# Is Have I Been Pwned safe to use?

> Have I Been Pwned is safe to use: it never logs your searches, and the password checker uses k-anonymity so your password never leaves your device.

Yes, Have I Been Pwned (HIBP) is safe to use. Checking an email address only searches an index of already-public breach data — it does not add you to any list, and [the site's FAQ states that "nothing is explicitly logged by the website"](https://haveibeenpwned.com/FAQs). The password checker goes further: it uses a privacy technique called k-anonymity so your actual password never leaves your browser.

The service was created by security researcher Troy Hunt in December 2013 after the Adobe breach exposed 153 million accounts, and it has become the reference tool the security industry uses to answer one question: has this address or password already turned up in a known data breach?

## Quick Takeaways

- Have I Been Pwned is a free service that checks an email address or password against billions of accounts exposed in known [data breaches](/learning/darkwebactivityimpact).
- Searching your email does not expose you further — the data is already public, and the site says it does not log searches.
- The password checker never sends your password: it hashes it locally and transmits only the first five characters of that hash (k-anonymity).
- All lookups run over an encrypted HTTPS connection, so nobody watching the network sees what you searched for.
- Sensitive breaches and full domain-wide results are hidden until you verify you own the address or domain.
- A hit means your credentials are circulating; the fix is to change the password, enable MFA, and watch for [phishing](/learning/what-is-phishing) that reuses the leaked data.

## What is Have I Been Pwned?

Have I Been Pwned is a search engine for stolen data. When a company suffers a breach and the stolen records leak, Hunt collects the exposed email addresses (and sometimes other fields) and loads them into a searchable index. You type in your address, and HIBP tells you which breaches it appeared in and what data each one exposed — passwords, phone numbers, dates of birth, and so on.

The important thing to understand is that HIBP is a *mirror* of data that is already loose on the internet. It does not hack anyone or scrape private systems. Everything in the index came from a breach that already happened, and the raw data is typically already being traded on criminal forums and the [dark web](/learning/darkwebactivityimpact) before HIBP ever indexes it. Looking yourself up is strictly a read: it tells you what attackers may already know.

## Is it safe to enter your email address?

Yes. Entering your email to run a breach check is safe for three concrete reasons:

- **You are not revealing anything new.** If your address is in the index, it is because a breach already exposed it. Searching does not leak it to anyone; the data escaped long before you looked.
- **Searches are not stored.** Per the site's FAQ, ordinary searches are not logged, and every lookup travels over an encrypted connection, so an eavesdropper on the network cannot see what you typed.
- **The notify feature is opt-in and minimal.** If you subscribe to breach alerts, the service stores only your email address, the subscription date, and a verification token — not a profile of you.

There is one sensible caution: only use the real site at `haveibeenpwned.com`. Attackers set up lookalike "breach checker" pages to harvest addresses and push scareware, which is the same trick behind many [fake-email scams](/learning/how-can-you-spot-fake-emails-and-protect-yourself-from-scams). Type the domain yourself rather than clicking a link from an email.

## How does the Pwned Passwords check keep your password private?

This is the part people worry about most, and it is the part HIBP engineered most carefully. When you check a password, the tool **never sends the password itself** and never sends the full hash of it. Instead it uses a model called *k-anonymity*, built for HIBP by Junade Ali in 2018 and now used by password managers and browser breach checkers alike. The flow works like this:

- Your browser hashes the password locally with SHA-1.
- It sends only the **first five characters** of that hash to the API — nothing more.
- The service returns every leaked-hash suffix that starts with those five characters (often hundreds of them).
- Your browser compares the rest of your hash against that list *on your device* to see whether it matches.

Because the server only ever sees a five-character prefix shared by thousands of different passwords, it cannot tell which password — or even which of the returned hashes — you were checking. The response is padded so its size doesn't give the answer away either. [Cloudflare, which powers the range API, documented the design in detail](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/). It is the same privacy-preserving approach that lets [IT teams check for credential exposure](/learning/how-can-it-teams-prevent-credential-theft) without ever transmitting a live password.

## How does Have I Been Pwned get its breach data?

HIBP loads data from breaches that have already been made public or shared with Hunt by researchers and, in some cases, the breached organisations themselves. Each breach entry lists the date, the number of accounts, and exactly which data classes were exposed, so you can judge the real risk rather than guess.

Two categories get extra handling for privacy:

- **Sensitive breaches** — from sites where mere membership is damaging — are not publicly searchable. You can only see them after signing in and verifying that you own the address.
- **Domain-wide search**, which lists every breached address under a domain you control, requires you to prove you own that domain first. This is the feature MSPs use to check a whole client tenant at once, and it is why simply owning a domain isn't enough to peek at someone else's.

## What should you do if your email shows up in a breach?

A hit is common and not a cause for panic, but it does call for action:

- **Change the password on the breached site**, and change it anywhere you reused it. Reuse is what turns one breach into an account-takeover spree.
- **Turn on multi-factor authentication** so a leaked password alone can't unlock the account.
- **Expect targeted phishing.** Leaked details make convincing lures, so stay alert for messages that reference real data about you — a hallmark of [spear phishing](/learning/what-is-spear-phishing) and [email spoofing](/learning/what-is-email-spoofing-and-how-can-you-prevent-it).
- **For a business domain**, treat a breach as a signal to audit exposure. When employee addresses leak, attackers try to impersonate your domain next.

That last point is where Palisade fits. HIBP tells you *which* addresses have been exposed; Palisade automates [DMARC](/learning/what-is-dmarc) enforcement so those exposed addresses can't be trivially spoofed to attack your staff and customers. Run your domain through the free [Email Security Score](/tools/email-security-score) to see whether an attacker could impersonate you today — the natural next step after a breach check tells you the credentials are already out there.

## Frequently asked questions

### Is Have I Been Pwned free?

Yes. Checking an email address or password is free for anyone, and breach notifications are free to subscribe to. There is a paid API tier for automated, high-volume lookups, but the manual web search most people use costs nothing.

### Can Have I Been Pwned steal my password?

No. The password checker is designed so the password never reaches the server — only the first five characters of its SHA-1 hash are sent, and the match happens in your browser. Even a fully compromised server would only see a hash prefix shared by thousands of unrelated passwords.

### Does searching add me to a spam or marketing list?

No. A search is a one-off lookup that isn't logged, and you are only ever emailed if you explicitly subscribe to breach notifications, which stores just your address and a verification token.

### What does "pwned" actually mean?

"Pwned" is internet slang for "owned" — compromised or taken over. In HIBP's context it means your account details appeared in a known data breach, so a criminal may already hold them.

## Related reading

- [How can MSPs secure clients after a 10-billion-password breach?](/learning/how-can-msps-secure-clients-after-10b-password-breach)
- [How does dark web activity threaten organizations?](/learning/darkwebactivityimpact)
- [How can IT teams prevent credential theft?](/learning/how-can-it-teams-prevent-credential-theft)
