Security Privacy Breach Detection

How to Check If Your Email Has Been Breached (2026 Guide)

11 min read dontpoke
How to Check If Your Email Has Been Breached (2026 Guide)

How to Check If Your Email Has Been Breached (2026 Guide)

Your email address is the key to your digital life. It’s tied to your bank accounts, social media profiles, shopping accounts, and work systems. When hackers steal databases from companies, your email—and often your password—ends up for sale on the dark web.

The good news: You can check if your email has been compromised in under 30 seconds.

The bad news: If you’ve had an account online for more than 5 years, there’s a 70% chance you’re in at least one breach database.

This guide shows you exactly how to check, what to do if you’ve been breached, and how to protect yourself going forward.

What is an Email Breach?

An email breach happens when hackers steal a company’s user database and leak it publicly (or sell it privately). These databases typically contain:

  • Email addresses
  • Passwords (sometimes hashed, sometimes plaintext)
  • Usernames
  • Personal information (names, addresses, phone numbers)
  • Security question answers
  • Payment card details (in some cases)

Famous examples:

  • Yahoo (2013): 3 billion accounts compromised
  • LinkedIn (2012): 165 million emails and passwords leaked
  • Adobe (2013): 153 million user records stolen
  • Facebook (2019): 533 million phone numbers and email addresses leaked

Once your email appears in a breach, it’s public forever. Hackers use these databases to:

  • Try your password on other sites (credential stuffing)
  • Send targeted phishing emails
  • Sell your data to spammers
  • Impersonate you in scams

How to Check If Your Email Has Been Breached

Method 1: Use dontpoke.me Breach Scanner (Free)

The fastest way to check is with a dedicated breach scanning tool.

Step 1: Go to dontpoke.me/tools/breach-scanner

Step 2: Enter your email address (no signup required)

Step 3: Click “Check Email”

Results in 2 seconds:

  • No breaches found: Your email is clean (for now)
  • ⚠️ Breaches found: Shows which databases contain your email, when they were leaked, and what data was exposed

Privacy note: We don’t store your email or search history. The check happens, we show results, and we forget you existed.

Free tier: 3 searches per day
Pro tier: Unlimited searches + automatic monitoring + alerts when new breaches appear

Method 2: Check Have I Been Pwned

Have I Been Pwned (HIBP) is the gold standard breach database, maintained by security researcher Troy Hunt.

How to use it:

  1. Go to haveibeenpwned.com
  2. Enter your email
  3. Click “pwned?”
  4. Review results

What you’ll see:

  • List of breaches your email appears in
  • Date of each breach
  • What data was compromised

Limitation: HIBP doesn’t monitor your email automatically on the free tier. You have to manually check.

Method 3: Check Individual Services

Some services offer their own breach notification tools:

Google: passwords.google.com/checkup
Shows if any saved passwords were found in breaches

Firefox Monitor: monitor.firefox.com
Free email breach monitoring

Apple: Settings → Passwords → Security Recommendations
Shows compromised passwords on iOS/macOS

Limitation: These only work if you use their password manager.

What to Do If Your Email Has Been Breached

Found yourself in a breach? Don’t panic. Here’s your action plan:

Immediate Actions (Do This Today)

1. Change Your Password Everywhere

The breach database includes your password. Assume it’s compromised.

Priority 1 (change immediately):

  • Banking and financial accounts
  • Email accounts (Gmail, Outlook, etc.)
  • Work accounts
  • Social media (especially if linked to other accounts)

Priority 2 (change within 24 hours):

  • Shopping accounts (Amazon, eBay, etc.)
  • Subscription services (Netflix, Spotify, etc.)
  • Any account with payment information

How to create a strong password:

  • Minimum 12 characters (longer is better)
  • Use a passphrase: correct-horse-battery-staple
  • Never reuse passwords across sites
  • Use a password manager (Bitwarden, 1Password, KeePass)

Using a password manager to create unique passwords

DON’T do this:

  • P@ssw0rd123 (common pattern, easily cracked)
  • ❌ Reusing the same password with slight variations
  • ❌ Using personal information (birthdays, pet names, etc.)

2. Enable Two-Factor Authentication (2FA)

2FA adds a second security layer beyond your password.

Best 2FA methods (in order of security):

  1. Hardware keys (YubiKey, Google Titan) - best security
  2. Authenticator apps (Google Authenticator, Authy) - good balance
  3. SMS codes (better than nothing, but vulnerable to SIM swapping)

Enable 2FA on (minimum):

  • Email accounts
  • Banking
  • Social media
  • Work accounts
  • Any account with payment information

Setting up two-factor authentication for email security

How to enable:

  • Google: myaccount.google.com/security
  • Facebook: Settings → Security → Two-Factor Authentication
  • GitHub: Settings → Password and authentication
  • Most sites: Settings → Security → Two-Factor Authentication

3. Check Your Accounts for Suspicious Activity

Hackers may have already accessed your accounts.

What to look for:

  • Unrecognized logins (check login history)
  • Password reset emails you didn’t request
  • Purchases you didn’t make
  • Messages sent from your account you didn’t write
  • New email filters or forwarding rules (common in email compromises)

Where to check:

  • Gmail: Click your profile → Manage your Google Account → Security → Your devices → Manage devices
  • Facebook: Settings → Security and login → Where you’re logged in
  • Amazon: Account → Login & security → Devices and activity

If you find suspicious activity:

  1. Log out all devices
  2. Change password immediately
  3. Review recent transactions
  4. Contact the service’s support team
  5. File a fraud report if money was stolen

4. Monitor Your Credit Reports

If the breach included personal information (SSN, address, DOB), identity theft is a risk.

Free credit monitoring:

  • AnnualCreditReport.com (official free source)
  • Check all 3 bureaus: Equifax, Experian, TransUnion
  • You’re entitled to 1 free report per bureau per year

What to look for:

  • Accounts you didn’t open
  • Hard inquiries you didn’t authorize
  • Address changes you didn’t make

If you find fraud:

  1. Place a fraud alert (free, lasts 1 year)
  2. Freeze your credit (free, blocks new accounts)
  3. Dispute fraudulent accounts with credit bureaus
  4. File FTC identity theft report: identitytheft.gov

Long-Term Protection

1. Use a Password Manager

Stop reusing passwords. A password manager generates and stores unique passwords for every site.

Recommended options:

  • Bitwarden (free, open source)
  • 1Password (paid, excellent UX)
  • KeePass (free, offline)

How it works:

  • You remember 1 master password
  • The manager generates random passwords for every site
  • It auto-fills login forms
  • If one site gets breached, only that password is compromised

2. Set Up Breach Monitoring

Don’t wait to find out you’ve been breached.

Free options:

  • Firefox Monitor (email alerts)
  • Google Password Checkup (if you use Chrome)

Paid options (automatic monitoring + faster alerts):

  • dontpoke.me Pro ($12/month) - unlimited checks + instant alerts
  • HIBP Domain Search (for businesses)

What monitoring does:

  • Checks your email against new breach databases daily
  • Alerts you within 24 hours of a new breach
  • Tells you exactly what data was exposed
  • Reminds you to change passwords

3. Use Unique Email Aliases

Make breaches easier to track by using different email addresses for different services.

Methods:

Gmail Plus Addressing:

Email Aliasing Services:

  • SimpleLogin (free tier available)
  • AnonAddy (free tier available)
  • Firefox Relay (free, limited aliases)

How it works:

  • Service generates random aliases (e.g., [email protected])
  • Emails forward to your real address
  • If an alias gets compromised, delete it without changing your real email

4. Be Skeptical of Emails

Hackers use breach data to send convincing phishing emails.

Red flags:

  • Urgent language (“Your account will be closed!”)
  • Requests for passwords or personal information
  • Suspicious sender addresses (check carefully - paypa1.com vs paypal.com)
  • Generic greetings (“Dear customer” instead of your name)
  • Unexpected attachments or links

When in doubt:

  • Don’t click links in emails
  • Go directly to the website (type the URL yourself)
  • Call the company using a number from their official website
  • Check the sender’s email address carefully

How Often Should You Check?

Minimum: Once every 3 months

Better: Once per month

Best: Set up automatic monitoring (Pro tier on dontpoke.me or Firefox Monitor)

Why regular checks matter: New breaches are discovered every week. A breach from 2015 might only surface publicly in 2026. The sooner you know, the sooner you can protect yourself.

What If I Have Multiple Email Addresses?

Check all of them:

  • Personal email
  • Work email
  • Old emails you don’t use anymore
  • Throwaway emails for signups

Old emails are especially risky because:

  • You’re not monitoring them
  • Password resets can be sent there
  • Hackers can take over the account and use it to reset passwords elsewhere

If you find an old email in a breach:

  1. Log into that account (if you still can)
  2. Change the password
  3. Check what services are linked to it
  4. Update those services to use your current email
  5. Enable 2FA
  6. Consider closing the old account

Common Questions

“If I’m in a breach, can I get my data removed?”

No. Once a database is leaked, it’s public forever. It gets copied across thousands of hacker forums and paste sites.

What you can do:

  • Change your passwords (makes the leaked password useless)
  • Enable 2FA (even if they have your password, they can’t get in)
  • Monitor for suspicious activity

“Should I create a new email address?”

Probably not. Changing your email is a huge hassle (updating hundreds of accounts).

Better approach:

  • Keep your current email
  • Change all passwords to unique values
  • Enable 2FA everywhere
  • Set up breach monitoring

When to get a new email:

  • Your email is actively being used for spam/phishing
  • You can’t secure your current email (forgot password, lost access, etc.)
  • You want to separate personal and work identities

“What about phone number breaches?”

Phone numbers appear in breaches too (especially Facebook’s 2019 leak).

Risks:

  • SIM swapping attacks (hijacking your phone number)
  • Targeted phishing via SMS
  • Spam calls

Protection:

  • Enable PIN protection with your carrier (prevents unauthorized SIM swaps)
  • Don’t use SMS for 2FA if you can avoid it (use authenticator apps instead)
  • Be skeptical of unexpected texts

“Can I sue the company that got breached?”

Maybe. Some breach victims have successfully sued in class action lawsuits.

Reality:

  • Most settlements pay $1-50 per person
  • You need to prove actual damages
  • It takes years
  • Companies often have liability protections in their Terms of Service

Better use of time: Secure your accounts and move on.

Breach Statistics (2026)

  • 12 billion+ account credentials available in breach databases
  • 70% of people reuse passwords across multiple sites
  • Over 3,000 data breaches reported in 2025 alone
  • Average time to detect a breach: 207 days (you’re compromised for months before anyone notices)

Translation: If you have accounts online, you’re probably in a breach database. The question is whether you know about it yet.

Tools for Checking Email Breaches

Tool Free Tier Monitoring Speed Privacy
dontpoke.me 3/day ✅ Pro tier <2 sec ✅ No logs
Have I Been Pwned Unlimited ❌ (paid) ~5 sec ✅ Trusted
Firefox Monitor Unlimited ✅ Free ~10 sec ✅ Mozilla
Google Password Checkup Unlimited ✅ Free Instant ⚠️ Google account required

Next Steps

Right now (5 minutes):

  1. Check your email at dontpoke.me/tools/breach-scanner
  2. Change passwords for any breached accounts
  3. Enable 2FA on critical accounts (email, banking, social media)

This week:

  1. Set up a password manager
  2. Check your credit reports
  3. Set up breach monitoring

This month:

  1. Review all your accounts and update weak passwords
  2. Enable 2FA everywhere it’s offered
  3. Consider email aliasing for new signups

Staying safe isn’t about being paranoid. It’s about being informed and taking basic precautions.

Additional Resources

About dontpoke.me: We’re a privacy-focused OSINT toolkit for security researchers. Our breach scanner checks 12 billion+ compromised accounts with zero tracking and zero data retention. Try it free →

Last updated: February 22, 2026