Data Breach Checker

Check if your email address or password has appeared in a known data breach. Email lookups use the Have I Been Pwned API over HTTPS. Password checks use k-Anonymity β€” only 5 characters of a SHA-1 hash are ever sent, so your actual password is never transmitted.

πŸ”’ Emails are queried via HTTPS to the Have I Been Pwned API. No email is stored by PassFortify.

Powered by Have I Been Pwned β€” created by Troy Hunt.

πŸ”’ How it works (k-Anonymity):
  1. Your password is hashed locally with SHA-1 in your browser.
  2. Only the first 5 characters of the hash are sent to the HIBP API.
  3. The API returns all hashes starting with those 5 characters.
  4. Your browser checks locally if your full hash appears in the list.
  5. Your actual password and full hash never leave your device.

What to do if you're in a breach

Finding your email in a breach doesn't mean your account is immediately compromised β€” but it means attackers have your credentials in their lists. Take these steps immediately:

  1. Change the password on every service listed in the breach results.
  2. Check for password reuse β€” if you used the same password elsewhere, change those too.
  3. Enable two-factor authentication (2FA) on affected accounts, especially email.
  4. Watch for phishing β€” breach data is often used to craft targeted phishing emails.
  5. Use a password manager to generate and store unique passwords for every account.

What is Have I Been Pwned?

Have I Been Pwned (HIBP) is a free service created in 2013 by security researcher Troy Hunt. It aggregates data from known data breaches β€” including passwords, email addresses, usernames, and other personal data β€” and provides a searchable database for individuals to check if their information has been exposed. As of 2026, it contains over 12 billion compromised accounts from thousands of breaches.

Frequently Asked Questions

Yes. The HIBP API is used by Firefox Monitor, 1Password, and major browsers. Queries are made over HTTPS. Your email is sent to look up whether it appears in breach data β€” this is the same mechanism trusted security tools use globally.

k-Anonymity ensures your full password hash is never transmitted. PassFortify computes a SHA-1 hash locally, sends only the first 5 characters to HIBP, receives a list of partial matches, and checks your full hash locally. The server never sees your password or its complete hash.

Change passwords for affected services immediately. If you reused that password elsewhere, update those accounts too. Enable 2FA wherever possible. Use our Password Generator to create unique, strong passwords for each account.

HIBP is continuously updated as new breaches are disclosed. Major breaches are typically added within days of public discovery. The database has grown from 300 million records in 2013 to over 12 billion as of 2026.

Have I Been Pwned is a free breach notification service by security researcher Troy Hunt. It aggregates data from known breaches and lets anyone check if their email or password was exposed. It's trusted by millions of users and integrated into major security products worldwide.