How to tell if your password has been stolen

Coming up with a strong, unique password and storing it in a password manager or browser isn’t good enough. You need to know if and when your password was stolen in a password breach, so you can act quickly enough to change that password before your personal information is potentially compromised. Here’s how.

It’s been some time since the massive Collections breaches of 2019 leaked literally billions of email addresses and passwords to the web, putting the security of those accounts at risk. The problem users faced at the time was a limited number of ways to tell if they were actually at risk. Now, there are many password monitoring services that will reveal if your password has been stolen. Many are designed to let you quickly take action and change them.


Basic services to reveal email breaches

Two reputable services to check this information existed at the time of the Collections breach, and still do: HaveIBeenPwned, and a service run by the Hasso-Plattner-Institut in Potsdam, Berlin. Both ask you to enter your email address (not your password!), and both then match that address against a database of known breaches.

Both services have their appeal. HaveIBeenPwned’s reputation attracts those who wish to publicize their attacks, so the site’s breach reporting seems comprehensive. The site lists the breaches an email address has been caught up in, along with any associated information that was exposed, such as your gender or phone number. The site organizes the breaches by the service attacked, not by date. Why does that matter? Because if your email was exposed in a breach in 2016, for example, chances are that your password has been changed since then. But if your email and password were exposed last month, you’ll want to change them right away.

HaveIBeenPwned supplies a large amount of information about breaches, but it could be better organized.

HaveIBeenPwned also publishes the breach information for any email address, which is handy for checking up on friends and family, though it isn’t the most privacy-conscious.

HPI’s service takes a different approach. It lists the breaches by date, along with a matrix of what information was exposed. If you enter an email address on the site, it will send a security report to that specific email, along with a color-coded chart of what data is at risk, and from what breach.

HPI will send you a matrix of what information has been released in conjunction with your email, organized with the most recent breach first.

Browsers are adding password monitoring for free

Both of the above services only reveal whether a specific email address has been part of a breach, however, not whether a non-email username (“billg,” say) has been exposed. For that, you’ll want a trusted service that knows you, as well as the passwords you’ve chosen. Don’t go chasing random sites to “check” your passwords; stick with a few trusted names. (Also note that password monitoring is a paid service for most password managers, but it is free in the password managers built into web browsers.)
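The reason a trusted service can check a password without ever receiving it is the k-anonymity range check: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every suffix the service has seen under that prefix, and does the final comparison itself. The following is an added example, not code from the article or from any of the services it names; it implements that range-check pattern (the same shape used by the Pwned Passwords API, which is not described on the page) against a constructed, offline breach corpus with made-up counts, so nothing here touches the network.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict

# A range query carries only the first 5 hex characters of the SHA-1 digest,
# so the service learns at most which 1-in-1,048,576 bucket the password is in.
PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, computed on the client side only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus standing in for a breach database: password -> times seen.
# These counts are invented for the example; they are not real breach statistics.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3_500_000,
    "123456": 9_000_000,
    "letmein": 250_000,
}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group the corpus by hash prefix, producing one 'SUFFIX:COUNT' line per entry,
    which is the response body shape a range endpoint returns for a prefix."""
    buckets = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        buckets[digest[:PREFIX_LEN]].append(f"{digest[PREFIX_LEN:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the server side of the range endpoint (hypothetical, offline).
    It rejects anything other than a 5-character hex prefix, so a client bug that
    leaks the full digest would fail loudly instead of silently exposing it."""
    if len(prefix) != PREFIX_LEN or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("range queries take exactly 5 upper-case hex characters")
    return RANGE_INDEX.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the prefix leaves this function; the suffix comparison happens locally,
    which is what lets a user check a password without handing it over."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue  # tolerate padding or trailing blank lines in the body
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "a long unique passphrase nobody reused"):
        n = pwned_count(pw)
        verdict = f"seen {n:,} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

The `fetch_range` parameter is the only place a real client would differ: swap in a function that performs the HTTPS request for the prefix and returns the body, and the hashing and comparison stay exactly as above. Note that a zero result only means the password is absent from that particular corpus, not that it is safe; the services in this article differ in how complete their breach data is.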

Google Password Checkup

In 2019, Google added a free browser plugin for Chrome that warned you, once you’d logged into a compromised site, if your email or password had been compromised. In October of 2019 Google began automatically checking passwords against breaches, and as of Chrome 79 began monitoring your online use to avoid getting “phished,” or lured into divulging your password under false pretenses.