since 2013. That long continuity shows up in the product itself. The site feels less like a startup pitch deck and more like a tool that has been sharpened over years of seeing how breaches actually spread, how people panic, and what information is safe to expose publicly.
That long-running sensibility is easy to miss if you only ever use the homepage once every six months. HIBP looks simple because it hides a lot of judgment behind the scenes: what counts as a breach, what gets marked sensitive, what stays public, what gets retired, what can be searched by verified owners only, and what should never be shown back to the person searching. Those decisions are where the site earns its reputation.
What you get after the first lookup
The homepage search is only the front door. Once you look around, HIBP reveals itself as a much broader breach-awareness system. There is Pwned Passwords, which checks whether a password has appeared in breach corpora. There is Notify Me, which emails you when your address shows up in future breaches. There is a dashboard for verified users that exposes sensitive breaches and stealer-log information tied to your address. There are domain search tools for people who control a domain and need to see exposure across an organisation. There is also an API for developers and security teams that want to integrate these checks into their own workflows.
What stands out at a glance
| Feature | What it does | Why it matters |
|---|---|---|
| Public email search | Checks one email or username against loaded breaches and pastes | Fastest way to turn a vague scare into a concrete exposure history |
| Sensitive breach access | Requires you to verify control of the address in the dashboard | Keeps highly delicate breaches out of casual public lookup |
| Pwned Passwords | Tests whether a password has appeared in breach data | Useful even when your email search looks clean |
| Notify Me | Sends alerts when your address appears in future breaches | Turns HIBP from a lookup tool into an early-warning service |
| Domain search | Lets verified owners search exposure across a domain | Makes the service practical for teams, not just individuals |
| API access | Exposes breach, password, domain, and related search capabilities programmatically | Good fit for developers and security workflows |
That mix is what makes HIBP more than a one-off lookup site. It works at three levels at once: personal self-check, organisational monitoring, and developer-friendly infrastructure. Most people only need the first layer. The fact that the other two exist is what makes the project feel serious rather than merely viral.
The newer dashboard features are especially revealing. According to the sign-in page, verifying your address unlocks access to sensitive breaches, stealer log entries tied to your email, domain management, and subscription tools. That shifts HIBP from “check my old email once” into something closer to a personal breach dossier. Quietly, the site has become more capable than many people realise.
The privacy choices are unusually thoughtful
A breach-checking service lives or dies on one question: do you trust it enough to type something personal into it? HIBP seems acutely aware of that. Its privacy policy says that when you search for an email address or phone number, the data is retrieved and returned, but the search result is not explicitly stored. At the same time, the policy is careful not to sell a fantasy of zero data handling; it says the service keeps limited logging and performance data to keep the site running and fend off abuse. That is a more believable privacy posture than the usual “we collect nothing” slogan.
The public search is also intentionally narrow. The FAQ says it cannot return anything other than the results for a single user-provided email address or username at a time. If you want broader visibility across a domain, you have to verify control of that domain first. Sensitive breaches are even more locked down: they are not publicly searchable and can only be viewed by the verified owner of the address, or by a verified domain owner in the right context. At the time of writing, the FAQ page says there are 85 sensitive breaches and 2 retired breaches in the system.
The password side is even more elegant. The privacy policy says Pwned Passwords hashes the password client-side with SHA-1 and sends only the first 5 characters of the hash using Cloudflare’s k-anonymity model. The API documentation adds that password range queries return matching suffixes, and that padding can be added so the response size does not give away useful clues. In plain English, the site is set up so you can check a password against a giant breach corpus without handing over the password itself. That is not just smart engineering. It is good product judgment.
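The range-query flow described above, as an added sketch (not HIBP's code and not part of the original article): the client sends only the 5-character SHA-1 prefix and matches the suffix locally. `CORPUS`, `range_response` and `pad_to` are constructed stand-ins for the service so the example runs offline.

```python
import hashlib
import secrets

# Constructed sample corpus (password -> times seen); not real HIBP data.
CORPUS = {"password": 52, "letmein": 7, "correct horse": 1}


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_response(prefix: str, pad_to: int = 8) -> str:
    """Local stand-in for the range endpoint: it only ever sees the prefix."""
    lines = []
    for pw, count in CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # Padding: random suffixes with count 0, so the response size does not
    # reveal how many real suffixes share this prefix (pad_to is hypothetical).
    while len(lines) < pad_to:
        lines.append(f"{secrets.token_hex(18)[:35].upper()}:0")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch=range_response) -> int:
    """Client side: send the prefix, then compare suffixes locally."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix and count.strip().isdigit():
            return int(count)  # padded entries carry 0, i.e. "not found"
    return 0


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-2026"):
        print(pw, "->", pwned_count(pw))
```

The full hash and the password never leave `pwned_count`; only `prefix` is passed to `fetch`, which is where a real HTTP call would go.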
You can see the same judgment in what HIBP refuses to do. The FAQ says passwords are not stored next to email-address search results, and HIBP will not send exposed passwords to users because doing so would raise the risk further. A lot of security tools become dangerous because they cannot resist showing everything they know. HIBP has survived by drawing harder lines.
Who should keep it close
Almost everyone should run their main email through HIBP at least once, then check old addresses, aliases, and long-abandoned signup emails they still remember. Historic exposure still matters because people reuse addresses for years, password habits linger, and breach data does not stop being useful to attackers just because you forgot an account existed. The site’s own model is built around that idea: it is a historic record of where an identifier has appeared, not a temporary scare report.
People who manage domains should care even more. HIBP supports verified domain searches and breach monitoring, which means a company, school, publication, or community running its own email domain can get a much wider view of exposure than a single-address search can offer. Developers and security teams also get real value from the API and from Pwned Passwords, which is queryable online and also available for offline use via the downloader linked from the official password page.
The live breach directory is another reason to keep it in reach. On April 23, 2026, the newest entries included names like Amtrak, McGraw Hill, Hallmark, and Crunchyroll, all added earlier that month. This is not some static museum of famous old disasters. It is an active, maintained index that keeps absorbing new fallout.
What makes Have I Been Pwned memorable is not just that it delivers bad news. It makes the web feel inspectable. It takes a problem that is usually abstract, delayed, and hidden behind corporate language, and turns it into a page you can actually act on. That is a rare thing online: a site that is grim in subject matter, calm in execution, and still genuinely worth bookmarking.
FAQ
It means the address you searched appears in data HIBP has loaded from a breach, leak, paste, or another supported source category. The service then shows the breach history tied to that identifier.
No. HIBP says it does not represent all leaked information, so your data could still be compromised even if the site shows no match.
Yes. HIBP tracks whether an address appeared in historic breach data, so old inboxes, aliases, and abandoned signup addresses are still worth searching.
Start with any accounts where you may have reused the same password, then replace that password with a unique one and consider signing up for breach notifications. HIBP’s password guidance is blunt: a password found in Pwned Passwords should not be used again.
No. The FAQ says email-address searches do not store passwords alongside personally identifiable data, and HIBP does not send exposed passwords to people.
HIBP says searches are performed over encrypted connections, and its privacy policy says email searches are not explicitly stored as personal-information records. It also says the service keeps limited logs and abuse protections, so the answer is not “magic zero data,” but the model is clearly built to limit unnecessary collection.
HIBP says it does not collect or store your personal information when you conduct a search in the database, and that the result of the search is not explicitly stored anywhere. It does, however, keep minimal operational logging and performance telemetry.
The FAQ gives a few possible reasons: the service may have acquired data from somewhere else, rebranded, or someone else may have signed you up. A surprising match is not automatically an error.
They are breaches where someone’s presence in the data could harm them if it were publicly searchable. HIBP says those results can only be viewed by the verified owner of the email address through the dashboard.
No. The FAQ says notifications are only sent to the address being monitored, so you cannot subscribe someone else’s inbox if you do not control it.
HIBP describes stealer logs as data gathered by malicious software running on infected machines, collecting email addresses, passwords, and the sites where they were entered. The dashboard and API now expose parts of that world in controlled ways.
It means that password has previously appeared in breach data. HIBP says it does not know who the password belonged to, only that it was exposed publicly and how many times it has been seen.
Yes. HIBP supports verified domain searches, domain monitoring, and API access for programmatic checks, which makes it useful for organisations as well as individuals.
No. The FAQ says an email address appearing in a breach is an immutable historic fact. You can use opt-out controls to change public visibility, but you cannot rewrite the fact that the address was present in the leak.
Yes, if you want the site to work as an early warning system instead of a one-time lookup. HIBP’s notification service verifies your email and then sends alerts when that address appears in future breaches.
Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

This article is an original analysis supported by the sources cited below
Have I Been Pwned
Official homepage and public breach checker for email addresses, breach history, paste records, and notification signup.
Who’s Been Pwned
The live breach directory used for current database size, recent additions, and the shape of HIBP’s public archive.
Who, What & Why
Official background on the project, including Troy Hunt’s role as creator and operator since 2013.
Frequently Asked Questions
Official explanations of sensitive breaches, retired breaches, stealer logs, notification limits, search behavior, and what HIBP will not show you.
Privacy Policy
Official details on what the service stores, what it does not store, and how it handles searches, notifications, and password checks.
Pwned Passwords
Official page for the password corpus, password-reuse context, API access, and offline download options.
API Documentation
Official technical documentation for email search, k-anonymity queries, domain search, stealer-log endpoints, and Pwned Passwords.















