Has your email been hacked? If you’ve ever used the internet — signed up for an account, made a purchase online, or subscribed to a newsletter — there’s a good chance your email address has been exposed in at least one data breach. Over 10 billion accounts have been compromised in known data breaches over the past decade.
The scary part isn’t just that your email was leaked — it’s what comes with it. Data breaches often expose your password, phone number, address, and other personal information alongside your email. That data ends up on the dark web and in the hands of criminals who use it for identity theft, phishing attacks, and account takeovers.
Here’s how to check if your email has been compromised, what to do about it, and how to prevent future damage.
Quick check: Before you dive into this guide, run a free Optery scan to see how much of your personal information is publicly available on data broker sites right now. Breached email data often ends up on data broker sites alongside your name, address, and phone number.
How to Check If Your Email Has Been Breached (30 Seconds)
Checking if your email has been hacked is fast and free:
Step 1: Go to Have I Been Pwned. Visit haveibeenpwned.com — this is the most trusted and comprehensive breach-checking tool on the internet. It was created by security researcher Troy Hunt and is used by millions of people and organizations worldwide.
Step 2: Enter your email address. Type your email address into the search box and click “pwned?” The site will instantly check your email against billions of breached records.
Step 3: Review the results. If your email has been found in any breaches, you’ll see a list of the specific incidents — including the company that was breached, when it happened, and what types of data were exposed (email, password, phone number, address, etc.).
Step 4: Check all your email addresses. Don’t just check your primary email. Check your work email, old email addresses, and any other accounts you’ve used for online signups.
If Have I Been Pwned shows your email in zero breaches — congratulations, but stay vigilant. New breaches happen constantly, and your email could appear in a future one.
If it shows your email in one or more breaches — don’t panic, but take action. Keep reading.
What Does It Mean If Your Email Was Breached?
Finding out your email was hacked or breached means that a company you gave your email address to was compromised, and your data was stolen from their systems. Here’s what that means practically:
Your email + password may be exposed. If you used the same password on the breached site and on other accounts, criminals can use those credentials to log into your other accounts. This is called “credential stuffing” and it’s one of the most common attack methods.
Your email is on spam and phishing lists. Breached email addresses get sold in bulk to spammers and phishing operators. If you’ve noticed an increase in spam or suspicious emails, a breach is likely the reason.
Your other personal information may be linked. Many breaches expose more than just emails — phone numbers, addresses, dates of birth, and even Social Security numbers can be part of the leaked data. This information feeds into data broker databases and the dark web.
You’re at higher risk for targeted phishing. When criminals know your email, name, and other personal details (often available from data broker sites), they can craft extremely convincing phishing emails that are hard to distinguish from legitimate messages.
What to Do If Your Email Has Been Breached
If your email has been hacked or appeared in a breach, take these steps immediately:
Step 1: Change Your Passwords — Starting with Email
Your email account is the master key to everything. If someone has access to your email, they can reset passwords on every other account you own. Change your email password first, then change passwords on any accounts where you used the same or similar password.
Use a password manager (Bitwarden is free) to generate strong, unique passwords for every account. Never reuse passwords again.
Step 2: Enable Two-Factor Authentication
Turn on 2FA on your email account immediately. Use an authenticator app (Google Authenticator, Authy) rather than SMS codes — SMS can be intercepted through SIM-swapping attacks.
Then enable 2FA on every other important account: banking, social media, shopping, and any account with your payment information or personal data.
Step 3: Check for Unauthorized Access
Most email providers let you see recent login activity:
Gmail: Scroll to the bottom of your inbox and click “Details” under “Last account activity.”
Outlook/Microsoft: Go to account.microsoft.com → Security → Sign-in activity.
Yahoo: Go to Yahoo Account → Recent Activity.
Look for logins from unfamiliar locations, devices, or IP addresses. If you see anything suspicious, change your password immediately and sign out of all other sessions.
Step 4: Freeze Your Credit
If the breach included sensitive information beyond just your email (SSN, date of birth, financial data), freeze your credit with all three bureaus immediately. This prevents anyone from opening new accounts in your name. It’s free and takes 10 minutes.
Step 5: Remove Your Data from Data Broker Sites
Breached data often makes your data broker profiles even more valuable to criminals. Your exposed email, combined with your name, address, and phone number from data broker sites, creates a complete profile for identity theft.
Run a free Optery scan to see where your personal information is listed on data broker sites. Then remove it:
Optery — Our top recommendation. Free scan to see your exposure. Paid plans ($39-$249/year) automate removal from 350+ sites with continuous monitoring.
Incogni — Best budget option. Covers 180+ data brokers for $6.49/month billed annually.
Step 6: Watch for Phishing Attempts
After a breach, expect an increase in phishing emails. Be extra cautious about:
Emails asking you to “verify your account” — legitimate companies rarely ask you to click a link to verify your account via email.
Emails with urgent language — “Your account will be suspended” or “Unauthorized activity detected” are classic phishing tactics.
Emails that know personal details about you — if a phishing email includes your real name, address, or other personal details, the attacker likely got that information from data broker sites. This is why removing your data from brokers reduces your phishing risk.
How to Prevent Future Email Breaches
You can’t stop companies from getting hacked — that’s out of your control. But you can minimize the damage when it happens:
Use unique passwords everywhere. If every account has a different password, one breach doesn’t compromise everything. A password manager makes this effortless.
Enable 2FA on every account that supports it. Even if a password is stolen, 2FA stops an attacker from signing in with the password alone.
Use email aliases. Some email providers let you create aliases or “plus addressing” (yourname+shopping@gmail.com). This helps you track which companies leaked your data and limits exposure.
Use a separate email for non-essential signups. Keep your primary email for important accounts (banking, work, personal). Use a secondary email for newsletters, shopping, and online signups. If the secondary email gets breached, your primary stays clean.
Use a secondary phone number. Get a free Google Voice number and use it for online signups. This prevents your real phone number from being exposed in breaches.
Remove your data from data broker sites. The less personal information available about you online, the less useful any breach data becomes. Optery and Incogni handle this automatically.
Set up Google Alerts. Create alerts for your email address so you’re notified if it appears on new websites or in public data dumps.
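The alias tracking described under “Use email aliases” can be checked mechanically. The following is an added example, not code from the original article: it reads the recipient headers of constructed sample messages, extracts the +tag, and compares the sender's domain with the site that tag was given to. The ALIAS_OWNERS mapping, the .example domains and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: which site each +tag was handed to (constructed for this example).
ALIAS_OWNERS = {"shopping": "shop.example", "news": "newsletter.example"}

# Constructed sample messages; the address format follows the article's example.
SAMPLES = [
    "From: Deals <offers@mail.shop.example>\nTo: yourname+shopping@gmail.com\n"
    "Subject: Weekend sale\n\nbody\n",
    "From: Prize Team <win@unrelated.example>\nTo: yourname+shopping@gmail.com\n"
    "Subject: You won\n\nbody\n",
    "From: Support <help@unrelated.example>\n"
    "Delivered-To: yourname+news@gmail.com\nSubject: Verify your account\n\nbody\n",
]


def plus_tag(address):
    """Return the +tag of a plus-addressed mailbox, or None if there is none."""
    local = address.rpartition("@")[0]
    if "+" not in local:
        return None
    return local.split("+", 1)[1].lower() or None


def audit(raw_message):
    """Return (tag, sender_domain, verdict) for each tagged recipient address."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = []
    for name in ("To", "Cc", "Delivered-To"):  # Delivered-To catches Bcc'd mail
        headers += msg.get_all(name, [])
    findings, seen = [], set()
    for _display, rcpt in getaddresses(headers):
        tag = plus_tag(rcpt)
        if tag is None or tag in seen:
            continue
        seen.add(tag)
        owner = ALIAS_OWNERS.get(tag)
        if owner and (sender_domain == owner or sender_domain.endswith("." + owner)):
            verdict = "expected"  # From can be forged, so this is not proof
        else:
            verdict = "mismatch"  # alias reached a sender it was never given to
        findings.append((tag, sender_domain, verdict))
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

A mismatch is a lead rather than a verdict: companies often send through third-party mail services, so confirm before concluding that a particular site leaked the alias.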
Check Your Email Right Now
It takes 30 seconds to find out if your email has been hacked. Don’t put this off — the sooner you know, the sooner you can protect yourself.
- Check haveibeenpwned.com with all your email addresses
- Change passwords on any accounts that reuse the same password as breached accounts
- Enable 2FA on your email, banking, and social media accounts
- Run a free Optery scan to see what personal information is publicly exposed on data broker sites
- Freeze your credit if sensitive information was exposed
Your email is the key to your digital life. Make sure it’s secure.
Frequently Asked Questions
How do I know if my email has been hacked?
The fastest way is to check haveibeenpwned.com — enter your email and it will show you every known data breach your email appeared in. Also watch for signs like unexpected password reset emails, unfamiliar sent messages, or a sudden increase in spam.
Is Have I Been Pwned safe to use?
Yes. Have I Been Pwned is operated by Troy Hunt, a well-known and respected security researcher. The site doesn’t store the email addresses you search — it only checks them against its breach database. It’s used by millions of people and recommended by security professionals worldwide.
What should I do first if my email has been breached?
Change your email password immediately, then enable two-factor authentication. After that, change passwords on any accounts using the same password. Then freeze your credit if sensitive information was exposed.
Can I prevent my email from being breached?
You can’t prevent companies from being hacked, but you can minimize damage by using unique passwords, enabling 2FA, and using separate emails for different purposes. Removing your personal data from data broker sites also reduces the value of any breached data.
How are data breaches connected to data brokers?
Breached data (email, password, phone number) often ends up on data broker sites and the dark web. Criminals combine breach data with publicly available data broker information to build complete identity profiles for identity theft. Removing your data from broker sites makes breach data less useful to criminals.
How often should I check if my email has been breached?
Check every few months, or sign up for notifications on haveibeenpwned.com — they’ll email you if your address appears in a future breach. Combine this with Google Alerts for your email for ongoing monitoring.
This post contains affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. See our affiliate disclosure for details.