
Data Breach Lookups: Was Your Email Leaked?

Most professional addresses are in at least one breach. Here are the tools to check, what the results actually mean, and what to do about exposure.

Most professional addresses are in at least one data breach. Some are in many. The breach landscape is so pervasive that being in a breach is the default state for working adults, not an anomaly. This post is about the lookup tools, what the results actually mean, and what to do about exposure that you almost certainly already have.

The Lookup Tools

The widely used services for checking breach exposure.

Have I Been Pwned (HIBP). Run by security researcher Troy Hunt. Maintains a database of public breach data covering 12+ billion records across 600+ breaches. Free to query. Returns the list of breaches your address appeared in along with the data types exposed (email, password hash, full name, address, etc.).

Mozilla Monitor (formerly Firefox Monitor). Mozilla’s wrapper around HIBP data. Adds optional ongoing monitoring (notifies you when your address appears in new breaches).

Pwned Passwords. HIBP’s password-specific API. Lets you check whether a specific password has appeared in any breach. Useful for verifying password hygiene without uploading the password to a third party (the API uses a k-anonymity model for privacy).

Identity Theft Resource Center. US-focused. Tracks breach incidents and offers victim resources. Less directly searchable than HIBP.

Dehashed. Paid service. Aggregates more breach data than HIBP, including some breaches HIBP does not cover. Useful for security research; overkill for individual lookups.

SpyCloud. Enterprise breach intelligence. Used by security teams to monitor employee exposure. Not for individual use.

For most individual users, HIBP or Mozilla Monitor is sufficient. The broader services are for security professionals and researchers.

How HIBP Actually Works

The mechanism behind the most-used tool.

Aggregation. Hunt collects breach data from public dumps, security researcher disclosures, and other sources. Data is added when verified.

Query interface. Users submit an email address through the website or API. The service checks the database for matches and returns the breach list.

No password disclosure to user. HIBP does not show users their breached passwords. It shows which breaches included the address; users have to assume the worst about associated passwords.

Privacy model. HIBP does not log the addresses it is asked about, and the k-anonymity password lookup means the service never receives a full password hash.

Free and ad-free. Hunt has maintained the service as a community resource. Donations and a small commercial tier fund operations.

Breach inclusion criteria. Hunt is conservative about what counts. Verified breaches with substantial data exposure are included; unverified or minor incidents typically are not.

The result is a credible, widely cited resource that most security-conscious users have queried at some point.
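The k-anonymity password lookup mentioned above works by hashing the password locally with SHA-1, sending only the first five hex characters of that hash, and matching the remaining 35 characters against the suffix list the service returns. The following is an added example, not code from the original post or from HIBP. The range response it matches against is a constructed sample (the neighbouring suffixes and all counts are invented; only the suffix of SHA-1("password") is real) so the script runs offline; fetch_range() shows what the live call looks like and is never invoked by default.

```python
"""k-anonymity check against the Pwned Passwords range API, run offline.

Added example, not the post's or HIBP's own code. Implements the documented
range protocol: SHA-1 the password, send the 5-character prefix, compare the
35-character suffix locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 uppercase hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for this suffix, or 0 if the suffix is absent (password not seen)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live call (not used in the offline demo): only the 5-char prefix leaves
    the machine. The API requires a User-Agent header."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. A real response holds
# hundreds of lines; the two neighbours and every count here are invented.
# Line 2 carries the genuine suffix of SHA-1("password").
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:4242",
    "2E7C3E3A8E0D0D2D2C6C1A8D5D5B3A1B7C5:1",
])


def check_offline(password: str, range_body: str) -> int:
    """Full client-side flow against a supplied range body; returns the breach count."""
    _prefix, suffix = split_hash(password)
    return count_in_range(suffix, range_body)


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(f"sent to the API: {prefix}   kept local: {suffix}")
    print("seen", check_offline("password", SAMPLE_RANGE_5BAA6), "times in the sample range")
```

To run it against the real service, replace the sample body with fetch_range(prefix); the privacy property holds because the server only ever learns the prefix, which matches a few hundred unrelated hashes.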

What the Results Mean

When your address appears in a breach.

Your address is known to attackers. Once an address is in a public breach, it is in the credential databases used for credential stuffing, password spraying, and targeted phishing.

Associated data may also be known. Depending on the breach, additional data could include passwords (hashed or plain), full names, physical addresses, phone numbers, dates of birth, and security questions.

Spam volume increases. Breached addresses end up in spam list circulation. Mass-volume senders aggregate breach data into outreach databases.

Targeted attacks become possible. A combined dump of email plus password plus other personal data enables specific phishing pretexts. “I see you bought Y from Company X in 2020; here is a related offer.”

The risk compounds. A single breach is rarely catastrophic; multiple correlated breaches enable more sophisticated attacks. A breach with email plus password is more dangerous than one with email alone.

Stale breaches still matter. A breach from 2014 with your email and a password you have since changed still helps attackers. The address is still circulating; the password might still be reused on other accounts.

What to Do When You Find a Breach

The practical response.

Step 1: Change the password for the breached service, if you still have the account. If the service is no longer active, the password change is moot.

Step 2: Change passwords for any service where you reused the breached password. Critical step. Credential stuffing relies on password reuse. If you used the same password across services, an attacker who has it from one breach can try it everywhere.

Step 3: Enable hardware-key MFA on the breached account, where available. A YubiKey or similar hardware key defeats credential-only attacks.

Step 4: Enable monitoring. Sign up for HIBP notifications or Mozilla Monitor so you learn about future breaches affecting your address quickly.

Step 5: Treat the address as compromised for cold outreach purposes. The address is now in spam list circulation. Volume from cold senders will be higher than for non-leaked addresses.

Step 6: Consider rotating the address for high-value accounts. For accounts that matter (banking, primary email, financial services), consider migrating to a fresh address. Disruptive, but reduces correlation between leaked credentials and your active accounts.
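The triage in "What the Results Mean" (which breaches exposed password material, and how old they are) and Step 2 above (find every other account that shares the breached password) can be done mechanically from an HIBP breach listing and a password-manager export. The following is an added example, not code from the original post, from HIBP or from any password manager. The breach records are constructed sample data in the shape of HIBP's breach model (Name, Domain, BreachDate, DataClasses), the vault is a constructed CSV export, and all names, dates and passwords are invented.

```python
"""Cross a breach listing with a password vault to find the reuse blast radius.

Added example, not the post's or HIBP's own code. Sample breaches and vault
rows are constructed; a real HIBP account query needs an API key and is not made.
"""
import csv
import io
import json

# Constructed sample in the shape of an HIBP "breaches for an account" response.
SAMPLE_BREACHES_JSON = json.dumps([
    {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2014-06-01",
     "DataClasses": ["Email addresses", "Passwords", "Names"]},
    {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2021-03-15",
     "DataClasses": ["Email addresses", "Usernames", "IP addresses"]},
    {"Name": "ExampleBank", "Domain": "bank.example", "BreachDate": "2019-11-02",
     "DataClasses": ["Email addresses", "Passwords",
                     "Security questions and answers"]},
])

# Constructed sample of a password-manager CSV export.
SAMPLE_VAULT_CSV = """url,username,password
shop.example,me@mail.example,Summer2014!
mail.example,me@mail.example,Summer2014!
forum.example,me,forum-only-pass
bank.example,me@mail.example,correct horse battery
social.example,me@mail.example,Summer2014!
"""

# Data classes that mean the breach leaked something usable as a credential.
CREDENTIAL_CLASSES = {"Passwords", "Security questions and answers"}


def load_vault(csv_text: str) -> list[tuple[str, str]]:
    """Parse an export into (site, password) pairs."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["url"].strip(), r["password"]) for r in rows]


def breaches_exposing_credentials(breaches_json: str) -> list[dict]:
    """Breaches whose DataClasses include credential material, oldest first.
    Age is not a filter: a 2014 breach still matters if the password lives on."""
    breaches = json.loads(breaches_json)
    hits = [b for b in breaches if CREDENTIAL_CLASSES & set(b["DataClasses"])]
    return sorted(hits, key=lambda b: b["BreachDate"])


def reuse_blast_radius(breaches_json: str, vault: list[tuple[str, str]]) -> dict:
    """For each breached site in the vault, list the *other* sites sharing its
    password. Every site in the returned lists needs a new password too (Step 2)."""
    by_site = {site: pw for site, pw in vault}
    radius = {}
    for b in breaches_exposing_credentials(breaches_json):
        pw = by_site.get(b["Domain"])
        if pw is None:
            continue  # breached service is not in the vault; nothing to compare
        radius[b["Domain"]] = sorted(
            site for site, p in vault if p == pw and site != b["Domain"]
        )
    return radius


if __name__ == "__main__":
    vault = load_vault(SAMPLE_VAULT_CSV)
    for b in breaches_exposing_credentials(SAMPLE_BREACHES_JSON):
        print(f"{b['BreachDate']}  {b['Name']:<13} {', '.join(b['DataClasses'])}")
    for site, others in reuse_blast_radius(SAMPLE_BREACHES_JSON, vault).items():
        print(f"rotate {site} and also: {others or 'nothing else (password was unique)'}")
```

Matching on the breach's Domain against the vault's site field is the weak point of this approach: vault entries stored under a login subdomain will not match unless you normalise both sides to a registrable domain first.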

We covered the broader account-recovery hygiene in “Account recovery abuse” and the credential phishing implications in “MFA doesn’t stop phishing: here is what it does.”

Why Most People Are in Multiple Breaches

The cumulative exposure landscape.

Major breaches affect billions of users. Yahoo (3 billion users), Adobe (153 million), LinkedIn (700 million), Dropbox (68 million), Equifax (147 million), and dozens more cover most working adults.

Long-term internet users accumulate exposure. A user with 15+ years of online accounts has a near-certain probability of being in at least one major breach.

Service-specific breaches add up. Even if you only used a few services, those services have probably been breached at some point.

The breach rate keeps rising. New breaches happen continuously. The cumulative count grows over time.

For a typical knowledge worker, being in 5-15 breaches is normal. The question is not “have I been breached” but “which breaches and what data was exposed.”

What Breach Exposure Actually Costs

The realistic risk distribution.

For most users, the immediate cost is low. Spam volume increases. Phishing attempts may get more targeted. Credential stuffing may try your address against various services. None of this is catastrophic if password hygiene and MFA are in place.

For users with weak password practices, the cost can be significant. Reused passwords across services enable cascading account takeover. Once one account is compromised, others fall through password reuse and account-recovery abuse.

For high-value targets, the cost is asymmetric. Executives, journalists, attorneys, and others with sensitive information face targeted attacks that combine breach data with social engineering.

For most users, the cost is manageable with basic hygiene. Hardware-key MFA + password manager + breach monitoring + structural inbox filtering covers most of the realistic risk.

Why Breach Lookups Are Worth Doing Anyway

Even if you assume you are in many breaches, the lookup is useful.

Specific information about which breaches. Knowing the dates and data types helps you assess what is at risk.

Identifies password reuse risk. If a recent breach included a password and you reused that password elsewhere, knowing accelerates the cleanup.

Validates that monitoring is working. Periodic checks confirm you are not missing something.

Triggers appropriate response. A new breach involving your address warrants the password change and MFA review. Without a lookup, you might not know it happened.

Complements broader security practices. Combined with password manager review and MFA enrollment, breach awareness produces meaningful improvement in security posture.

How a Cover Charge Filter Affects Post-Breach Volume

The structural property.

A breached address is in spam list circulation. Cold senders with broad lists will email it. The volume from this category increases after a breach.

The cover charge filters unknown senders. Whether the sender got your address from a breach, from a data broker, or from any other source, the cover charge gate applies.

Mass-volume senders cannot profitably blast a leaked address. Four cents per recipient breaks the unit economics of broad cold outreach campaigns.

Targeted senders can still reach you. A genuine sender who happens to have your address from a public source pays the cover charge.

The filter is independent of breach exposure. The address being known to attackers does not weaken the structural filter. The economics that drive cold-outreach volume break the same way regardless of how the sender acquired the address.

A Specific Honest Note

Most professional addresses are in at least one breach. Being in breaches is the default state, not an anomaly. The lookups (HIBP, Mozilla Monitor) are useful for knowing the specific exposure, but the cleanup work (password changes, MFA enrollment, monitoring) matters more than the lookup itself.

The structural inbox impact of a breach is increased volume from senders who acquired your address through breach data and broker propagation. The cover charge gate addresses this by changing the economics, regardless of how the senders found you.

For the related guides, see “Why am I getting so much spam,” “Account recovery abuse,” “MFA doesn’t stop phishing: here is what it does,” and “Email senders who buy your address: how they got it.” For the broader frame, see “What is an email paywall” and “The threat model of an average knowledge worker.” Rythm is $1.65 per month, cancel anytime.
