← All guides

How to find out if your passwords have already leaked

Billions of passwords are in public breach dumps. Checking whether yours are included takes five minutes and is probably the highest-value security errand there is.

5 min read · Reviewed July 2026

Ad space (header)

Data breaches aren’t rare events. Billions of account records are sitting in dumps traded openly online — collected from breached sites over the past decade and reused by attackers daily. The question isn’t whether any of your old passwords leaked. Statistically, some did. The question is which ones, and whether you still use them anywhere.

The check itself

Go to haveibeenpwned.com — the standard, widely trusted breach index run by a well-known security researcher — and enter your email address. You’ll get a list of known breaches that included your address, along with what leaked: passwords, phone numbers, and so on. Do it for every email you use. Old addresses count; attackers don’t care that you stopped checking that inbox in 2016.

Most password managers also run this check continuously against your stored passwords and alert you when one shows up in a new dump. If yours has the feature, turn it on. That converts a one-time errand into a standing alarm.

What to do with the results

Triage, don’t panic. A password that leaked from a site you used once in 2015 matters only if you reused it. That’s the real damage model: attackers take leaked email-password pairs and try them on email providers, banks, and shops automatically. So: change the leaked password anywhere it was reused, starting with email and money. If the breach included the password for an account you still use, change that account even if it wasn’t reused.

And if the same weak password shows up in multiple breaches, treat that as the message it is — retire it everywhere, permanently. Generate replacements instead of inventing them; the generator on our homepage exists for exactly this cleanup.

Make it boring and recurring

Do the check once a quarter or after any big breach hits the news. Five minutes, calendar reminder, done. Security that actually happens beats security you meant to get around to.

Written and maintained by the Password Generator team. Reviewed July 2026.

Ad space (footer)