Check if your credentials have ever been leaked in a data breach! (General cyber hygiene)

Breaches happen every day and a new threat actor pops up on the dark web selling databases (Zomato 2017, Ixigo, BigBasket 2021 etc). I come across them on a regular basis and so do malicious actors who procure such databases at a minimal cost and leverage the information in these databases (credential stuffing/re-use) and do further damage. Such information can be dominantly seen on the surface web as well (it may be outdated).

Point being, keep track of your emails and where you’ve used them, regularly check for leaks in data breaches, frequently change passwords and use multi-factor authentication (Authy) wherever possible!

Hands down my first recommendation to folks to validate if their information (emails, passwords, IP, other PII) has ever been leaked as a part of any data breaches.

https://haveibeenpwned.com/

Just my first contribution to the community, hope it helps someone! Cheers.

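Beyond the web form, HIBP also exposes the Pwned Passwords range API, which lets you check a password without ever sending the password or its full hash to anyone: you send only the first five hex characters of its SHA-1, get back every suffix HIBP knows under that prefix, and do the comparison locally (k-anonymity). The script below is an added example written for this post, not code from HIBP; the endpoint URL, the `SUFFIX:COUNT` response format and the `Add-Padding` header are HIBP's documented API, while the sample response body and its counts are constructed for offline testing and are not real breach numbers.

```python
"""Check a password against HIBP Pwned Passwords using the k-anonymity range API.

Only the first 5 hex characters of the SHA-1 digest leave this machine; the
remaining 35 characters are compared locally against the returned list.
"""
import hashlib
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    The 5-char prefix is the only thing sent to HIBP; the 35-char suffix
    stays local and is matched against the response.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from the range endpoint into a dict.

    Zero-count lines are padding (returned when the Add-Padding header is
    sent so response sizes do not reveal the prefix) and are dropped.
    """
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than failing
        suffix, count_text = line.split(":", 1)
        try:
            count = int(count_text)
        except ValueError:
            continue
        if count > 0:
            seen[suffix.upper()] = count
    return seen


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in breaches, given the range body.

    Returns 0 when the local suffix is not present (password not known to HIBP).
    """
    _, suffix = sha1_split(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the range body for a 5-char prefix from HIBP (network call)."""
    req = Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end online check: send only the prefix, compare suffix locally."""
    prefix, _ = sha1_split(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The suffixes other than the real one for "password", and all
# counts, are made up for offline testing; the last line is a padding entry.
SAMPLE_RANGE_5BAA6 = """003D68EB55068C33ACE09247EE4C639306B:12
012C192B2F16F82EA0EB9EF18D9D539B0DD:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999
0123456789ABCDEF0123456789ABCDEF012:0
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        hits = breach_count(candidate, SAMPLE_RANGE_5BAA6)
        verdict = f"seen {hits} times in the sample range" if hits else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Run it as-is to see the offline comparison against the constructed sample; call `check_password_online("…")` to query the real endpoint. Even then the server only ever learns the 5-character prefix, which maps to hundreds of candidate hashes, so it cannot tell which password you checked.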

This site is super helpful, I make it a point to check every couple of months! Thank you for posting.


It does not seem to update the email addresses if the user has changed the password or enforced two-factor authentication.

How would that be possible? It can only verify the information using a breached database which is submitted to/accessed by the HIBP team. If you update/modify any settings on your account, it will not be visible to anyone else other than yourself.

Unless I subscribe using an email address, I may not get updates on whether this email address has been listed in a breached database again.

Yes, you can check whether an email address is listed or not.

At this point, I’m not even sure what you mean. Of course you can check whether you’re listed in a breach or not, despite opting for a notification or doing it manually.

I thought your point was how would HIBP know whether you’ve changed your password/enforced 2FA. They can’t.

I know that HIBP would not know whether users have changed their password/enforced 2FA.

This means that when people search email IDs they will still be listed. That list is not dynamic, but it does help people to check. That is my point.

Yes, it will be listed along with the dates when their info was listed in a breach. So if my password was leaked in a breach that happened in 2017 and I changed my password in 2021; I’m good, simple as that.