
How to find out if your password has been compromised

We’re all online, and that means our data is, too. A poorly secured database, an unknown zero-day vulnerability or a simple security oversight is all an opportunistic hacker needs to make off with large customer databases.

User data stolen from electricity suppliers, hotel chains, dating sites, government agencies, Sony and Facebook has all appeared for sale on the dark web. Here’s how to see if yours was included in any of the heists.

The Short Version

  1. Go to Have I Been Pwned
  2. See what breaches include your details
  3. Secure compromised accounts
  4. Check your bank cards
  5. Check for reused passwords
  1. Go to Have I Been Pwned

    Go to https://haveibeenpwned.com/ and enter your email address – phone numbers used to log into online services can also be checked.

  2. See what breaches include your details

    If you get an ‘Oh no — pwned!’ result, scroll down to see which breaches your details were included in.

  3. Secure compromised accounts

    Log into the affected account and change your password. If you don’t need the account any more, delete it.

  4. Check your bank cards

    If full payment card data was included in the breach – and this is a relatively rare occurrence – check to see which cards you have registered with the breached account. If they’re still active, you should ask your bank to issue replacements.

  5. Check for reused passwords

    Finally, check all your other accounts to make sure you haven’t used the same password anywhere else. If you use a password manager, just search for the password in question. If you find any repeated uses, log in to each account, change your password immediately and check the account’s login history for any IP addresses or locations that you don’t recognise.
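
If your password manager can export to CSV, the reuse check in step 5 can be run over the whole vault at once. The script below is an added example, not part of the original guide: the column names (title, username, password) and the sample entries are assumptions constructed for illustration, and it also flags near-identical passwords that differ only by case or a trailing number.

```python
import csv
import io
import string
from collections import defaultdict

# Constructed sample export. The column names (title, username, password) are
# an assumption: rename them to match the CSV your password manager produces.
SAMPLE_EXPORT = """title,username,password
Patreon,alex@example.com,Sunflower!42
Old forum,alex@example.com,Sunflower!42
Energy supplier,alex@example.com,sunflower!43
Bank,alex@example.com,x9#Lq2vT7pRw
"""

def load_entries(csv_text):
    """Parse the export, skipping entries that have no password stored."""
    return [row for row in csv.DictReader(io.StringIO(csv_text)) if row.get("password")]

def base_form(password):
    """Lower-case the password and drop trailing digits and symbols."""
    return password.lower().rstrip(string.digits + string.punctuation)

def exact_reuse(entries, breached):
    """Accounts that use exactly the password exposed in the breach."""
    return sorted(e["title"] for e in entries if e["password"] == breached)

def near_reuse(entries, breached):
    """Accounts whose password differs only by case or a trailing suffix."""
    base = base_form(breached)
    return sorted(e["title"] for e in entries
                  if base and e["password"] != breached
                  and base_form(e["password"]) == base)

def reuse_groups(entries):
    """Every set of accounts sharing one password, without echoing the password."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["password"]].append(e["title"])
    return sorted(sorted(titles) for titles in groups.values() if len(titles) > 1)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    breached = "Sunflower!42"  # constructed: the password used on the breached account
    print("Change now (same password):", exact_reuse(entries, breached))
    print("Change soon (near-identical):", near_reuse(entries, breached))
    print("All shared-password groups:", reuse_groups(entries))
```

A CSV export holds every password in plain text, so keep it out of synced or shared folders and delete it as soon as the check is done.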

Next steps

Once included in a breach, your credentials – your username and password – are very likely to be tried on multiple other sites by opportunistic thieves. This is the main reason to never re-use passwords.

If you aren’t already using a password manager, this is a great time to start. It’s important to create a unique and memorable pass phrase as your master password, and to never use it for anything else.

My current favourites are Bitwarden and, if you’re a more technical user who prefers to control where your password database is stored, KeeWeb and Authpass, both of which use KeePass’s kdbx database standard.

A number of password managers include breach checking in some of their subscription tiers. 1Password integrates Have I Been Pwned? – the code for which has been open sourced by creator Troy Hunt – and is heavily promoted on the site via a partnership, but is not your only option for in-password-manager breach checking.

Dashlane, LastPass and Bitwarden, among others, all alert you to compromised credentials in your password collection.

Personal data breaches

Most major breaches only include email addresses, passwords and perhaps four digits of a payment card. But some hacks, including the 2015 Patreon and 2020 People’s Energy breaches, resulted in the loss of physical addresses and even dates of birth, which provides bad actors with more ammunition for identity theft.

Fortunately, you need more than someone’s home address to steal their identity, but this kind of data can be used, with other personal information, to get past secret questions for banks and government agencies. If you suspect that such data has been compromised, keep an eye on any accounts that use it, and make sure you’ve chosen different security questions for identity confirmation.

While you can’t put the genie back in the bottle, you can keep other personal information that could supplement such information from getting out. This would be a good time to set your Facebook account to friends-only and avoid discussing the name of your first pet in online forums – solid security practice at the best of times.

You can’t control whether an online service you use gets breached, but you can minimise your potential risk by never reusing passwords (or using very similar passwords everywhere), closing any accounts you no longer need, and regularly checking on whether your details have been included in a breach.

Troubleshooting

If you’re still concerned about your security, you can use the below FAQ to help further protect yourself.

Which is the best anti-virus you can get to protect yourself?

Trusted Reviews regularly reviews most of the common anti-virus services, ranking them on key metrics including ease of use, reliability and price. You can see our results in our best anti-virus guide.

Will a VPN help protect my data?

Virtual Private Networks are a great way to protect your privacy in many instances, though a password breach isn’t one of them. You can get a detailed breakdown of what a VPN is and how it helps protect your privacy in the attached guide.

How can I stop my passwords being stolen?

There are a variety of ways to protect passwords, ranging from using strong unique keys for each account to avoiding clicking on infected links. You can see a full breakdown of our current advice in the attached how to secure your passwords guide.
