Data Breach Checker
Check if your password has appeared in known data breaches using k-anonymity.
Privacy Protected (k-Anonymity)
Only the first 5 characters of your password's SHA-1 hash are ever sent. Your actual password and full hash stay in your browser.
How to use Data Breach Checker
Enter your password in the input field
Locate the text box labeled 'Enter Password to Check' on the main page. Click inside the field and type your password. The field accepts up to 128 characters. Do not paste or share your actual passwords with anyone else.
Click the 'Check Password' button
After entering your password, locate the blue 'Check Password' button directly below the input field. Click it once. The tool will begin processing your request immediately without storing any data.
Review your breach status results
Within 2-3 seconds, results will display below the button. A green checkmark with 'Safe' means your password was not found in known breaches. A red warning with 'Compromised' means change your password immediately on affected accounts.
Check additional breaches if needed
To check another password, clear the input field using the 'X' icon or select all text and delete it. Enter your next password and click 'Check Password' again. You can perform unlimited checks without registration.
Related Tools
Data breach checker: see if your email was exposed without risking your privacy
Data breach checker: see if your email was exposed without risking your privacy
Have you ever wondered whether your email address was part of a data breach? Use the data breach checker on ToolHQ to check your email against known breach databases without sending your full email address anywhere.
Data breaches happen constantly. Websites, apps, and services you signed up for years ago may have been hacked, and your credentials may be sitting in attacker databases or publicly leaked files. Checking lets you know if you need to change passwords on any accounts.
Only a partial hash of your email is queried. Your full email address is never transmitted.
Key Takeaways
- Check whether your email appears in known data breach databases
- Privacy-protected: only the first 5 characters of your email's SHA-1 hash are sent, never your full email
- Breach data comes from haveibeenpwned.com, the largest public breach database with 17B+ accounts
- If you find a breach, change the password on that service and any others where you reused it
- No account or sign-up required
How the breach check works without exposing your email
Most people assume that checking whether their email was breached requires sending their email to a third-party server. ToolHQ's data breach checker uses a cryptographic technique called k-anonymity to check breach databases without ever transmitting your full email address.
Here is how it works:
- Your email is hashed locally. When you enter your email, it is converted into a SHA-1 hash, a fixed-length string of characters that represents the email mathematically. For example,
user@example.combecomes a 40-character hash. - Only the first 5 characters of that hash are sent. The tool sends just the first 5 characters of your hash to the breach database API. These 5 characters match thousands of different email addresses, so the API cannot determine which specific email you are checking.
- The API returns a list of matching hashes. The server responds with all hashes that start with those 5 characters, none of which are full email addresses.
- Your browser checks locally. Your device compares your full hash against the returned list to see if your email appears. No full email or full hash ever leaves your device.
This approach was developed for the Have I Been Pwned API, which uses this k-anonymity model to let anyone check breach exposure without ever sending an identifiable email address to the server.
According to Wikipedia's data breach article, a data breach is the unauthorized access and retrieval of sensitive information by an individual, group, or software system. Breaches typically expose names, email addresses, passwords (often hashed), phone numbers, and sometimes payment information or ID numbers.
What happens in a data breach
Understanding what gets exposed helps you know how serious a breach is and what action to take.
Common data types exposed in breaches
| Data type | How it's stored (best case) | Risk if leaked |
|---|---|---|
| Email addresses | Plain text | Phishing, spam, targeted attacks |
| Passwords | Bcrypt/scrypt hash (good) or MD5/plain (bad) | Account takeover if weak or reused |
| Phone numbers | Plain text | SIM swapping, SMS phishing |
| Names and addresses | Plain text | Identity fraud |
| Credit card numbers | Should be tokenized | Financial fraud |
| Security questions | Often plain text | Account recovery attacks |
When a service stores passwords in bcrypt or scrypt hashes, cracking individual passwords is computationally expensive. When passwords are stored in MD5 hashes or plain text, they can be cracked or used directly within hours of a breach. If a site you used had poor password storage, assume your password was compromised regardless of how strong it was.
Why checking your breach exposure matters
Password reuse is the biggest risk. If you used the same password on a breached site as on your email, bank, or work accounts, attackers can log into those accounts directly. This is called credential stuffing and it is the leading cause of account takeovers. Checking breach exposure is the first step toward identifying which accounts need new passwords.
Old accounts you forgot about. You may have signed up for services years ago that have since been breached, services you no longer actively use but whose email-password combination is now public. Those credentials may still work on other sites where you reused the password.
Business security audits. Security teams routinely check employee email addresses against breach databases to find which accounts may have been compromised through third-party breaches, which is a common initial access vector for attackers.
Peace of mind with new context. Knowing which specific breaches your email appeared in tells you which service was compromised, approximately when, and what data type was exposed. That context helps you prioritize which accounts need immediate attention.
Take Sophie, who used the same password on dozens of services for several years, something she was aware was a bad habit but kept meaning to fix. She ran her email through the data breach checker and found it appeared in 11 breaches from six different services over the past decade, including a 2019 breach from a travel booking site that exposed passwords in a weakly hashed format. She had not used that site in years but still used the same password on three other accounts. She changed all three immediately and started using a password manager. The breach checker turned an abstract concern into a specific, actionable list.
Check your email for breaches now
How to use the ToolHQ data breach checker
Checking takes under 30 seconds.
- Enter your email address. Type or paste the email you want to check into the field.
- Submit. The tool hashes your email locally and queries the breach database using only the first 5 characters of the hash.
- Review results. If your email appears in breach data, you will see a list of breaches, including the service name, breach date, and what data types were exposed.
- Take action. See the action checklist below for what to do if you find a breach.
Only a partial hash of your email is queried. Your full email address is never transmitted. No account is needed.
For related tools, the password generator creates strong replacement passwords. The password strength checker evaluates how resistant your new passwords are to cracking. The hash generator lets you explore SHA-1 and other hashing functions directly.
What to do if your email appears in a breach
Finding your email in a breach database is not a crisis, but it does require action. Here is a practical checklist.
Immediately:
- Change the password on the breached service, even if you no longer use it
- Change the password on any other service where you used the same or similar password
- Check your email account for suspicious login activity
If the breach exposed passwords:
- Assume the password is compromised, regardless of how it was stored
- Audit every account that shared that password and update all of them
- Enable two-factor authentication (2FA) on your most important accounts: email, banking, work
If the breach exposed payment information:
- Check recent transactions on linked cards
- Consider requesting a new card number from your bank
Going forward:
- Use a password manager to generate and store unique passwords for every site
- Enable 2FA on all accounts that support it, prioritizing email and financial accounts
- Run a breach check periodically, not just once
Marcus was a freelance developer who ran a security workshop for a small nonprofit. Before the workshop, he asked 12 participants to check their personal email addresses in the data breach checker. Ten of the twelve found at least one breach. Four found five or more. Several were surprised to see services they had forgotten using years ago. The exercise turned an abstract security lecture into immediate, personal action: every participant changed at least one password before the workshop ended.
Frequently asked questions
Is it safe to enter my email into a breach checker?
Yes, when the tool uses k-anonymity. ToolHQ's breach checker never sends your full email address. It sends only the first 5 characters of your email's SHA-1 hash, which cannot be reversed to identify your email.
Where does the breach data come from?
The breach database is powered by Have I Been Pwned (HIBP), the largest publicly available breach database, which tracks 17 billion+ compromised accounts across 1,000+ known breaches and data exposures.
What does it mean if my email appears in a breach?
It means your email address was included in data that was stolen or leaked from a specific service. Depending on what was exposed (password, phone number, name), you may need to change your password, monitor your accounts, or update personal information.
Can I check someone else's email?
You can only effectively act on results for your own email. Checking another person's email without their permission may be inappropriate depending on context.
What if I use multiple email addresses?
Check each one separately. Different email addresses may appear in different breaches depending on which services you signed up for with each one.
The short version
Data breaches are inevitable, but their impact depends on what you do next. The ToolHQ data breach checker tells you whether your email has been exposed, which services were breached, and what data types were compromised, using a k-anonymity model that never sends your full email address anywhere.
Check your email, review the results, and update any passwords that were exposed.
Check your email for breaches now
If you find breaches, the password generator creates strong replacements immediately. The password strength checker helps you verify they are hard to crack.