Skip to content
Breachroad
Back to the blog
Data breaches

Has my data leaked? How to check and what to do

Your passwords and data are almost certainly in some breach. How to check it safely, what a leak really means and what steps to take.

KR
Karol Rapacz
22 May 2026 · 9 min read
Has my data leaked? How to check and what to do

If you’ve used the internet for a few years, the probability that your email address and at least one password are in some data breach is close to certain. That’s not a sign you did something wrong — it’s the result of hundreds of break-ins to the services we use: shops, forums, apps. The good news is that you can check it in minutes, and knowing what leaked and where lets you protect yourself effectively. Here’s how to do it safely and what comes next.

What a “data breach” actually means

When a service where you have an account gets hacked, attackers steal its user database. It then flows to forums and marketplaces where other criminals buy it. A leak can include various things:

  • just the email address (not very dangerous on its own, but it helps phishing),
  • email + password — the most dangerous, because it enables credential stuffing: automatically trying that pair on hundreds of other services,
  • personal data (name, phone, address, ID number) — fuel for scams and identity theft,
  • card data or other sensitive information.

The biggest risk is password reuse. If you use the same password in many places, a leak from one unimportant service opens the attacker’s door to your email and bank.

How to safely check whether your data leaked

There are trusted, free tools that gather information about public breaches and let you check whether your address is in them:

  • Have I Been Pwned (haveibeenpwned.com) — the best-known service, run by a respected researcher. You enter an email and see which breaches it appeared in.
  • Password manager and browser alerts — most password managers and Chrome/Firefox warn you when your saved password appears in a known breach.

A safety rule: only check on reputable, well-known services, and never enter your password on a “breach-checking” page. Trusted tools ask at most for an email address (or check the password locally, without sending it). A page that asks for your password to “check whether it leaked” is itself a trap.

What to do when your data is in a breach

Don’t panic — act methodically:

1. Change the password on the leaked service — and everywhere else you used the same or a similar one. This is the most urgent step, because it blocks credential stuffing.

2. Set unique passwords everywhere. The most effective defence against the consequences of leaks is a different, random password for each service. You can’t memorise that — so use a password manager to generate and remember them for you.

3. Enable MFA on key accounts. Even if a password leaked, a second factor stops most login attempts. Priority: email, bank, social media.

4. Watch for a phishing surge. After a personal-data leak you may get convincing-looking messages (they know your name, number, recent purchases). That doesn’t mean you’re talking to a real company — stay alert.

5. For sensitive-data leaks (ID number, card data) consider extra steps: a credit freeze / identity theft protection, and for a card — replacing it.

Why this will keep happening

Leaks are inevitable, because you don’t control the security of every service where you create an account. You can’t “clean up once” and be done. The realistic strategy is to minimise the impact: since leaks will happen, make sure a single leak doesn’t cascade to other accounts. You achieve that with three habits: unique passwords (a password manager), MFA wherever possible, and periodically checking whether your address appeared in a new breach.

Frequently asked questions (FAQ)

Is entering my email in Have I Been Pwned safe? Yes — it’s a reputable, widely trusted service run by a respected security researcher. It checks only the email address and doesn’t ask for a password. Avoid random “breach checker” pages that demand you enter a password.

My email is in several breaches — is that a disaster? Not necessarily. An address being in a breach is the norm today. The key question is: do you use the same password in many places? If so — change it to unique ones. If you have different passwords and MFA, the impact of a single leak is limited.

How often should I check whether data leaked? More conveniently than manually: enable alerts in your password manager and browser, and in Have I Been Pwned you can register an address for automatic alerts. Then you’ll learn about a new leak immediately, without remembering to check.

After a leak, do I have to change all passwords at once? As a priority, change the password on the leaked service and everywhere it was the same. You can tidy up the rest gradually, moving to unique passwords from a manager. The key is closing the domino effect — reused passwords.

I run a company — how do I check for leaked corporate addresses? It’s worth monitoring whether addresses on your domain appear in leaks (Have I Been Pwned offers domain monitoring), because stolen corporate credentials are a common route into the network — including via infostealers. In an audit we check this area among others. Get in touch.

Summary

Your data is almost certainly in some breach — and that’s not your fault but the result of break-ins to services you use. You can check it in minutes with a trusted tool (never entering a password). What matters isn’t the awareness itself but the response: unique passwords from a manager, MFA on your most important accounts and vigilance against phishing. Those three habits turn the next leak into a minor event, not the start of an account takeover.


Sources and further reading: Have I Been Pwned, CISA.

Share this article

Services Book a consultation