I check HaveIBeenPwned every month, and I have found my own email address in seven separate breach databases over the years. My phone number showed up in the Facebook leak. An old password from 2018 was circulating on a dark web paste site. If you have been online for more than a few years, some of your data is out there too – the only question is how much and what you do about it.
This guide walks you through exactly how to check, what each type of breach means, and the step-by-step recovery plan I follow every time I find something new.
For broader protection strategies, see our Best Identity Theft Protection 2026 guide. And if you want to lock down the passwords that breaches most commonly expose, our Best Password Managers 2026 roundup will help you choose the right tool.
Step 1: Check Your Email on HaveIBeenPwned
The first and easiest step is to visit HaveIBeenPwned.com (HIBP), created by security researcher Troy Hunt. HIBP maintains a database of over 14 billion breached accounts collected from publicly disclosed data breaches, making it the most comprehensive free breach-checking tool available.
How to use it
- Go to haveibeenpwned.com
- Enter your email address in the search box
- Click “pwned?” to check
Within seconds, HIBP will tell you whether your email address appears in any known data breaches. If it does, you will see a list of breaches that included your email, along with details about what data was exposed in each incident (passwords, phone numbers, physical addresses, etc.).
Check all your email addresses
Most people have multiple email addresses: a primary personal email, a work email, an older email they used years ago, and possibly addresses from providers like Yahoo or Hotmail that have suffered massive breaches. Check every email address you have ever used. Older addresses that you no longer monitor are often the most vulnerable because breached credentials from those accounts may still unlock other services where you reused the same password.
Check your passwords too
HIBP also offers a Passwords search that lets you check whether a specific password has appeared in any known breach. This check uses a k-anonymity model, meaning your full password is never transmitted to the server. Only a partial hash is sent, and the comparison happens locally. If any of your current passwords appear in this database, change them immediately; they are actively being used in credential-stuffing attacks.
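To make the k-anonymity model concrete, here is an added example (not code from HIBP or from this guide) that walks through both sides of the range check: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and compares the returned suffixes on its own machine. The server below is a constructed stand-in that indexes a few made-up leaked passwords; the real endpoint at https://api.pwnedpasswords.com/range/<prefix> returns the same `SUFFIX:COUNT` line format.

```python
"""k-anonymity range check in the style of HIBP Pwned Passwords (added example)."""
import hashlib
from collections import defaultdict

# Constructed breach corpus for this demo: password -> times seen in breaches.
# These values are made up; nothing here is real breach data.
CONSTRUCTED_LEAKED = {"password": 9_000_000, "letmein": 120_000, "Summer2018!": 42}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Server side (constructed): group known digests by their 5-hex-char prefix."""
    index = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def range_endpoint(prefix: str) -> str:
    """Server side (constructed stand-in for GET /range/{prefix}).

    The server sees only these 5 hex characters (20 bits of a 160-bit digest),
    so it cannot tell which of the many matching passwords the client holds.
    It answers with every known suffix under that prefix, one per line.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def pwned_count(password: str, fetch_range=range_endpoint) -> int:
    """Client side: hash locally, transmit only the prefix, match suffixes locally.

    Returns the breach count for the password, or 0 if it is not in the index.
    `fetch_range` is injectable so a caller can swap in a real HTTP request.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # only 'prefix' ever leaves the device
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the full 35-char comparison stays local
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Summer2018!", "a-unique-passphrase-nobody-has-leaked"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

Swapping `range_endpoint` for a function that performs the HTTP GET against the real API gives a working checker; the response parsing and the privacy property are identical.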
Step 2: Use a Dedicated Breach Monitoring Service
HaveIBeenPwned is excellent for manual spot checks, but it has limitations. It only indexes publicly disclosed breaches, it requires you to check manually, and it only searches by email address or password. Dedicated breach monitoring services go further by continuously scanning dark web forums, paste sites, and private marketplaces for a broader range of your personal information.
NordPass Breach Scanner
NordPass, the password manager from the team behind NordVPN, includes a Data Breach Scanner that checks your stored email addresses and passwords against known breach databases. It integrates directly with your password vault, so you can see at a glance which of your saved credentials have been compromised and need to be changed.
What makes the NordPass approach particularly useful is its integration with your existing password workflow. When a breach is detected, you can update the affected password directly within NordPass and generate a strong replacement in the same action. There is no separate app to check and no manual process to follow.
NordPass also provides a Password Health dashboard that identifies weak passwords, reused passwords, and old passwords across all your accounts. Combined with breach monitoring, this gives you a comprehensive view of your credential security posture. For more on creating truly secure passwords, see our guide on how to create strong passwords.
Surfshark Alert
Surfshark Alert, included in the Surfshark One bundle, provides continuous dark web monitoring for your email addresses, passwords, credit card numbers, and, in certain regions, Social Security numbers. When new breach data that includes your information appears on dark web marketplaces, Surfshark Alert sends you a real-time notification.
The service monitors both indexed breaches (similar to HIBP) and private dark web sources that are not accessible to free tools. In my testing, Surfshark Alert detected breach exposures from two private datasets that did not appear in HaveIBeenPwned, demonstrating the value of monitoring beyond public breach databases.
The Surfshark One bundle includes Alert alongside Surfshark VPN, Surfshark Antivirus, and Surfshark Search for $3.49 per month (billed annually), making it one of the most cost-effective ways to get breach monitoring along with VPN and antivirus protection. Read our Surfshark Review 2026 for a detailed look at the full bundle.
Bitdefender Digital Identity Protection
Bitdefender Digital Identity Protection takes a broader approach than most breach monitoring tools. Rather than only checking email addresses and passwords, it builds a comprehensive map of your digital footprint, including social media accounts, public records, data broker listings, and dark web exposures.
The service continuously scans for:
- Breached credentials: Email addresses, passwords, and usernames found in data breaches
- Dark web mentions: Your personal information appearing on dark web forums and marketplaces
- Social media exposure: Publicly visible personal information on your social media profiles that could be used for social engineering
- Data broker listings: Your information appearing in commercial data broker databases that sell personal data
When an issue is found, Bitdefender provides specific remediation steps tailored to the type of exposure. If a data broker is selling your information, it guides you through the removal request process. If a social media profile is oversharing, it tells you exactly which settings to change.
For a full analysis of Bitdefender’s security ecosystem, see our Bitdefender Review 2026.
Step 3: Understand What Was Exposed
Not all data breaches are equal. The severity of a breach depends on what types of data were exposed. Here is a breakdown of common breach data types and what each means for your security.
Email address only
Risk level: Low to moderate. Your email address will be used for spam and phishing campaigns. Expect an increase in unsolicited emails, some of which will attempt to steal your credentials through convincing fake login pages. The primary defense is vigilance and good phishing awareness. For detailed phishing prevention strategies, see our guide on how to protect yourself from phishing.
Email address and password
Risk level: High. This is the most common and most dangerous breach type. Attackers will use your email and password combination in credential-stuffing attacks, automatically trying the same credentials on hundreds of popular services including banking, email, shopping, and social media. If you reused the same password on multiple sites, all of those accounts are now compromised. This is the single strongest argument for using unique passwords on every account and a password manager to keep track of them.
Phone number
Risk level: Moderate to high. Your phone number will be used for SMS phishing (smishing), SIM swapping attacks, and robocall scams. In a SIM swap attack, a criminal convinces your mobile carrier to transfer your phone number to their SIM card, allowing them to intercept SMS-based two-factor authentication codes. This is why security experts now recommend authenticator apps over SMS for 2FA.
Financial information (credit card numbers, bank account details)
Risk level: Very high. Contact your bank and card issuer immediately. Request new card numbers and monitor your statements daily for unauthorized charges. Place a fraud alert on your credit report with all three bureaus (Equifax, Experian, and TransUnion). Consider a credit freeze, which prevents new accounts from being opened in your name entirely.
Social Security number or government ID
Risk level: Critical. This is the worst-case scenario. Your SSN or government ID can be used for identity theft, including opening credit accounts, filing fraudulent tax returns, and obtaining employment or government benefits in your name. Take immediate action: freeze your credit with all three bureaus, file an identity theft report with the FTC at IdentityTheft.gov, and consider enrolling in an identity theft protection service. Our Best Identity Theft Protection 2026 guide covers the leading services.
Medical information
Risk level: High. Medical identity theft can result in fraudulent insurance claims, incorrect entries in your medical records (potentially dangerous if they affect treatment decisions), and targeted scams. Contact your health insurance provider and request a copy of your medical records to check for unauthorized entries.
Step 4: Immediate Actions After Discovering a Breach
Here is your step-by-step recovery plan. Follow these actions in order, starting with the most critical.
1. Change compromised passwords immediately
If a breach exposed your password, change it on the affected service right now. Do not reuse the old password or any variation of it. Generate a new, unique password of at least 16 characters using a password manager. If you used that same password on other services (and this is exactly why you should never reuse passwords), change it on those services too.
A password manager like NordPass makes this process manageable. It identifies every account that shares a compromised password and lets you update each one with a strong, unique replacement.
2. Enable two-factor authentication (2FA)
Turn on 2FA for every account that supports it, prioritizing email, banking, and social media. Use an authenticator app (such as Google Authenticator, Authy, or the authenticator built into your password manager) rather than SMS-based codes. SMS 2FA is better than no 2FA, but it is vulnerable to SIM swapping attacks.
3. Check for unauthorized account access
Review the login activity for your critical accounts. Most services (Gmail, Facebook, Microsoft, Apple, Amazon) provide a page showing recent sign-ins, including locations and devices. If you see any sign-ins you do not recognize, revoke them immediately and change your password if you have not already.
4. Freeze your credit (if financial data or SSN was exposed)
Contact all three major credit bureaus to place a credit freeze:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
A credit freeze prevents anyone from opening new credit accounts in your name. It is free, it does not affect your credit score, and you can temporarily lift it when you need to apply for credit yourself. This is the single most effective action you can take to prevent identity theft after a breach involving financial data or your Social Security number.
5. Set up ongoing monitoring
Sign up for a breach monitoring service (NordPass, Surfshark Alert, or Bitdefender Digital Identity Protection) so you are alerted in real time if your data appears in future breaches. Waiting until you hear about a breach in the news means you are reacting days or weeks after attackers have already begun exploiting the stolen data.
6. File an identity theft report (if necessary)
If you have evidence that your identity has been misused, file a report at IdentityTheft.gov. This creates an official record and provides a personalized recovery plan. If financial fraud has occurred, also file a police report with your local law enforcement agency.
Step 5: Prevent Future Breaches from Hurting You
You cannot prevent companies from being breached. What you can do is structure your digital life so that any single breach causes minimal damage. Here is how.
Use unique passwords everywhere
This is the most important rule in personal cybersecurity. If every account has a unique password, a breach of one service cannot be used to access any other. A password manager makes this effortless. Our Best Password Managers 2026 guide and our comparison of 1Password vs Bitwarden will help you pick the right one.
Minimize the data you share
Every piece of personal information you provide to a service is data that can be leaked. Use a secondary email for non-essential accounts. Avoid providing your phone number, address, or date of birth unless it is strictly required. The less data a company holds on you, the less damage a breach can cause.
Use a VPN on public networks
Public Wi-Fi is a common vector for credential interception. A VPN encrypts your traffic and prevents network-level eavesdropping. For our current top picks, see Best VPN Services 2026.
Regularly audit your accounts
At least once per quarter, review which services have your personal data. Delete accounts you no longer use. Many breaches involve dormant accounts on services you forgot you signed up for years ago. The fewer active accounts you have, the smaller your attack surface.
Keep your devices secure
Make sure your computer and phone are running antivirus software with real-time protection. Malware like keyloggers and info-stealers can capture your credentials as you type them, bypassing even the strongest passwords. See our Best Antivirus Software 2026 guide for recommendations.
Stay informed
Follow breach notification sources like HaveIBeenPwned’s notification service (free email alerts when your address appears in a new breach) and reputable cybersecurity news outlets. The sooner you learn about a breach, the sooner you can act.
How Dark Web Monitoring Works
When a company is breached, stolen data typically follows a predictable path:
1. Initial breach: Attackers gain unauthorized access to a company’s database
2. Private trading: The data is sold or shared privately among criminal groups, often before the breach is publicly disclosed
3. Dark web marketplace listing: The data appears for sale on dark web marketplaces, typically within days to weeks
4. Wide distribution: As the data is resold and reshared, it spreads across multiple forums, paste sites, and Telegram channels
5. Credential stuffing: Automated tools use the stolen email and password pairs to attempt logins across thousands of websites
Dark web monitoring services like Surfshark Alert and Bitdefender Digital Identity Protection use a combination of automated crawlers and human intelligence analysts to monitor dark web forums, marketplaces, and private channels for your personal information. When a match is found, you receive an alert with details about what was exposed and recommended actions.
The key advantage of paid dark web monitoring over free tools like HIBP is timing and scope. Paid services often detect exposures during the “private trading” phase (step 2), before the breach is publicly disclosed. They also monitor for data types beyond email and passwords, including phone numbers, financial information, and government IDs.
Breach Monitoring Tools Compared
| Feature | HaveIBeenPwned (Free) | NordPass Breach Scanner | Surfshark Alert | Bitdefender Digital Identity |
|---|---|---|---|---|
| Email breach check | Yes | Yes | Yes | Yes |
| Password breach check | Yes | Yes | Yes | Yes |
| Dark web monitoring | No | Limited | Yes | Yes |
| Phone number monitoring | No | No | Yes | Yes |
| Credit card monitoring | No | No | Yes | No |
| SSN monitoring | No | No | Regional | No |
| Social media exposure | No | No | No | Yes |
| Data broker scanning | No | No | No | Yes |
| Real-time alerts | Email only | In-app | In-app + email | In-app + email |
| Continuous monitoring | No (manual) | Yes | Yes | Yes |
| Price | Free | Included with NordPass ($1.99/mo) | Included with Surfshark One ($3.49/mo) | $6.99/mo standalone |
For most users, I recommend starting with a free HaveIBeenPwned check and then signing up for a paid monitoring service for ongoing protection. If you already use NordPass as your password manager, its built-in breach scanner is the most convenient option. If you want the broadest monitoring coverage, Bitdefender Digital Identity Protection scans the widest range of data types.
What Not to Do After a Data Breach
Panic and misinformation lead to bad decisions. Here is what you should avoid.
Do not click links in breach notification emails. Ironically, phishing campaigns often disguise themselves as breach notification emails. If you receive an email claiming your data was breached, do not click any links in it. Instead, go directly to the service’s website by typing the URL in your browser and check your account settings or the company’s security blog for official breach disclosures.
Do not pay ransom or respond to extortion. Extortion emails that reference your leaked password are common and almost always automated. The attacker typically has nothing beyond publicly available breach data and is hoping you will panic and pay. Do not engage. Change the referenced password, enable 2FA, and report the email as spam.
Do not close the breached account before securing others. If you reused the breached password elsewhere, those other accounts are the real targets. Secure them first. Then deal with the breached account itself.
Do not assume the breach is over. Stolen data circulates for years. A breach that happened in 2023 can still lead to credential-stuffing attacks in 2026. This is why ongoing monitoring and unique passwords are so important.
Do not rely on the breached company’s response alone. Companies often offer free credit monitoring after a breach, which is better than nothing but limited in scope and duration. Take your own protective measures rather than relying solely on what the breached company provides.
Final Thoughts
Data breaches are a permanent feature of the digital landscape. No amount of personal caution can prevent a company you trust from being hacked. But you can dramatically reduce the impact of any breach by using unique passwords, enabling two-factor authentication, monitoring your exposure with a breach-scanning service, and acting quickly when a breach occurs.
Start by checking your email addresses on HaveIBeenPwned today. Then set up continuous monitoring through NordPass, Surfshark Alert, or Bitdefender Digital Identity Protection. These are small investments of time and money that can save you from the enormous financial and emotional cost of identity theft.
Related Guides
- Best Identity Theft Protection 2026
- Best Password Managers 2026
- 1Password vs Bitwarden 2026
- How to Create Strong Passwords 2026
- How to Protect Yourself from Phishing 2026
- Best Antivirus Software 2026
- Bitdefender Review 2026
- Surfshark Review 2026
- Best VPN Services 2026
Last updated: March 2026.
Frequently Asked Questions
How do I know if my personal data has been leaked?
The most reliable free method is to check your email address on HaveIBeenPwned.com, which indexes over 14 billion breached records. For broader monitoring, paid services like NordPass breach scanner, Surfshark Alert, and Bitdefender Digital Identity Protection continuously scan dark web marketplaces and paste sites for your personal information, including email addresses, passwords, phone numbers, and financial data.
Is HaveIBeenPwned safe and trustworthy?
Yes. HaveIBeenPwned was created by Troy Hunt, one of the most respected figures in cybersecurity. The site has been endorsed by major organizations including the FBI, the UK National Crime Agency, and the Australian Federal Police. It does not store your password when you search. It only checks if your email or password hash appears in known breaches.
What should I do immediately if my data has been leaked?
First, change the password for any account that used the compromised credentials. Do not reuse that password anywhere. Enable two-factor authentication on the affected accounts. If financial information was exposed, contact your bank, place a fraud alert on your credit report, and consider a credit freeze. Monitor your accounts closely for unauthorized activity for at least 90 days.
Can I remove my data from the dark web once it has been leaked?
No. Once data is published on the dark web, it cannot be recalled or deleted. The information is typically copied, reshared, and sold across multiple forums and marketplaces. What you can do is render the leaked data useless by changing passwords, enabling 2FA, freezing your credit, and monitoring for fraudulent use. Prevention through strong, unique passwords and a password manager is far more effective than damage control.
How often do data breaches happen?
Frequently. The Identity Theft Resource Center reported over 3,200 publicly disclosed data breaches in 2025, exposing billions of individual records. However, the actual number is likely higher since many breaches go unreported or are discovered months or years after they occur. On average, a major breach is publicly disclosed almost every day.
Is dark web monitoring worth paying for?
For most people, yes. Free tools like HaveIBeenPwned check for email and password exposure, but paid dark web monitoring services scan for a broader range of personal information including phone numbers, Social Security numbers, credit card numbers, and physical addresses. They also provide continuous monitoring with real-time alerts rather than requiring manual checks. Services like NordPass, Surfshark Alert, and Bitdefender Digital Identity Protection offer this at reasonable prices.
What is the difference between a data breach and a data leak?
A data breach involves unauthorized access to a system, typically through hacking, malware, or social engineering. A data leak is an unintentional exposure of data, often caused by misconfigured databases, accidental public uploads, or insider errors. Both result in personal data being accessible to unauthorized parties, and the response should be the same regardless of the cause.
Should I pay ransom if someone threatens to release my leaked data?
No. Never pay ransom or respond to extortion emails. Many extortion attempts are scams that reference publicly available breach data to create a false sense of urgency. There is no guarantee that payment will prevent data release, and paying encourages further criminal activity. Instead, change your passwords, enable 2FA, freeze your credit if financial data is involved, and report the extortion to local law enforcement and the FBI IC3.