How to Use 'Have I Been Pwned' to See If Your Data Was Compromised


The site can reveal whether your log-in credentials, financial data, or other details have been stolen or leaked online, and send email alerts about new data breaches

By Yael Grauer

Data breaches have affected most of us in recent years, leading to unauthorized access to log-in credentials, financial information, and personal data. All of that can be used by criminals intent on committing fraud.

To tighten up your digital security, it’s important to know which accounts have been affected. That’s a task you can accomplish at Have I Been Pwned, a free website that’s widely recommended by security experts. (The term “pwn” is hacker jargon for compromising or taking control of a computer or an application.)

Created by an Australian web security consultant, Troy Hunt, the site analyzes information from hundreds of breaches and millions of compromised accounts, data that often ends up posted online and traded by criminals. The site lets you enter an email address or a phone number to find out whether it has appeared in any of the data breaches the site tracks. Then you can change your passwords and take other steps to protect yourself.

Consumer Reports has been steering people to Have I Been Pwned for years, and security-savvy consumers may have used it before. But the site has gradually become more robust, adding features and expanding its records of compromised data. And, unfortunately, data breaches continue to occur. So even if you’ve checked out the site before, it’s worth another look.

What Have I Been Pwned Lets You Do

The site has a number of functions for both one-time users and returning visitors.

Search for Your Information
The primary function of Have I Been Pwned is to tell you whether your information has been compromised. Enter your email address or phone number and you’ll get a list of data breaches tied to those details. The site will also provide information such as when each data breach happened, the name of the affected company, what data was compromised, how the breach was discovered, and how many accounts were involved.

Sign Up for Notifications
You can sign up to receive an email notification every time your personal information is found in a new data breach. That will allow you to take steps to minimize the risk of fraud or identity theft, such as changing your password on that account—and any other accounts where you used the same password.

Stop Other People From Seeing Your Data
You can opt out of letting other people enter your email address and find out which data breaches have affected you. You provide the site with your email address, then follow a link from the email you receive to choose exactly how you want to opt out. (For instance, in addition to stopping others from searching for breaches related to your email address, you can have your email address removed from the system altogether.)

By default, data breaches that Hunt considers sensitive—such as breaches on adult sites—are not publicly searchable. Those details are revealed only to people who sign up to receive email notifications.

Troy Hunt's Advice on Staying Safe

Have I Been Pwned is a useful resource for finding out when you’ve been affected by a data breach, but it’s best to get ahead of the problem by making your accounts more secure. Two important steps, Hunt says, are enabling multifactor authentication and using a password manager to generate and save strong passwords.

If you do that, you may end up accessing Hunt’s data without actually going to his site. The password manager 1Password, which costs $3 per month and up, comes with a feature called Watchtower that lets you compare your passwords against a list of compromised passwords maintained by Have I Been Pwned. Then, 1Password will tell you which passwords to change right away.

Data from Have I Been Pwned is also used in browser extensions such as Okta’s PassProtect for Chrome.

Hunt says one of the best uses for Have I Been Pwned is to learn about how much information you’re sharing online. “There’s a little bit of data minimization that almost everybody can practice,” he says. “For example, do you need to give your date of birth to a site that asks for it? What is the value proposition for you as an individual handing out your date of birth?”

If the site doesn’t really need a piece of information to provide you with the service you want, consider withholding it, he says.




Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.