Does the tool log my email?

No. The proxy that forwards the lookup is configured not to log inputs.

Where does the data come from?

Have I Been Pwned (haveibeenpwned.com), the canonical public breach index maintained by Troy Hunt.

What does no result mean?

It means the address is not in the public HIBP index. It does not mean the address has not been exposed; private breaches and credential-stuffing lists are not always indexed.

What should I do if I have a hit?

Rotate the password on the affected services (especially if you re-used it elsewhere), turn on multi-factor authentication, and review your account-recovery email.

Why use a proxy instead of calling HIBP directly?

HIBP requires an API key. The proxy keeps the key server-side and standardizes the privacy contract.

Why hash the email locally?

It limits the surface area: anyone with packet capture between the browser and the proxy sees only the SHA-1 hash. The proxy still needs the address to query HIBP, but the hashing demonstrates the privacy intent.

Email Breach Lookup: Have I Been Pwned Account Check

Privacy disclaimer. Your email is SHA-1 hashed locally before any request. The proxy that forwards the lookup to Have I Been Pwned does not log inputs. We do not store, queue, or analyze the address.

All calculations happen in your browser. We don’t store inputs.

How it works.

You enter

An email address you control or want to audit.

We compute

We hash the address with SHA-1 in your browser. The lookup runs through our proxy to Have I Been Pwned. The proxy does not log inputs.

You learn

A list of public breaches the address appears in, with breach name, date, and the categories of data exposed.

You enter

Run this on your work email, your personal email, and any address you use for sensitive accounts.

We compute

For each match, you see the breach name, date, and the data classes exposed (passwords, addresses, phone numbers, IPs).

You learn

A list of credentials to rotate and a clear sense of which accounts to lock down with multi-factor.

You enter

You can also run this on a senior team member or family member with their consent.

We compute

Have I Been Pwned only indexes publicly disclosed breaches. The full universe of credential exposure is larger.

You learn

A starting list of cleanups, not a complete picture.

What this tool isn’t.

This is a starting check, not a complete audit. Have I Been Pwned indexes public breaches; private breaches, undisclosed compromises, and credential-stuffing lists circulating in the wild are not always represented. A clean result here does not mean an address is safe; it means it is not in the public index. The reverse is also true: an address that shows in a 2018 breach is not actively being attacked right now, just exposed historically. The right follow-up to a hit is to rotate the password (especially if it was re-used elsewhere), turn on multi-factor authentication on the affected service, and check whether the address still belongs to you. We do not store the address you entered. We do not log it. The proxy that forwards the request to Have I Been Pwned is configured not to log inputs.