Email Breach Checker

Check if your email or password has appeared in a known data breach. Powered by XposedOrNot — free, open-source breach monitoring with risk scoring.

Check if your email appeared in a known data breach. Powered by XposedOrNot — open-source, free breach monitoring. Your email is proxied through our server and never stored.

Add a VPN for complete protection

A VPN prevents your ISP and network from seeing which sites you log into, adding an extra layer of defence even when credentials have been exposed.

Get LimeVPN — From $5.99/mo

Quick Answer

Enter your email to check against billions of records from thousands of known data breaches. The password check uses k-anonymity — only the first 5 characters of your SHA-1 hash are sent to the API, so your actual password is never transmitted. Powered by XposedOrNot.

  • Data breach records cover billions of accounts from Yahoo, LinkedIn, RockYou, Adobe and thousands more
  • Risk score (0–100): 100 = multiple breaches with plain-text passwords
  • k-anonymity: your password hash is never sent — only a 5-char prefix
  • Change breached passwords immediately + enable 2FA on affected accounts

What Is a Data Breach?

A data breach occurs when an attacker gains unauthorised access to a company's database and extracts user records. The stolen data — emails, passwords, names, phone numbers, credit card details — is typically sold on dark web markets or dumped publicly. Billions of records have been exposed in breaches from companies like Yahoo, LinkedIn, Adobe, RockYou, and hundreds of others.

Even if you don't recognise a breached service, your email may have been included if you ever used that service, or if an aggregator purchased data containing your address.

Why Password Reuse Is Dangerous

Attackers use "credential stuffing" — automatically trying breach credentials against hundreds of sites. If you used the same email and password on LinkedIn in 2012 as you use on your bank today, a credential stuffing attack could compromise your bank account using 10-year-old stolen data.

The solution is a password manager (Bitwarden, 1Password, Proton Pass) that generates a unique, random 20+ character password for every service you use. With a password manager, a breach of one service cannot compromise any other.

The k-Anonymity Password Check Model

The password check uses a model designed to be completely private. Here's exactly what happens:

01. Your password is SHA-1 hashed in browser

The hashing runs entirely in your browser using JavaScript — for example, "password123" becomes "CBFDAC6008F9CAB4083784CBD1874F76618D2A97". Nothing is sent yet.

02. Only first 5 characters sent to API

Only the first 5 hex characters of the SHA-1 hash (e.g., "CBFDA") are sent to the HaveIBeenPwned Pwned Passwords API. Your password and its full hash remain on your device.

03. API returns all matching hash suffixes

The API responds with thousands of hash suffixes that begin with those 5 characters — all the breached passwords in that prefix range. The API cannot tell which one you're looking for.

04. Browser checks your full hash in that list

Your browser compares the full hash of your password against the returned list locally. If it matches, the password has been seen in a breach. This comparison never leaves your device.

05. Your password/full hash never transmitted

This model was designed by Troy Hunt and Cloudflare and is open source. Cloudflare themselves cannot see which password you checked. Neither can we.
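
The five steps above, written out as an added example (not code from this page, XposedOrNot or HaveIBeenPwned). The `fetchRange` parameter, the `fakeFetchRange` stand-in and the sample response with its counts are constructed for illustration, so the block runs offline and shows exactly what would leave the device.

```javascript
// Web Crypto is global in browsers and current Node; older Node exposes it via the module.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Step 01: SHA-1 the password locally and return uppercase hex.
async function sha1Hex(password) {
  const digest = await subtle.digest("SHA-1", new TextEncoder().encode(password));
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
}

// Step 04: look for our 35-char suffix in a "SUFFIX:COUNT" response body.
// Returns the breach count, or 0 when the suffix is absent, the row is
// malformed, or the row carries a count of 0 (as padded responses use).
function countForSuffix(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isInteger(n) && n > 0 ? n : 0;
    }
  }
  return 0;
}

// Steps 02-03 and 05: only the 5-char prefix is handed to fetchRange (a
// hypothetical injected function that would call the range endpoint).
// The suffix and the password stay inside this function.
async function checkPassword(password, fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  const body = await fetchRange(prefix);
  return { prefix, count: countForSuffix(body, suffix) };
}

// Constructed sample response for prefix CBFDA (counts are made up).
const SAMPLE_RANGE = [
  "0".repeat(34) + "A:3",
  "C6008F9CAB4083784CBD1874F76618D2A97:12345",
  "F".repeat(35) + ":0", // zero-count row, treated as not found
].join("\r\n");

// Stand-in for the network call; records what would have been sent.
const sent = [];
async function fakeFetchRange(prefix) {
  sent.push(prefix);
  return SAMPLE_RANGE;
}
```

Inspecting `sent` after a call confirms that the only value passed to the network layer is the 5-character prefix.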

Protect Your Accounts with LimeVPN

Even with strong passwords, a VPN prevents your ISP and network from seeing which sites you log into. LimeVPN adds a critical layer of account security.

AES-256 Encryption · No-Logs Policy · 30+ Locations · Kill Switch

Frequently Asked Questions

What is XposedOrNot?
XposedOrNot is a free, open-source breach monitoring API. It aggregates data from thousands of known data breaches and provides real-time alerts for email and domain exposure. It covers billions of compromised records and returns rich metadata per breach: password risk level (plain text vs. hashed), industry, verification status, and the specific data types exposed.

Is it safe to enter my email here?
Your email is sent to our server, which forwards it to the XposedOrNot API. We do not store, log, or share your email address. The query returns only public breach metadata. If you prefer not to enter your email here, you can check directly at xposedornot.com.

How is the password check private?
The password check uses the k-anonymity model designed by Troy Hunt and Cloudflare. Your password is SHA-1 hashed entirely in your browser. We send only the first 5 characters of the hash to the HaveIBeenPwned Pwned Passwords API, which returns all matching suffixes. We check whether your full hash appears in that list — your actual password or full hash never leaves your device.

What should I do if my email is in a breach?
Change the password for the affected service immediately, especially if passwords were in the breach data. Enable two-factor authentication (2FA) on all affected accounts. Check if you reused the same password on other services — if so, change those too. Be alert to phishing emails using information from the breach (like your real name or partial account details).

What does the risk score mean?
The risk score (0–100) is calculated by XposedOrNot based on how many breaches were found, what data was exposed, and how easy the leaked passwords are to crack. A score of 100 (Critical) typically means multiple breaches with plain-text or easy-to-crack passwords. A lower score indicates fewer breaches with better password protection.

My password wasn't found — does that mean it's safe?
Not necessarily. The database covers over 13 billion compromised passwords, but new breaches happen constantly. A password not found could still be weak or leaked in an unprocessed breach. Always use a password manager to generate unique, random passwords for every service.
