
Haveibeenpwned: What Is It & Is It Safe?


Many of us have been affected by data breaches at one time or another, including the British Airways breach in 2018 and the recent Facebook breach. Modern life is so complicated that almost all of us will be affected by a hack at one point or another.

It’s important not to panic if one of your online accounts is hacked. This is often called being “pwned.” You can quickly assess the extent of the damage to your account and take control of it by following a few steps.

Data leaks are a common side effect of our internet-connected world. These are often not due to you, the user, being negligent. Data breaches can be embarrassing for companies, whether they are the result of server hacking, human error, or employee misconduct.

Companies are required to promptly report data breaches. These reports, along with analysis of the hacked data made available online and the work done by so-called ‘white hat’ (good guy) hackers, mean that there are resources available to help you determine if any of your accounts were compromised in a hack.

What Is “Have I Been Pwned?”

Have I Been Pwned is a free service that lets you search multiple data breaches in one click to see if your data is among them. You can take steps to minimize the damage. Troy Hunt, the creator of this site, stated that he does not believe in changing passwords that have been leaked, but he feels that you should be aware.

This site frequently receives large-scale data breaches and adds them to its database. Each time there is a breach, the Have I Been Pwned database will be updated. This database allows you to check if your email address has been compromised in one of the largest breaches.

Hunt’s December 2013 blog posting announcing “Have I Been Pwned” states that the website was created on Hunt’s flight from TechEd New Zealand in 2013. It was built after he landed. It initially covered only the Adobe breach, which Hunt had just announced while he was on vacation. But Hunt quickly expanded its coverage to include other breaches.

Is It True That “Have I Been Pwned” Is Legit?


HIBP has been around for almost a decade. It has proven to be an indispensable tool for everyday internet users, government officials, and other organizations.

You read it right: governments. HIBP has assisted governments such as the UK and Australia (to name a few) in monitoring for breaches within government domains. The cybersecurity arms of these governments are responsible for central monitoring, including the National Cyber Security Centre for the UK, the Australian Cyber Security Centre for Australia, and CERT-RO in Romania. These organizations cannot query websites other than those belonging to the government.

Hunt stated that they only have access to domains that their employees could query via the free domain search model. He also explained this in a 2018 blog post that has more information.

Hunt is the only person responsible for HIBP and does not have a team. Hunt is well-respected and highly trusted in the cybersecurity community. He also runs the service with maximum transparency.

Is “Have I Been Pwned” Safe To Use?

If you are more privacy-conscious and don’t like websites spying on your queries when you use their search engine, it is understandable that you might be worried about whether HIBP can snoop on or, worse, record every query.

The HIBP FAQ page states that the website does not log any data. Only Google Analytics and Application Insights performance monitoring log any data. Any diagnostic data implicitly collected in case of an exception to the system is also logged.

Hunt spoke out about Project Svalbard in 2019. He was a familiar name to those who were involved with the future development of Have I Been Pwned. Hunt had intended to transfer HIBP management to a “better resourced and better-funded structure” once he realized he would eventually burn out. This news could have been alarming for many who have relied on the site over the years, as there is always the possibility of the site being monetized and/or misused by the new owners of HIBP.

Hunt wrote a lengthy and thoughtful piece on Project Svalbard at the time. It included his seven-point commitments to the future HIBP. Here’s the short version:

  • Consumer searches should be freely accessible.
  • Troy Hunt (I) will continue to be a part of HIBP.
  • I would like to have even more capabilities.
  • I would like to reach a wider audience than I currently do.
  • Consumer behavior can be changed more easily.
  • HIBP can be a great benefit for organizations.
  • More disclosure and data are needed.

However, things changed in March 2020. The sale of Have I Been Pwned was stopped due to unanticipated developments. Hunt wrote:

“‘Have I Been Pwned’ is no longer being sold. I will still run it.”

How To Use Have I Been Pwned

It’s one of many ways you can protect yourself online. Visit their website and type your email address into the search box. The program will search the Have I Been Pwned database to determine if it matches.

You can also check whether your password information has been leaked using Have I Been Pwned. Click on the “Passwords” tab in the navigation bar. Next, enter any password that you suspect has been spread. The system will then check their database.
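How a password can be checked without sending it anywhere, as an added example that is not part of the original article: it assumes the Pwned Passwords range lookup, where only the first five characters of the password's SHA-1 hash are sent and the service answers with matching hash suffixes and counts. The response data is constructed and the network call is replaced by a hypothetical `fake_fetch_range` so the code runs offline.

```python
import hashlib

def split_hash(password):
    """Hash locally; return (5-char prefix, 35-char suffix) of the SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines; ignore blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isascii() and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Return the breach count; only the hash prefix is handed to fetch_range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Hypothetical stand-in for the HTTP request so the example runs offline.
# A real client would GET https://api.pwnedpasswords.com/range/<prefix>.
SENT = []  # records everything that would have left the machine

def fake_fetch_range(prefix):
    SENT.append(prefix)
    # Constructed response: the counts and filler suffixes are made up.
    lines = ["0" * 35 + ":3", "not a valid line", "F" * 35 + ":1"]
    if prefix == split_hash("password")[0]:
        lines.insert(1, split_hash("password")[1] + ":12345")
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))
    print(breach_count("a-long-unique-passphrase-example", fake_fetch_range))
    print(SENT)  # only 5-character hash prefixes, never the password
```

The suffix comparison happens on the user's machine, so the service never learns which of the returned hashes, if any, was the one being checked.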

A list of data leakages that have occurred in companies is also available. You can also click on the “Who has been pwned?” tab in the navigation menu to see a list of organizations and the extent of the leak.

Apart from providing active checks, Have I Been Pwned also offers a passive service. Sign up to receive alerts. You can subscribe to the site’s updates and receive an email whenever new information regarding a data security breach that may affect you is available. These notifications don’t come immediately, however. It can take several days to notify the public, but it is usually done before any personal data is made public.

What To Do If You’ve Been Pwned?

It’s possible to recover personal information if it is leaked. It’s impossible for you to change the information once it’s been out there. However, there are steps you can take to protect yourself against identity theft.

Update your passwords. Hunt doesn’t believe that passwords should be changed after they have been leaked, but I think it is a good first step. To ensure that one leaked login cannot unlock all your accounts, use a unique and strong password for each. Does this sound complicated? Consider using a password manager such as NordPass or LastPass to help you keep track.

You can increase your account security. Two-factor authentication (2FA) can be set up for all accounts. This works by requiring you to enter an additional code each time you log in from a different device or location. Hackers can’t hack into your account with 2FA.

Contact the affected service. For more information, visit the website of the company affected by the breach. Information about how to find out if your data has been leaked should be posted by the company. The company should also provide information about what next steps to take. You can reach out to the company via social media if their website does not provide any guidance.

Keep an eye out for suspicious activity. Check your financial statements and credit reports regularly for sudden changes. Notify your bank immediately if you notice something that you don’t recognize. Reputable companies such as Equifax, Experian, and TransUnion also offer credit monitoring services.

Where “Have I Been Pwned” Gets Its Information

Have I Been Pwned is based on automated parsing and on manual curation by Hunt for other breaches not found in the publicly searchable data dumps.

Although there are many sources, they all fall within the same category. The Anti Public Combo List was his original source. It was compiled from many sources and was published in December 2016. This list contained more than 562,000,000 unique email addresses and passwords.

Hunt also used data from other websites, such as This is where people can share their exploits and post links to data dumps or torrents of stolen data.

Final Thoughts On “Have I Been Pwned”

Have I Been Pwned fills an important public service gap left by governments and corporations. A company that discloses a data breach could expose itself to lawsuits from customers or shareholders.

There are no laws in most countries that require companies to inform the public about data breaches. Customers who don’t realize their personal information has been compromised could be at risk of being victims of identity theft and fraud.

