We’re all online, and that means our data is, too. A poorly secured database, an unknown zero-day vulnerability, or a simple security oversight is enough for an opportunistic hacker to exploit and make off with large customer databases.
User data stolen from electricity suppliers, hotel chains, dating sites, government agencies, Sony and Facebook has all appeared for sale on the dark web. Here’s how to see if yours was included in any of the heists.
The Short Version
- Go to Have I Been Pwned
- See what breaches include your details
- Secure compromised accounts
- Check your bank cards
- Check for reused passwords
Go to Have I Been Pwned
Go to https://haveibeenpwned.com/ and enter your email address – phone numbers used to log into online services can also be checked.
See what breaches include your details
If you get an ‘Oh no — pwned!’ result, scroll down to see which breaches your details were included in.
Secure compromised accounts
Log into the affected account and change your password. If you don’t need the account any more, delete it.
Check your bank cards
If full payment card data was included in the breach – and this is a relatively rare occurrence – check to see which cards you have registered with the breached account. If they’re still active, you should ask your bank to issue replacements.
Check for reused passwords
Finally, check all your other accounts to make sure you haven’t used the same password anywhere else. If you use a password manager, just search for the password in question. If you find any repeated uses, log in to each account, change your password immediately and check the account’s login history for any IP addresses or locations that you don’t recognise.
Once included in a breach, your credentials – your username and password – are very likely to be tried on multiple other sites by opportunistic thieves. This is the main reason to never re-use passwords.
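One way to automate the reused-password check against a password-manager export, as an added example that is not part of the original article. The CSV column names and the sample accounts are constructed assumptions, and the script goes slightly beyond an exact search by also flagging near-identical variants of the breached password.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. The column names (name, username, password) are
# an assumption; adjust them to match your password manager's CSV export.
SAMPLE_EXPORT = """name,username,password
shop.example,alice@example.com,Sunflower!42
forum.example,alice@example.com,Sunflower!42
bank.example,alice,correct-horse-battery
mail.example,alice@example.com,sunflower!43
video.example,alice,Tr0ub4dor&3
"""

def load_entries(csv_text):
    """Parse the export text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def stem(password):
    """Lower-case a password and strip trailing digits and punctuation, so
    'Sunflower!42' and 'sunflower!43' compare as the same base password."""
    lowered = password.lower()
    return re.sub(r"[\W\d_]+$", "", lowered) or lowered

def accounts_to_change(entries, breached_account):
    """For a breached account, return (exact, similar): other accounts that
    share its password exactly, and those using a close variant of it."""
    breached = next((e for e in entries if e["name"] == breached_account), None)
    if breached is None:
        raise ValueError(f"no entry named {breached_account!r}")
    exact, similar = [], []
    for entry in entries:
        if entry is breached:
            continue
        if entry["password"] == breached["password"]:
            exact.append(entry["name"])
        elif stem(entry["password"]) == stem(breached["password"]):
            similar.append(entry["name"])
    return exact, similar

def reuse_groups(entries):
    """Return groups of accounts sharing a base password, never the passwords."""
    groups = defaultdict(list)
    for entry in entries:
        groups[stem(entry["password"])].append(entry["name"])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

if __name__ == "__main__":
    vault = load_entries(SAMPLE_EXPORT)
    print(accounts_to_change(vault, "shop.example"))
    print(reuse_groups(vault))
```

A vault export is unencrypted, so run this locally and delete the file as soon as you have the list of accounts to change.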
If you aren’t already using a password manager, this is a great time to start. It’s important to create a unique and memorable pass phrase as your master password, and to never use it for anything else.
My current favourites are Bitwarden and, if you’re a more technical user who prefers to control where your password database is stored, KeeWeb and Authpass, both of which use KeePass’s kdbx database standard.
A number of password managers include breach checking in some of their subscription tiers. 1Password integrates Have I Been Pwned? – the code for which has been open sourced by creator Troy Hunt – and is heavily promoted on the site via a partnership, but is not your only option for in-password-manager breach checking.
Dashlane, LastPass and Bitwarden, among others, all alert you to compromised credentials in your password collection.
Personal data breaches
Most major breaches only include email addresses, passwords and perhaps four digits of a payment card. But some hacks, including the 2015 Patreon and 2020 People’s Energy breaches, resulted in the loss of physical addresses and even dates of birth, which provides bad actors with more ammunition for identity theft.
Fortunately, you need more than someone’s home address to steal their identity, but this kind of data can be used, with other personal information, to get past secret questions for banks and government agencies. If you suspect that such data has been compromised, keep an eye on any accounts that use it, and make sure you’ve chosen different security questions for identity confirmation.
While you can’t put the genie back in the bottle, you can keep other personal information that could supplement such information from getting out. This would be a good time to set your Facebook account to friends-only and avoid discussing the name of your first pet in online forums – solid security practice at the best of times.
You can’t control whether an online service you use gets breached, but you can minimise your potential risk by never reusing passwords (or using very similar passwords everywhere), closing any accounts you no longer need, and regularly checking on whether your details have been included in a breach.
If you’re still concerned about your security, you can use the below FAQ to help further protect yourself.
Trusted Reviews regularly reviews most of the common anti-virus services, ranking them on key metrics including ease of use, reliability and price. You can see our results in our best anti-virus guide.
Virtual Private Networks are a great way to protect your privacy in many instances, though a password breach isn’t one of them. You can get a detailed breakdown of what a VPN is and how it helps protect your privacy in the attached guide.
There are a variety of ways to protect passwords, ranging from using strong unique keys for each account to avoiding clicking on infected links. You can see a full breakdown of our current advice in the attached how to secure your passwords guide.