Was my email address in a data breach?
Online Safety Guide · Digital Confidence Centre
What is a data breach?
A data breach happens when a company's computer system is broken into and people's private information gets stolen. The stolen information might include email addresses, passwords, phone numbers, or credit card numbers.
Breaches happen to large companies you may recognise, such as banks, stores, social media sites, and email providers. It is not your fault if your information was involved in a breach. The responsibility is on the company whose system was broken into.
Why should I check?
If your email and password were stolen in a breach, criminals may try to log in to your other accounts using that combination. This is called "credential stuffing." Checking lets you know whether you need to change any passwords.
How to check your email address
The most trusted tool for this is called Have I Been Pwned? (pronounced "poned"). It was created by a security researcher named Troy Hunt and is used by governments and security organisations worldwide, including the Australian government and the FBI.
Enter your email address on the Have I Been Pwned website to see if it has appeared in any known data breach.
Check My Email →
You will enter your email on the Have I Been Pwned website, not here. Digital Confidence Centre does not collect or see your email address. Have I Been Pwned does not store your email address; it only compares it to known breach records and shows you the result.
Powered by HaveIBeenPwned.com — free, trusted, widely used
How to read the results
- Green screen ("Good news"): Your email was not found in any known breach. No action needed today, though it is still worth using strong, unique passwords.
- Red screen ("Oh no"): Your email was found in one or more breaches. The site will list which companies were involved and when. Follow the steps below.
If your email was found in a breach: what to do
- Change your password for the service listed in the breach. Even if the breach was years ago, change it now if you have not already.
- Check if you use the same password anywhere else. If so, change it on every account where you used it. Criminals will try the leaked password on popular sites like Gmail, Facebook, and online banking.
- Turn on two-step verification (also called two-factor authentication or 2FA) on your important accounts, especially email and banking. This adds a second step, such as a text message code, so even if a criminal has your password, they cannot get in.
- Watch for phishing messages. After a breach, you may receive fake emails or texts that pretend to be from the breached company. Never click links in unexpected messages. Go directly to the company's website by typing the address yourself.
Is Have I Been Pwned safe to use?
Yes. It is one of the most trusted security tools in the world. When you type your email, the site checks it against its database of known breaches without storing your email address. The site does not send you spam, and it does not sell your data.
It is also free. You do not need to create an account or pay anything to use the basic search.
Should I check all my email addresses?
Yes. If you have more than one email address, check each one separately. Breaches often affect older accounts that you may have forgotten about.