How to Know If You’re the Victim of a Data Dump

Find out if you have been pwned

Photo of haveibeenpwned.com site on a laptop, with person's fingers on keyboard

Worried that an account sign-in or password might have leaked? You're not alone. Many sites and services have experienced the unauthorized publication of account names, email addresses, and passwords.

Here are several ways to find out if your account login information is no longer private.

What Is a Data Dump?

The phrase "data dump" refers to the public release of sensitive data, such as when account names, email addresses, and passwords are published online.

What Does PWNED Mean?

Pwned is a term that refers to being defeated or taken over. When your account name and password become known and are released, you might say that the account has been pwned. (See "What Getting 'Pwned' Means and How to Use It Properly" for more details.)

Find Out If Your Accounts Have Been Hacked

  1. Verify with the breached site. Responsible organizations notify account holders directly once a security breach is identified, and many will force a password reset if passwords were among the data exposed.

    When you receive such an alert, go to the company's website directly and look for its own notice about the breach. Don't follow a link in an email telling you about an account breach. Instead, open a browser and type in the site's web address yourself. Once your email address is in a public dump it becomes a ready-made target list, so a message claiming to be a breach notification may itself be a phishing attempt to collect more of your private information.

  2. Search for leaked credentials. Go to haveibeenpwned.com to check its large index of email addresses and passwords gathered from publicly identified data dumps. The site reports only whether an email address or a password appears in the data; the two are stored separately, and it provides no way to link them. In other words, you can't type in an email address and see the password paired with it.

    Open a browser, go to https://haveibeenpwned.com/, and enter your email address. The site lists the data dumps that included that address and the kinds of data each one exposed (for example, passwords). Change your password on every site listed, and on any other site where you reused that password.

    Screenshot of haveibeenpwned.com with the email search field shown
  3. Check whether a password you use has been disclosed in public data sets. Again in your browser, go to https://haveibeenpwned.com/Passwords. You can either type in a password you use or, if you prefer, download the complete data file. Note that the download contains SHA-1 (or NTLM) hashes of the leaked passwords with their counts, not the passwords in plain text.

    Screenshot of password search at haveibeenpwned.com site, showing field to enter password empty

    When you type in a password, the site reports how many times that password has been found in public data dumps. For example, the password "mypassword" has been listed 38,621 times. If you type a password that has not been disclosed, you'll see a notice that it has not been found in the site's data. The form does not send your actual password to the server: your browser hashes it with SHA-1, sends only the first five characters of that hash, and then compares the returned list of matching hash suffixes locally (the k-anonymity model). Even so, type a password into any third-party site only when you understand how it is handled.

    If you discover that a password you use has been included in a data dump, change that password. If you use the same password for multiple sites (pro tip: do not do this), change it to a different, unique password on every one of those sites.

  4. If you use the Chrome browser on a laptop or desktop, install the Google Password Checkup extension. It alerts you when a username and password you sign in with match a pair that is known to have been exposed in a breach.

    Screenshot of the Google Password Checkup Chrome extension installation page
  5. Use a password manager. Seriously, it's the best way to improve the security of your account passwords and receive breach alerts. A password manager requires one strong master password to unlock it, and in return it generates long, random strings of letters, numbers, and symbols to use as the password for each site. These randomly generated passwords are far stronger than passwords people choose and remember, and because each one is unique, a breach at one site doesn't expose your other accounts.

    Screenshot of 1Password Watchtower service, with field to enter a website to check for breaches

    Some password managers will also notify you when they find your email address in a public data dump. For example, both 1Password and Dashlane alert you when your account information turns up in a dump. These services monitor breach data and use privacy-preserving methods to compare the credentials stored in your encrypted vault against publicly available data sets.

    Screenshot of Dashlane's Dark Web Monitoring and Personalized Alerts feature description, showing security alerts for Delta.com and Bestbuy.com
  6. That's it! Now you know whether your account credentials appear in any publicly known data dump. Keep in mind that absence from these lists doesn't prove a credential is safe, only that it hasn't been indexed yet.
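As an added illustration (not code from this page or from haveibeenpwned.com), here is the lookup from step 3 written out in Python so you can see exactly what leaves your machine: only the first five hex characters of the password's SHA-1 are sent to the range endpoint, and the match against the returned suffix list happens locally. A live fetch is included for reference, but the run below uses a constructed offline response whose suffixes and counts are illustrative, seeded with the page's "mypassword" figure; the range URL, response format, and Add-Padding header are those of the public Pwned Passwords API.

```python
from __future__ import annotations

import hashlib
import re
import urllib.request

# Password and count quoted on the page; used to seed the constructed offline data.
PAGE_EXAMPLE_PASSWORD = "mypassword"
PAGE_EXAMPLE_COUNT = 38621

RANGE_URL = "https://api.pwnedpasswords.com/range/"
SUFFIX_RE = re.compile(r"[0-9A-F]{35}")


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix: str) -> str:
    """Constructed stand-in for the range endpoint so this example runs offline.

    The real response is one "<35-hex-suffix>:<count>" line per suffix that
    shares the requested prefix. The fixed suffixes below are illustrative
    values, not real breach data; the last line is the page's "mypassword"
    example, added only when its prefix is the one being queried.
    """
    example_prefix, example_suffix = sha1_prefix_suffix(PAGE_EXAMPLE_PASSWORD)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:0",  # zero-count padding row
    ]
    if prefix == example_prefix:
        lines.append(f"{example_suffix}:{PAGE_EXAMPLE_COUNT}")
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """Query the real service (needs network access). Only the prefix is sent;
    Add-Padding asks for dummy zero-count rows so the response size does not
    reveal how many real suffixes matched."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse response lines into {suffix: count}, validating each suffix and
    dropping zero-count padding rows."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not SUFFIX_RE.fullmatch(suffix) or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        if int(count) > 0:
            counts[suffix] = int(count)
    return counts


def pwned_count(password: str, fetch=fetch_range_offline) -> int:
    """Return how many times the password appears in the data set (0 = not
    found). Neither the password nor its full hash leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in (PAGE_EXAMPLE_PASSWORD, "correct horse battery staple!"):
        n = pwned_count(pw)
        verdict = f"seen {n:,} times, change it" if n else "not in the indexed dumps"
        print(f"{pw!r}: {verdict}")
```

To check against the real service, call `pwned_count(pw, fetch=fetch_range_live)`; the rest of the logic is unchanged, which is the point: the privacy of the scheme rests on what `sha1_prefix_suffix` chooses to send, not on trusting the server.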