Have You Been Pwned? How to Check and What to Do

Massive data breaches make the headlines on a regular basis, and the number of exposed login credentials has risen into the billions. As a privacy-concerned internet user, you need to know what to do when you have been pwned.

What Does Pwned Mean?

According to the Urban Dictionary, a crowdsourced online dictionary for slang words and phrases, there are two possible origins of pwned meaning. According to one theory, pwned originated in an online game called Warcraft, where a map designer misspelled the word owned. The second theory attributes the origin of pwned to a prominent Quake player, who also misspelled the word owned.

Regardless of which of these two possible origins of the word pwned is correct, the term has always loosely meant that someone has been dominated by someone else, first in online video games and later on the internet by hackers.

These days, regular internet users are seldom pwned in the traditional sense of the word. The focus of hackers has shifted to companies storing thousands and sometimes even millions of login credentials. When a company gets pwned, its users are automatically pwned as well.

While companies are under strict obligation to report data breaches in a timely manner, not every company obeys the rules, and those that do sometimes try to downplay the whole situation and make it seem less serious than it really is. That’s why all concerned internet users should familiarize themselves with Have I Been Pwned, a massive online database of pwned passwords and pwned email addresses.

What is Have I Been Pwned?

Have I Been Pwned was created in 2013 by Australian security researcher Troy Hunt, who has so far collected over 5,600,000,000 pwned accounts from more than 300 data breaches. “I started to wonder how many people are actually aware of just how broad this web is spreading, and how many places their data is now exposed,” said Hunt. “I want the people to be aware that they probably need to change their password, and they need to look out for unusual credit inquiries.”

On Have I Been Pwned, you can enter your email address, press Enter on your keyboard, and instantly see on how many breached sites it has been used. You can also get notified when future pwnage occurs, and your account is compromised, which means that you won’t ever again have to ask, “Have I been pwned?”

Have I Been Pwned also has a massive database of passwords in plain text that have been at some point exposed in a data breach. Hunt has come up with a clever way to allow internet users to check whether a given password has ever appeared in any breach without compromising their security. You can read more about how Have I Been Pwned protects the privacy of searched passwords here.

1Password, a password manager that provides a place for users to store various passwords, software licenses, and other sensitive information in a virtual vault, integrates with Have I Been Pwned, allowing its users to conveniently check if their passwords have been leaked on the internet. Linux users can install a small utility called Am I Pwned to verify if their passwords have been compromised directly from the command line.

What to Do If You Have Been Pwned?

“Okay, Have I Been Pwned told me that I’ve been pwned. Now what?” The most important things if one of your online accounts has been pwned is not to panic. While having your login credentials leaked on the internet can be terribly disconcerting, you need to understand that large-scale data breaches happen all the time, so you have at least some time to act and prevent further damage.

Step 1: Change Your Password

If you get pwned, you need to change your password as soon as possible. You should avoid using a password that has been leaked before, so make sure to consult Have I Been Pwned before you finalize your decision. Security experts advocate the use of long passphrases instead of random strings of letters, numbers, and special characters.

Many sites today support Multi-Factor Authentication (MFA), sometimes called 2-Factor or 2-step authentication, and we highly recommend you take advantage of it whenever possible. With MFA, you will be asked to present two or more pieces of evidence in order to be granted access. Most MFA implementations require users to enter a code from their mobile device or email account.

Step 2: Use a Unique Password for Every Online Account

People who use a unique password for every online account are affected by data breaches much less than people who reuse the same few passwords over and over again. One study from 2020 found that 53 percent of people used the same password for all their accounts.

Since then, very little has changed. “52 percent of the users studied have the same passwords (or very similar and easily hackable ones) for different services,” stated researchers at Virginia Tech University and Dashlane analysts after carrying out one of the largest empirical studies on password reuse and modification patterns.

Of course, it would be impossible to remember dozens of different passwords, which is where password managers like 1Password, LastPass, or Bitwarden come in. Password managers can suggest strong password, securely store them in an encrypted vault, and autocomplete them when you want to log in. Even though there are certain security risks associated with them, password managers have again and again proven themselves to be the easiest and safest way to store logins and passwords.

Step 3: Strengthen Your Cybersecurity Defenses

Unfortunately, there’s very little you can do to prevent large-scale data breaches, which is where most pwned emails and pwned passwords come from. However, there’s a lot you can do to strengthen your own personal cybersecurity defenses.

Email is a very common attack vector because it allows malicious hackers to distribute malware with minimal effort and alarmingly great results. Even seasoned computer users who know a lot about cybersecurity sometimes find it difficult to distinguish spam from legitimate emails, and it one mistake is all it takes to get pwned.

The good news is that you can effortlessly block unwanted senders and unsubscribe from all unwanted emails with Clean Email, a bulk email cleaner with powerful filters and intelligent algorithms that only analyze email headers and don’t access the actual content of your emails or attachments.

Clean your inbox with Clean EmailClean your inbox with Clean Email

It takes just a few minutes to get started with Clean Email, and it works with all popular email services, including Gmail, Outlook, and Yahoo.

Privacy Guard feature from Clean Email helps keep your account from getting pwned by ensuring your email wasn’t found in any known data breaches or security incidents.

Privacy Guard from Clean EmailPrivacy Guard from Clean Email

Of course, security breaches happen every day for a variety of reasons. Therefore, your email may get included in a breach. The good news is that even if your security gets breached, Privacy Guard will inform you of the issue. Once Privacy Guard has identified a potential threat, it will give you a suggestion to change your password so you can ensure your account stays secure.

How to Avoid Getting Pwned?

Visiting Have I Been Pwned and discovering that your password has been leaked online and shared by cybercriminals on the dark web is no fun. Fortunately, there are many things you can do to avoid getting pwned, and most of them don’t require any special skills.

1. Update Your Applications and Devices

Cybercriminals are constantly on a lookout for unsecured applications and devices, and they don’t hesitate to exploit any unpatched vulnerability they come across. To avoid getting pwned, you need to make sure that you’re always up to date.

Even though many applications and devices these days support automatic updates, we recommend you don’t rely on them too much. You can, however, make your life easier by using an update checker like Patch My PC or Software Updates Monitor (SUMO).

Don’t forget to check your IoT devices, such as a wireless security camera, smart door lock, or internet-connect thermostat, because leaving them unpatched would invite cyber criminals to your network.

Finally, make sure your anti-malware solution is working as it should, protecting you against the latest threats. These days, there’s no need to spend hundreds of dollars to enjoy a reliable protection against viruses, trojan horses, ransomware, and other cyber threats, so don’t hesitate to use a different anti-malware solution if you’re not satisfied with your current one.

2. Practice Safe Email Habits

Email messages are a common source of malware and scams, so you need to practice safe email habits whenever you enter your inbox. To start with, pay attention to all messages you receive and think twice before you click on anything. When an email message looks suspicious, the chances are that it really is a scam or malware.

If you’re unsure, answer the following questions:

  1. Do you know the sender?
  2. Have you been expecting this message?
  3. Does the subject line look legitimate to you?
  4. Do you feel that you should open the email?

If you’ve answered “no” to one or more of these questions, we recommend you avoid opening the email message since it’s very likely that it’s not legitimate.

3. Fight Junk Emails

Analyzing each and every email message from an unknown sender you receive can be an extremely time-consuming process, which is why it’s paramount to fight junk emails and prevent them from ever reaching your inbox.

Take advantage of Clean Email’s unsubscribe feature and get rid of all subscriptions you don’t want to receive:

  1. Go to: https://app.clean.email
  2. Sign in with your email address and password.
  3. Select the Unsubscriber feature from the left pane.
  4. Click the Unsubscribe button to unsubscribe.
Unsubscribe from emails with Clean EmailUnsubscribe from emails with Clean Email

To avoid getting on more subscription lists in the future, consider creating another email address and using it exclusively for online shopping and other activities that are likely to result in subscription emails. Use disposable email services like Guerrilla Mail when registering on websites that don’t seem trustworthy to you.

4. Use Multi-Factor Authentication

Multi-factor authentication requires you to present two or more unique pieces of evidence to gain access to your account. The first piece of evidence required is usually a password, which is followed by a temporary authentication code, fingerprint scan, or some other form of identification.

These days, multi-factor authentication is supported by virtually all major email providers, as well as countless websites and applications. With multi-factor authentication activated, a cybercriminal won’t be able to gain access to your account even if they know your password.

The only downside of multi-factor authentication is that it makes login attempts more time consuming, but that’s a small price to pay for significantly improved security.

If you would like to take multi-factor authentication to the next level, consider using a physical security token, such as YubiKey, which is a small hardware device with an encryption key on it. Without this hardware device, nobody can gain access to your account.

5. Generate a Unique Password for Each Account

The sad truth is that you can’t always avoid getting pwned because the security of your personal information and data is also in the hand of the company on which servers they are stored. The best thing you can do is accept data breaches as something inevitable and do as much as possible to minimize the fallout.

More specifically, you should generate a unique password for each account you have. This can be easily done with the help of a password manager like Bitwarden. A password manager can safely store your passwords, keep them synchronized across your devices, and automatically fill login fields to save you time.


If you’ve been pwned, you’re certainly not alone. Countless people become the victims of large-scale data breaches every day, and many more get pwned by spammers sending malicious links via email. In this article, we’ve explained how you can find out if you’ve been pwned and the steps you should take to prevent further damage.

Have You Been Pwned - FAQs

Is have I been pwned legit?

Yes, "Have I Been Pwned" service is completely legit. This source helps you identify if your data has gotten used without your knowledge. Today, you can never be too careful. Considering data breaching incidents can affect hundreds or thousands of email accounts at once, it is difficult to track where your data and information get used. So, using a resource like "Have I Been Pwned" helps you maintain a handle on your information and who may have access to it.

Is being pwned dangerous?

Yes, unfortunately, being pwned can be extremely dangerous. Due to the sad commonality of being hacked and companies trying to downplay the severity of any incidents that occur, people tend to think of being pwned as no big deal. However, being pwned can lead to identity theft which could take years of fees, legal problems, and immense stress to resolve. That is why it is so important to have an identifying agent like Privacy Guard from Clean Email on your side.

What happens if I have been pwned?

If you get pwned, hackers will take control of your accounts. They could lock you out, but more embarrassingly, they can send spam, malware-ridden, or phishing emails to your contacts. While most people understand that getting hacked is an unfortunate reality, not taking the right precautions could get you into trouble with your job or even personally if the hacker uses your information to pwn someone else.

How does Google know my passwords are compromised?

Google has a built-in password manager. This password manager is what checks if passwords are weak and also checks if your password is compromised. The manager can check automatically when you log into websites, but you can check your password manually through this process: Settings → Passwords → Check passwords → Check Now. If the password manager determines that your password is compromised, you should take security actions immediately.

How secure is your password?

The security of your password depends on the length and complication of your password, the type of encryption you are using, and whether you are using a VPN, a stable, private internet connection, or the least secure of all, public WiFi. Security experts advise that passwords should be 16 characters or more, with a variation of letters, numbers, and special characters. This length and complication are difficult for most people. So, this would be where a password manager comes in handy. Plus, it is recommended to use only one password per account and always enable two-factor authorization.

Try Clean Email for Free
*****4.4based on 1011 user reviews
Get Started
InboxClean Your Mailbox

Tools like Quick Clean and Smart Views to help you quickly clean out an overloaded inbox

Mute unwanted emailsUnsubscribe

Keep unwanted emails out of your Inbox by unsubscribing - even from email lists that don’t have an unsubscribe link

Clean your emailsKeep it Clean

Automate repetitive with Auto Clean rules to archive emails as they become old or sort them into folders

Use filters to find emails you want to clean.Arrow
Screener FeatureArrow
Auto CleanArrow
Sender SettingsArrow