Have I Been Pwned: FAQs (2023)

What does "pwned" mean?

The word "pwned" has origins in video game culture and is a leetspeak derivation of the word "owned", due to the proximity of the "o" and "p" keys. It's typically used to imply that someone has been controlled or compromised, for example "I was pwned in the Adobe data breach". Read more about how "pwned" went from hacker slang to the internet's favourite taunt.

What is a "breach" and where has the data come from?

A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.

Are user passwords stored in this site?

When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately to the pwned address search feature, the Pwned Passwords service allows you to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address) and every password is SHA-1 hashed (read why SHA-1 was chosen in the Pwned Passwords launch blog post).

Can I send users their exposed passwords?

No. Any ability to send passwords to people puts both them and myself at greater risk. This topic is discussed at length in the blog post on all the reasons I don't make passwords available via this service.

Is a list of everyone's email address or username available?

The public search facility cannot return anything other than the results for a single user-provided email address or username at a time. Multiple breached accounts can be retrieved by the domain search feature but only after successfully verifying that the person performing the search is authorised to access assets on the domain.

What about breaches where passwords aren't leaked?

Occasionally, a breach will be added to the system which doesn't include credentials for an online service. This may occur when data about individuals is leaked and it may not include a username and password. However this data still has a privacy impact; it is data that those impacted would not reasonably expect to be publicly released and as such they have a vested interest in having the ability to be notified of this.

How is a breach verified as legitimate?

There are often "breaches" announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e. it's just copied from another source)?
  3. Is the structure of the data consistent with what you'd expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?

What is a "paste" and why include it on this site?

A "paste" is information that has been "pasted" to a publicly facing website designed to share content such as Pastebin. These services are favoured by hackers due to the ease of anonymously sharing information and they're frequently the first place a breach appears.

HIBP searches through pastes that are broadcast by the accounts in the Paste Sources Twitter list and reported as having emails that are a potential indicator of a breach. Finding an email address in a paste does not immediately mean it has been disclosed as the result of a breach. Review the paste and determine if your account has been compromised then take appropriate action such as changing passwords.

My email was reported as appearing in a paste but the paste now can't be found

Pastes are often transient; they appear briefly and are then removed. HIBP usually indexes a new paste within 40 seconds of it appearing and stores the email addresses that appeared in the paste along with some metadata such as the date, title and author (if they exist). The paste itself is not stored and cannot be displayed if it no longer exists at the source.

My email was not found — does that mean I haven't been pwned?

Whilst HIBP is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. "Absence of evidence is not evidence of absence" or in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach.

How does HIBP handle "plus aliasing" in email addresses?

Some people choose to create accounts using a pattern known as "plus aliasing" in their email addresses. This allows them to express their email address with an additional piece of data in the alias, usually reflecting the site they've signed up to such as test+netflix@example.com or test+amazon@example.com. There is presently a UserVoice suggestion requesting support of this pattern in HIBP. However, as explained in that suggestion, usage of plus aliasing is extremely rare, appearing in approximately only 0.03% of addresses loaded into HIBP. Vote for the suggestion and follow its progress if this feature is important to you.

How is the data stored?

The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you're interested in the details, it's all described in Working with 154 million records on Azure Table Storage – the story of Have I Been Pwned.

Is anything logged when people search for an account?

Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics, Application Insights performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.

Why do I see my username as breached on a service I never signed up to?

When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.

Why do I see my email address as breached on a service I never signed up to?

When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?

Can I receive notifications for an email address I don't have access to?

No. For privacy reasons, all notifications are sent to the address being monitored so you can't monitor someone else's address nor can you monitor an address you no longer have access to. You can always perform an on-demand search of an address, but sensitive breaches will not be returned.

Does the notification service store email addresses?

Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification are stored.

Can a breach be removed against my email address after I've changed the password?

HIBP provides a record of which breaches an email address has appeared in regardless of whether the password has consequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don't want any breach to publicly appear against the address, use the opt-out feature.

What email address are notifications sent from?

All emails sent by HIBP come from noreply@haveibeenpwned.com. If you're expecting an email (for example, the verification email sent when signing up for notifications) and it doesn't arrive, try white-listing that address. 99.x% of the time email doesn't arrive in someone's inbox, it's due to the destination mail server bouncing it.

How do I know the site isn't just harvesting searched email addresses?

You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.

Is it possible to "deep link" directly to the search for an account?

Sure, you can construct a link so that the search for a particular account happens automatically when it's loaded, just pass the name after the "account" path. Here's an example:


How can I submit a data breach?

If you've come across a data breach which you'd like to submit, get in touch with me. Check out what's currently loaded into HIBP on the pwned websites page first if you're not sure whether the breach is already in the system.

What is a "sensitive breach"?

HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone's presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as "sensitive" and may not be publicly searched.

A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.

There are presently 48 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, Carding Mafia (December 2021), Carding Mafia (March 2021), CrimeAgency vBulletin Hacks, CTARS, CyberServe, Doxbin, Emotet, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity, Gab and 28 more.

What is a "retired breach"?

After a security incident which results in the disclosure of account data, the breach may be loaded into HIBP where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently removed from HIBP where it is then classed as a "retired breach".

A retired breach is typically one where the data does not appear in other locations on the web, that is it's not being traded or redistributed. Deleting it from HIBP provides those impacted with assurance that their data can no longer be found in any remaining locations. For more background, read Have I Been Pwned, opting out, VTech and general privacy things.

There is presently 1 retired breach in the system which is VTech.

What is an "unverified" breach?

Some breaches may be flagged as "unverified". In these cases, whilst there is legitimate data within the alleged breach, it may not have been possible to establish legitimacy beyond reasonable doubt. Unverified breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing unverified breaches to Have I Been Pwned.

What is a "fabricated" breach?

Some breaches may be flagged as "fabricated". In these cases, it is highly unlikely that the breach contains legitimate data sourced from the alleged site but it may still be sold or traded under the auspices of legitimacy. Often these incidents are comprised of data aggregated from other locations (or may be entirely fabricated), yet still contain actual email addresses unbeknownst to the account holder. Fabricated breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing "fabricated" breaches to Have I Been Pwned.

What is a "spam list"?

Occasionally, large volumes of personal data are found being utilised for the purposes of sending targeted spam. This often includes many of the same attributes frequently found in data breaches such as names, addresses, phone numbers and dates of birth. The lists are often aggregated from multiple sources, frequently by eliciting personal information from people with the promise of a monetary reward. Whilst the data may not have been sourced from a breached system, the personal nature of the information and the fact that it's redistributed in this fashion unbeknownst to the owners warrants inclusion here. Read more about spam lists in HIBP.

What is a "malware" breach?

Data breaches in HIBP aren't always the result of a security compromise of an online service and occasionally, data obtained by malware campaigns is also loaded. For example, the US FBI and Dutch NHTCU provided HIBP with data from the Emotet malware in April 2021. The risk posed to individuals in these incidents is different (their personal device may be compromised) hence the presence of this flag in HIBP.

What does it mean if my password is in Pwned Passwords?

If a password is found in the Pwned Passwords service, it means it has previously appeared in a data breach. HIBP does not store any information about who the password belonged to, only that it has previously been exposed publicly and how many times it has been seen. A Pwned Password should no longer be used as its exposure puts it at higher risk of being used to login to accounts using the now-exposed secret.

I searched for my email address on HIBP and then I was hacked, what gives?!

First of all, searches are not logged so there's no collection of addresses. Any searches that are performed are done so over an encrypted connection so nobody has access to the web traffic other than those hosting the HIBP services. Even if they did, it's only an email address and not enough to gain access to someone's online accounts. If Pwned Passwords has also been used to search for a password, it's anonymised before being sent to HIBP so even a search for both email address and password doesn't provide a usable credential pair. Correlation does not imply causation; it's a coincidence.
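
The anonymisation mentioned above, together with the SHA-1 hashing described under "Are user passwords stored in this site?", can be shown with a client-side sketch of the Pwned Passwords range lookup (the k-anonymity model), in which only the first five hex characters of the SHA-1 digest leave the client. This is an added example, not code from HIBP; the FakeRangeServer class, its sample passwords and their counts are constructed so the block runs offline.

```python
import hashlib

PREFIX_LEN = 5    # hex characters of the digest that are sent to the service
DIGEST_LEN = 40   # a SHA-1 digest is 40 hex characters


def split_digest(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        well_formed = (
            sep == ":"
            and len(suffix) == DIGEST_LEN - PREFIX_LEN
            and all(c in "0123456789ABCDEFabcdef" for c in suffix)
            and count.isdigit()
        )
        if well_formed:
            counts[suffix.upper()] = int(count)
    return counts


def times_seen(password, fetch_range):
    """Return how many times the password was seen; 0 means not in the set.

    fetch_range(prefix) returns the response body for that prefix. Only the
    5-character prefix is passed to it; the suffix comparison happens locally,
    so the service never receives the password or its full hash.
    """
    prefix, suffix = split_digest(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


class FakeRangeServer:
    """Constructed offline stand-in for the range endpoint (an assumption)."""

    def __init__(self, breached):
        self.buckets = {}
        self.seen_requests = []  # everything this "server" ever learns
        for password, count in breached.items():
            prefix, suffix = split_digest(password)
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix):
        self.seen_requests.append(prefix)
        # Constructed decoy lines sharing the bucket, one with a zero count.
        decoys = ["0" * 35 + ":3", "F" * 35 + ":0"]
        return "\r\n".join(self.buckets.get(prefix, []) + decoys)


if __name__ == "__main__":
    server = FakeRangeServer({"password": 1234, "hunter2": 7})  # constructed counts
    for candidate in ("password", "hunter2", "a long unlikely passphrase 9341"):
        print(candidate, "->", times_seen(candidate, server.fetch))
    print("server saw only:", server.seen_requests)
```
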

It's a bit light on detail here, where can I get more info?

The design and build of this project has been extensively documented on troyhunt.com under the Have I Been Pwned tag. These blog posts explain much of the reasoning behind the various features and how they've been implemented on Microsoft's Windows Azure cloud platform.


Should I be worried if I have been pwned?

If your email account has been pwned, criminals can set it to automatically forward your messages to the attacker and to send malware, phishing scams, or spam. So check your settings and see if you find anything alarming.

Is it safe to put your email in Have I Been Pwned?

To find out if your own email address has been affected by a data breach, head to the Have I Been Pwned website. You'll need to enter your email address here – don't worry, there's no security threat to doing so: the site is run by Troy Hunt, a highly respected figure in the security industry.

What happens if my password has been pwned?

Pwned Passwords are hundreds of millions of real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.

Who is behind Have I Been Pwned?

Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

Is my email on the dark web?

If your data is available on the dark web, one of the easiest ways to find out is to check the “Have I Been Pwned” (HIBP) website. It's a free service, and all you have to do is conduct a search using your email address or phone number.

How long before a breach is detected?

According to a new report by Blumira and IBM, the average breach lifecycle takes 287 days, with organizations taking 212 days to initially detect a breach and 75 days to contain it.

Can you get hacked by just opening an email?

This routine activity provides a gateway for malicious hackers to take control of your computer. By simply opening or clicking a link in an email you can have your passwords changed, bank accounts hacked and identity stolen.

What is the most pwned password?

According to the NCSC list, the five most commonly hacked passwords, by number of users, are:
  • 123456 (23.2 million users)
  • 123456789 (7.7 million users)
  • Qwerty (3.8 million users)
  • Password (3.6 million users)
  • 1111111 (3.1 million users)

What happens if a scammer has your email address?

One of the major risks of scammers having your email address is that they'll use it to hack into your other online accounts. With your email address, they can request password resets, try entering your other passwords that have been leaked online, and even break into your email account.

Do people still use pwned?

People do still use the word online in its original meaning — just search for it on your preferred social media site — but, in truth, its popularity simply ebbed away in time. Such is the fate of most jargon, of course.

Did my phone get hacked?

A potential telltale sign that your phone has been hacked is the appearance of new apps that you didn't download, along with spikes in data usage that you can't account for. Likewise, if you see calls in your phone bill that you didn't make, that's a warning as well.

What are the first signs of being hacked?

How to know if you've been hacked
  • You get a ransomware message.
  • You get a fake antivirus message.
  • You have unwanted browser toolbars.
  • Your internet searches are redirected.
  • You see frequent, random popups.
  • Your friends receive social media invitations from you that you didn't send.
  • Your online password isn't working.

Can I check if my data has been breached?

The Better Business Bureau provides these tips to avoid Data Breach scams: Check to see if you've been affected. Visit the company website and watch your email for additional information on the breach. Oftentimes, the affected company will send emails to consumers that are impacted.

Can I get my info removed from the dark web?

Even though there's no way of removing your personal information from the dark web, once you know what information is exposed, you can take action to help protect yourself against identity theft.

Should I delete my email if it was found on the dark web?

Having your email exposed in a data leak is a good indication that it is present on the dark web. Unfortunately, if your email address has been compromised, there is nothing you can do to remove it from the dark web because it is impossible to track down the person responsible for it and ask them to remove your data.

Can I remove my email from dark web?

Unfortunately, once your info is on the dark web, there's nothing you can do to remove it. But you can beef up your personal data security to ensure that anyone who has that information won't pose a threat to you.

What do black hat hackers do?

A black hat hacker is typically one that engages in cybercrime operations and uses hacking for financial gain, cyber espionage purposes or other malicious motives, like implanting malware into computer systems.

How long do cyber attacks last?

As of the fourth quarter of 2021, the average length of interruption after ransomware attacks on businesses and organizations in the United States was 20 days.
Average duration of downtime after a ransomware attack from 1st quarter 2020 to 4th quarter 2021:
Characteristic | Average length of interruption in days
Q1 2020 | 15

How do you determine breach?

In order to collect on a breach of contract, you must be able to demonstrate that you have been harmed in some way. You must be able to show that, because of the other party's material breach of the contract, you will either lose money, lose some opportunity, or suffer some other identifiable harm.

Can someone hack your email without a password?

Your email account can act as a gateway into other accounts. The hacker can simply click “forgot password” at login and have a password reset link sent right to your email inbox, which they now control.

Can your phone get hacked by opening a text message?

Even before you open a message, the phone automatically processes incoming media files -- including pictures, audio or video. That means a malware-laden file can start infecting the phone as soon as it's received, according to Zimperium, a cybersecurity company that specializes in mobile devices.

What happens if you accidentally open a spam text?

Clicking on a link from a spam text could take you to a fake website explicitly set up to steal your money or personal information. In some cases, the website could infect your phone with malware, which may spy on you and slow down your phone's performance by taking up space on your phone's memory.

What is the number 1 used password?

This is a list of the most common passwords, discovered in various data breaches.
National Cyber Security Centre.

Can 1 password get hacked?

1Password has never been hacked

We know how important your data is, and it's on us to make sure it stays completely safe from prying eyes.

What is the number 1 most used password?

The most popular password is "password," which was reportedly chosen by nearly 5 million users, while other commonly used passwords include "123456," "123456789," and "guest", according to the report.

Can someone hack my phone with my email address?

If you happen to use your name in your email address, your primary email address to sign up for iCloud/Google, and a weak password that incorporates personally identifiable information, it wouldn't be difficult for a hacker who can easily glean such information from social networks or search engines.

What information does a scammer need to access my bank account?

The easiest way to become a victim of a bank scam is to share your banking info — e.g., account numbers, PIN codes, social security number — with someone you don't know well and trust. If someone asks for sensitive banking details, proceed with caution.

What can a scammer do with my email and phone number?

Once they have your number, the bad guys can clean out your financial accounts, confiscate your email, delete your data and take over your social media profiles.

When did pwned become a thing?

Pwn's debut into the mainstream. Leetspeak and hacker jargon seeped into mainstream internet culture in the late 1990s and early 2000s.

Is Have I Been Pwned passwords safe?

It's safe. It doesn't rely on passwords - you put in your email address and it checks against a database of email addresses associated with known breaches. It doesn't actually reveal (or even search) passwords. So you're not putting a password into the search, you're putting an email address.

Can you Unhack your phone?

Use the phone's built-in antivirus to remove any offending apps. Some Android manufacturers pre-install security apps that will allow you to remove any hacking apps from your device without the need to install anything else.

Will resetting phone remove hackers?

Reset your phone

The majority of malware can be removed with a factory reset of your phone. This will, however, wipe any data stored on your device, such as photos, notes, and contacts, so it's important to back up this data before resetting your device. Follow the instructions below to reset your iPhone or Android.

What can a hacker see on your phone?

Hackers can use keyloggers and other tracking software to capture your phone's keystrokes and record what you type, such as search entries, login credentials, passwords, credit card details, and other sensitive information.

What is the most common way to get hacked?

Here are the most common ways that computers are hacked:
  • Phishing emails. Phishing emails are designed to get you to click a malicious link or divulge private information. ...
  • Spam emails. ...
  • Fake websites. ...
  • Through social media pages. ...
  • Advert hijacking. ...
  • Fake software. ...
  • Trojan horse malware.

Can hackers see you?

On top of that, popular app developers aren't immune to accusations of watching you through your phone's camera. Generally, however, a stalker would need to install spyware on your device in order to compromise it. Hackers can gain access to your phone physically, through apps, media files, and even emojis.

What do hackers look for when they hack?

The goal might be financial gain, disrupting a competitor or enemy, or theft of valuable data or intellectual property. Their clients might be nation-states, companies interested in corporate espionage, or other criminal groups looking to resell what the hackers steal.

Can hackers recover deleted data?

Deleted files are at risk

Cybercriminals and hackers can gain access to personal information stored in your computer even after you think you've deleted the files. This includes everything from financial documents to scanned images. If you think those files are gone because they've been deleted, think again.

Is accidentally deleting data a breach?

Examples of personal data breaches include: Human error, for example an email attachment containing personal data being sent to the incorrect recipient or records being deleted accidentally.

What happens if hackers steal your data?

With stolen data criminals can target company personnel to give sensitive information or to trick them to make payments. Such phishing attacks targeted against a specific individual are called spear-phishing. Criminals can also try to gain access to company networks to spy on them and infect them with malware.

Is Have I Been Pwned legitimate?

Is "Have I Been Pwned?" legit? Yes, it is. To date, HIBP has been around for almost a decade, and through the years, it has only proven itself to be an essential tool for everyday internet users, governments, and organizations alike.

What does it mean if I am pwned?

The word "pwned" has origins in video game culture and is a leetspeak derivation of the word "owned", due to the proximity of the "o" and "p" keys. It's typically used to imply that someone has been controlled or compromised, for example "I was pwned in the Adobe data breach".

Can I tell if my email has been hacked?

How Do I Know if My Email Has Been Hacked? You can't sign into your email account. Hackers will often lock you out of your account as soon as they get access. If your normal email password isn't working, there's a good chance you've been hacked. There are strange messages in your “Sent” folder.

How did the Wattpad breach happen?

The Wattpad breach

On July 14, 2020, our research team discovered that a threat actor shared a compromised database allegedly originating from Wattpad. The leaked database included more than 270 million records with more than 268 million unique email address and password combinations.

How does a data breach affect me?

Breach impacts

Data breaches hurt both individuals and organizations by compromising sensitive information. For the individual who is a victim of stolen data, this can often lead to headaches: changing passwords frequently, enacting credit freezes or identity monitoring, and so on.


Author: Prof. Nancy Dach

Last Updated: 02/02/2023