← Back to Blog

Your Password Has Probably Been Leaked. Here's How To Check Without Trusting a Random Tool


Credential-stuffing attacks work like this: a leaked database from one site (LinkedIn 2012, Adobe 2013, Collection #1 in 2019, dozens since) gets compiled with every other leaked database into lists of billions of email + password pairs. Bots try every pair against every login they can find. If you reused a password anywhere, a breach against one site eventually becomes a breach against all of them.

Troy Hunt's Have I Been Pwned (HIBP) aggregates these leaks into two searchable corpora: billions of breached accounts (email addresses tied to the breaches they appeared in) and Pwned Passwords, hundreds of millions of distinct leaked passwords, each with a count of how often it has been seen. Both are free and public. The challenge: checking whether your password is in there without typing your real password into a stranger's website.

The Password Breach Check uses HIBP's k-anonymity API. Your password never leaves your browser.

How k-anonymity works

  • Your browser SHA-1 hashes your password locally. The hash is 40 hex characters.
  • The first 5 characters of the hash are the "prefix." The remaining 35 are the "suffix," and they stay in your browser.
  • Only those 5 prefix characters are sent to the HIBP API.
  • HIBP returns every leaked-password suffix that shares that prefix, each with a count. Typically several hundred results.
  • Your browser compares each returned suffix against the 35 characters it kept.
  • If one matches, your password is in the corpus. The count is how many times that password has been seen across all the breaches HIBP has ingested, not how many breaches it was in.

At no point does your plaintext password, full hash, or any identifier go anywhere. All HIBP sees is a 5-character prefix (and the IP it came from), and that prefix is shared by hundreds of unrelated passwords, so HIBP can't tell which one you checked. The tool can't store what it never receives.

This is the gold standard for password-check tools. If a tool asks for your full password without explaining k-anonymity, don't trust it.

What the count actually means

  • Count = 0. Your password hasn't been seen in any known leak. That doesn't mean it's strong — just that it hasn't been publicly dumped yet. Long random passwords from a password manager are still the baseline.
  • Count = 1 to 50. Your password has been seen but is rare. Still change it; you can't tell whether one of those 50 leaked instances was yours.
  • Count = 100+. Your password is common enough to be in dictionary-attack priority lists. Credential-stuffing bots will try it first against every service.
  • Count = 1,000,000+. Passwords like "password123" or "qwerty" fall here. Never use these.

The SMB owner playbook

Run the check quarterly against every password you use for business-critical accounts:

  1. Business email (Google Workspace, Microsoft 365).
  2. Domain registrar (GoDaddy, Namecheap, Cloudflare Registrar).
  3. Hosting / CDN (Netlify, Vercel, Cloudflare, AWS).
  4. Payment processor (Stripe, Square, PayPal).
  5. Accounting (QuickBooks, Xero).
  6. CRM (HubSpot, Salesforce).
  7. Email marketing (Mailchimp, ConvertKit, Postmark).
  8. Banking (all of them, including business checking + savings).

For any that come back with a non-zero count: change the password immediately and enable 2FA. If the same password is used on any other account you own, change those too.

The email address side

HIBP also lets you check whether an email address has been in any known breach. That flow needs a direct visit to the HIBP website: the breached-account API requires an API key, and breaches HIBP classifies as sensitive are only shown after you verify that you control the address. The tool links to HIBP's email-check page so you can check your business addresses.

If an email address comes back flagged, the report will list the breaches it was in. Any password you used on those services needs to be considered burned, along with anywhere you reused it.

What to do if you find a breach

  1. Change the password on the breached service. Generate a new one with a password manager. At least 20 characters, random.
  2. Enable 2FA on that service. Hardware key (YubiKey, Yubico Security Key, Titan Key) is strongest. Authenticator app (Aegis, Authy, 1Password, Bitwarden) is strong. SMS is better than nothing but vulnerable to SIM swap.
  3. Find every other service where you reused that password. Most password managers have a "reused passwords" audit built in. 1Password Watchtower, Bitwarden Password Health, iCloud Keychain Security Recommendations.
  4. Change each one. No exceptions for "it's just my Netflix."
  5. Review recent activity on the breached service. Logins from unknown IPs, password reset attempts, new devices, forwarding rules on email accounts (the common post-breach escalation is mail forwarding so the attacker sees all future password resets).

A password manager is the baseline

The k-anonymity check is useful. A password manager that generates a unique 20-character password for every service removes the reuse problem entirely: a breach on one service can't cascade, because that password exists nowhere else. You still rotate a password when the service that held it is breached, but that is one password, not all of them. 1Password, Bitwarden, iCloud Keychain, Dashlane, Keeper all do this. Pick one and use it on every device.

Fact-check notes and sources

  • Have I Been Pwned (HIBP) operated by Troy Hunt. Pwned Passwords v8 corpus as of 2025.
  • HIBP's k-anonymity API documentation at https://haveibeenpwned.com/API/v3
  • NIST SP 800-63B password-length recommendations.

This post is informational, not security-consulting or identity-theft-protection advice. HIBP is a separately-operated service; mentions are nominative fair use. Never enter passwords into tools you don't trust. If a service is breached, the affected provider is obligated (in many jurisdictions) to notify you — but notifications often lag real-time; checking HIBP is the faster path.

Last updated: April 2026