Over 12 billion accounts have been exposed in data breaches. Here's how to check if yours is one of them — and the exact steps to take if it is.
I got the notification on a Tuesday afternoon. "Your information was found in a data breach." The service that sent the alert was one I hadn't used in four years. A forum for a hobby I'd long since abandoned. The breach had exposed my email address, a hashed password, my IP address at the time of registration, and my date of birth — which I'd entered honestly because in 2019 I didn't think twice about it.
That password? I'd reused it on three other services. One of them was my primary email.
I spent the next six hours changing passwords, enabling two-factor authentication on everything I could find, and sitting with the uncomfortable realization that my digital life had been one lazy credential-stuffing attack away from complete compromise. For four years.
This is the post I wish I'd read before that Tuesday. Not the sanitized corporate version that tells you to "remain vigilant." The real version — what data breaches actually expose, how to check if you're affected, and the exact steps to take when you are. Because statistically, you are.
The numbers are genuinely staggering. As of early 2026, over 12 billion account records have been exposed in confirmed data breaches. That's not 12 billion unique people — many of us appear in multiple breaches — but it means the odds of your email address being in at least one breach database are extremely high.
Let me put this in perspective. If you've had an email address since 2010 and used it to sign up for more than a dozen services, you've almost certainly been breached. The question isn't whether your data has been exposed. It's how many times, and what was taken.
The breach landscape has also changed. A decade ago, breaches were big news. Yahoo losing 3 billion accounts made global headlines for weeks. Now, a breach affecting 10 million users barely makes it past the tech news cycle. We've developed breach fatigue — and that's exactly what attackers are counting on.
Understanding the scale helps you understand why checking matters. Here are the breaches that reshaped the internet:
Yahoo (2013-2014): 3 billion accounts. Every single Yahoo account that existed. Names, email addresses, dates of birth, hashed passwords, and in some cases, security questions and answers. Yahoo didn't disclose the 2013 breach until late 2016, and only in 2017 admitted it covered all 3 billion accounts rather than the 1 billion first announced. If you had a Yahoo account in 2014, your data was stolen. Period.
LinkedIn (2012, disclosed 2016): 164 million accounts. Email addresses and passwords hashed with unsalted SHA-1, which modern GPU crackers chew through at billions of guesses per second. The stolen data was sold on dark web markets for years. LinkedIn only admitted the full scope four years after the breach.
Facebook (2019): 533 million accounts across 106 countries. Phone numbers, full names, locations, email addresses, biographical information, scraped through a flaw in the contact-import feature rather than by breaking into a database. This data was posted freely on a hacking forum in 2021. Facebook's response was essentially "this is old data" — as if your phone number changes every year.
Equifax (2017): 147 million Americans. Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers. This wasn't a social media account. This was a credit bureau — a company most people never chose to do business with — losing the most sensitive financial data possible.
Collection #1-5 (2019): 2.2 billion unique email/password combinations aggregated from multiple breaches and sold as a single package. Not a single breach, but a compilation — essentially a master key set assembled from years of stolen data.
MOVEit (2023): Over 2,600 organizations and 77 million individuals affected through a single vulnerability, an SQL injection flaw in Progress's MOVEit Transfer file transfer product, exploited at scale by the Cl0p ransomware group. This one demonstrated how supply chain attacks can cascade — one vulnerable product, thousands of compromised organizations.
These are just the headliners. There are thousands of smaller breaches every year that collectively expose billions more records.
Not all breaches are equal. What gets exposed depends on what the breached service collected in the first place — which is a good argument for giving companies as little data as possible.
Almost always exposed:
Frequently exposed:
Sometimes exposed:
The worst case:
The type of data exposed determines your risk level. An email address alone is low-risk — you'll get more spam. An email plus a plaintext password is high-risk — attackers will try that combination on every major service within hours. An email plus SSN plus date of birth is critical — that's enough for identity theft.
You'll see these terms thrown around, and they mean different things:
Breach: A direct compromise of a service's database. Someone broke into LinkedIn's servers and copied the user table. The data comes from one specific source.
Paste: Data posted to a public paste site (like Pastebin or its successors). Attackers often dump samples of breached data to prove they have it, to share it with other attackers, or just to show off. A "paste" means your data appeared in one of these public dumps.
Combo list: A compiled list of email/password pairs aggregated from multiple breaches. These are the shopping lists that credential-stuffing bots use. Someone takes the LinkedIn breach, the Adobe breach, the Dropbox breach, and dozens of smaller ones, deduplicates them, and creates a master list. Collection #1-5 was essentially a mega combo list.
Stealer log: A newer category. Malware on someone's computer captures every credential they type or that's stored in their browser. These logs contain not just email/password pairs but also the URL they belong to, cookies, and sometimes autofill data including credit cards. Stealer logs are particularly dangerous because they capture current, active credentials — not old ones from a breach three years ago.
Understanding these categories matters because they affect your response. If your data appears in a breach from 2015, you probably already changed that password (I hope). If it appears in a fresh stealer log, someone might have access to your accounts right now.
There are several legitimate services that aggregate breach data and let you check your email address against their databases.
Have I Been Pwned (HIBP): The gold standard. Created by security researcher Troy Hunt, HIBP has indexed over 700 data breaches containing more than 12 billion accounts. You enter your email, and it tells you which breaches you appear in and what data was exposed. Its companion service, Pwned Passwords, lets you check whether a specific password has appeared in a breach without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine. It's free, it's trustworthy, and Troy has been transparent about how the service operates since day one.
Firefox Monitor (now Mozilla Monitor): Built on top of HIBP's database, integrated into Firefox. If you use Firefox, you may have already received breach notifications without signing up for anything.
Google Password Checkup: If you use Chrome and save passwords in Google's password manager, this checks your stored credentials against known breached databases. It doesn't just check your email — it checks specific email/password combinations, which is more useful.
Apple's built-in detection: If you use iCloud Keychain, Apple checks your saved passwords against known breaches and warns you directly in Settings > Passwords (the Passwords app on newer iOS and macOS versions).
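The k-anonymity trick behind Pwned Passwords and the browser password checkers is worth seeing in code. The following is an added example written for this post, not code from HIBP or any browser vendor: it hashes the password locally, sends only the first five hex characters of the SHA-1 digest to the range endpoint, and does the suffix match on your own machine. The range response used below is constructed for the demo (the suffix for `password` is real, the counts and other entries are made up) so the check runs offline; the `fetch_range_live` function calls the public `api.pwnedpasswords.com/range/` endpoint if you swap it in.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Only the first five hex characters of the SHA-1 hash ever leave the machine;
the service returns every suffix sharing that prefix and the comparison is
done locally. Constructed sample data is used here so the demo runs offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range from HIBP. The Add-Padding header makes every
    response a similar size so a network observer can't infer a hit from
    the response length; padded entries come back with a count of 0."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range_live) -> int:
    """Return how many times the password appeared in known breaches
    (0 = not found). `fetch` is injectable so the logic can be exercised
    against sample data without network access."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# The counts and the other two suffixes are made up for the demo; the
# count-0 line mimics the padding the real API adds when asked.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live; unknown prefixes yield no rows."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fetch=fetch_range_sample)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

The design point is that the server learns a 20-bit prefix shared by hundreds of hashes, never the password or its full hash, which is why it is safe to run this against passwords you actually use. Treat any non-zero count as "change it"; the magnitude only tells you how popular the password is with attackers.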
Here's what you should actually do:
Don't just check your primary email. Check that old Hotmail address. The Gmail you made for a specific purpose. The work email. The throwaway you used for sketchy sign-ups. Each one is a potential entry point.
Finding out you're in a breach can feel overwhelming. Here's the exact sequence I follow, in priority order:
You've been in this breach for however long it took to be discovered and reported. The data has been circulating. But every hour you wait to respond is another hour someone could be using your credentials. Treat it with urgency, not panic.
Log into the breached service and change your password immediately. If you can't log in because someone already changed it, use the account recovery flow. If that doesn't work, contact the service's support directly.
Your new password should be:
This is the painful step. If you reused the breached password on other services — and be honest with yourself about this — you need to change it on every one of them. Not tomorrow. Today. Right now.
Credential stuffing attacks are automated. Within hours of a breach being made available, bots are testing those email/password combinations against hundreds of popular services. They'll try your Gmail, your bank, your Amazon, your PayPal. If the password works, they're in.
On the breached service and on every service that supports it — especially email, banking, and social media. More on this in a dedicated section below.
Look at recent activity on the breached service and on any service where you reused the password:
If the breach included credit card numbers, bank details, or SSN:
If SSN, passport numbers, or driver's license numbers were leaked:
Save screenshots of breach notifications, activity logs, and any unauthorized access you discover. If this escalates to identity theft, you'll need documentation for disputes, police reports, and insurance claims.
Let me be blunt: password reuse is the single biggest security risk most people face online. Not sophisticated zero-day exploits. Not nation-state hackers. Reusing the same password across multiple services.
Here's how the attack works:
This isn't theoretical. Credential stuffing is one of the most common attack vectors on the internet. It works because people reuse passwords. Every single time a major breach happens, there's a corresponding spike in account takeovers on unrelated services — because millions of people used the same password everywhere.
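From the defender's side, credential stuffing has a recognizable shape in authentication logs: one source address, many distinct usernames, a failure rate near 100%, and the occasional success where a reused password still works. The script below is an added example written for this post, not a tool the post or any vendor ships. The log format and the log lines are constructed for the demo (RFC 5737 documentation addresses and example.com accounts); the thresholds are illustrative assumptions you would tune to your own traffic.

```python
"""Flag credential-stuffing sources in a constructed authentication log.

Each line: "<ISO timestamp> ip=<addr> user=<email> result=OK|FAIL"
A stuffing bot replays breach-sourced email/password pairs, so per source IP
we look for many distinct usernames with a high failure rate, and report any
account that did log in from such a source as a likely takeover.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample log: a normal login, a user fat-fingering their own
# password, and one bot cycling through eight accounts in seven seconds.
SAMPLE_LOG = """\
2026-01-14T10:00:01Z ip=198.51.100.4 user=alice@example.com result=OK
2026-01-14T10:00:40Z ip=198.51.100.9 user=dave@example.com result=FAIL
2026-01-14T10:00:52Z ip=198.51.100.9 user=dave@example.com result=FAIL
2026-01-14T10:01:10Z ip=198.51.100.9 user=dave@example.com result=OK
2026-01-14T10:02:00Z ip=203.0.113.7 user=bob@example.com result=FAIL
2026-01-14T10:02:01Z ip=203.0.113.7 user=carol@example.com result=FAIL
2026-01-14T10:02:02Z ip=203.0.113.7 user=dave@example.com result=FAIL
2026-01-14T10:02:03Z ip=203.0.113.7 user=erin@example.com result=OK
2026-01-14T10:02:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2026-01-14T10:02:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2026-01-14T10:02:06Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2026-01-14T10:02:07Z ip=203.0.113.7 user=ivan@example.com result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # accounts that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Return (timestamp, ip, user, succeeded) for one log line."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["ip"], fields["user"], fields["result"] == "OK"


def aggregate(log: str) -> dict:
    """Roll the log up into per-source-IP statistics."""
    stats = defaultdict(SourceStats)
    for line in log.splitlines():
        if not line.strip():
            continue
        when, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
        s.first = when if s.first is None else min(s.first, when)
        s.last = when if s.last is None else max(s.last, when)
    return stats


def find_stuffing(log: str, min_distinct_users: int = 5,
                  min_fail_rate: float = 0.8) -> list:
    """Return one finding per source IP that looks like a stuffing bot.
    Thresholds are illustrative assumptions, not tuned production values.
    A legitimate user retrying their own password has one distinct username
    and so never trips the distinct-user rule, however many times they fail."""
    findings = []
    for ip, s in aggregate(log).items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_rate >= min_fail_rate:
            span = max((s.last - s.first).total_seconds(), 1.0)
            findings.append({
                "ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_rate": fail_rate,
                "attempts_per_minute": round(s.attempts / span * 60, 1),
                "compromised": sorted(s.successes),  # force resets here first
            })
    return findings


if __name__ == "__main__":
    for f in find_stuffing(SAMPLE_LOG):
        print(f)
```

The "compromised" list is the actionable output: those are the accounts whose reused password just worked, and they need a forced reset and session invalidation before the attacker cashes them in. Rate limiting by IP alone misses bots that rotate through residential proxies, which is why the distinct-username signal matters more than raw attempt volume.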
The solution is a password manager. I don't care which one. 1Password, Bitwarden, KeePass, Dashlane, the one built into your browser — any of them. The point is:
"But what if the password manager gets breached?" I hear this objection constantly. Good password managers never store your master password: they run it through a deliberately slow key derivation function (PBKDF2 or Argon2) and use the result to encrypt your vault. Even if their servers are breached, attackers get encrypted blobs they can't decrypt without your master password. This has actually happened — LastPass was breached in 2022 — and while the incident was handled poorly, users with strong master passwords were not directly compromised. Two caveats from that incident are worth knowing: some vault fields, such as website URLs, were stored unencrypted, and users with short master passwords or old accounts with very low iteration counts were exposed to offline cracking.
The risk of one encrypted vault potentially being exposed is vastly lower than the certainty that your reused password is in multiple breach databases right now.
Two-factor authentication (2FA) means that even if someone has your password, they can't log in without a second factor — something you have (a phone, a hardware key) in addition to something you know (your password).
Not all 2FA is equal:
Your phone receives a text message with a code. This is the most common type and the weakest. SIM swapping attacks — where an attacker convinces your carrier to transfer your number to their SIM — can bypass SMS 2FA, and a phishing page can simply ask you for the code and relay it. It's still better than no 2FA at all, but treat it as a minimum, not a goal.
Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based one-time passwords (TOTP). The app and the server share a secret; every 30 seconds each side computes a short code from that secret and the current time, so nothing travels over the phone network and a SIM swap gains the attacker nothing. A TOTP code can still be phished by a real-time proxy site that relays it within its 30-second window, so it isn't the final word, but it is what I recommend for most people on most services.
Setup is straightforward:
Physical devices like YubiKey that you plug into your computer or tap against your phone. These are phishing-resistant — even if you're tricked into entering your password on a fake site, the key won't authenticate because its response is cryptographically bound to the site's origin: a lookalike domain gets a signature that is useless on the real one. Passkeys work on the same principle. This is the gold standard.
In order of priority:
Beyond manually checking, you can set up automatic monitoring:
Have I Been Pwned notifications: Free. Enter your email, get notified when it appears in a new breach. This is the minimum everyone should do.
Password manager monitoring: Most modern password managers (1Password Watchtower, Bitwarden Reports, Dashlane Dark Web Monitoring) cross-reference your saved credentials against breach databases. Since they know your actual passwords, they can tell you not just "your email was in a breach" but "this specific password was compromised."
Credit monitoring services: Equifax, Experian, and TransUnion all offer monitoring. You often get free monitoring as part of a breach settlement (the irony of Equifax offering credit monitoring after losing everyone's credit data is not lost on me).
Identity theft protection services: LifeLock, Identity Guard, Aura, etc. These combine credit monitoring, dark web scanning, and insurance against identity theft losses. Whether they're worth the subscription cost depends on your risk profile.
"We monitor the dark web for your personal information." Every identity protection service advertises this. But what does it actually mean?
The "dark web" in this context refers to underground forums, marketplaces, and paste sites where stolen data is traded. Monitoring services use a combination of automated crawling and human intelligence to detect when your data appears in these spaces.
Here's my honest assessment:
What it can do:
What it can't do:
Is it worth paying for? For most people, free monitoring through HIBP and your password manager provides 80% of the value. Paid dark web monitoring adds marginal benefit. The exception is if you're at elevated risk — a public figure, someone who's already been a victim of identity theft, or someone whose breached data included highly sensitive information like SSN or financial accounts.
The money you'd spend on dark web monitoring is almost certainly better spent on a good password manager and a hardware security key.
If you're responsible for a business and you discover a breach — or suspect one — the playbook is different:
The companies that handle breaches well — and there are a few — are the ones that communicate honestly, act quickly, and prioritize affected users over PR damage control.
There's a real phenomenon where people receive their fifth breach notification and just... delete it. I get it. When every other month brings news of another massive breach, it's tempting to throw your hands up and accept that privacy is dead.
This is dangerous for three reasons:
1. Cumulative exposure. Each breach by itself might seem minor — an email here, a name there. But attackers combine data from multiple breaches to build complete profiles. Your email from breach A, your password from breach B, your phone number from breach C, and your address from breach D gives them everything they need.
2. Fresh data matters. Older breaches get stale — you've hopefully changed passwords since then. But each new breach potentially exposes current credentials and data. Ignoring a notification because "I'm probably already breached" means ignoring the one that actually has your current password.
3. The attack surface grows. Every new service you sign up for is another potential breach point. The average person has 100+ online accounts. Each one is a bet that the service's security is adequate. Some of those bets will lose.
The antidote to breach fatigue isn't hyper-vigilance about every news headline. It's building a security posture that assumes breaches will happen and minimizes their impact:
When you have these in place, a breach notification becomes a minor inconvenience — change one password, check for unauthorized access, move on — instead of a crisis.
| Service | Cost | Breach Database | Real-Time Alerts | Password Check | Dark Web Scan |
|---|---|---|---|---|---|
| Have I Been Pwned | Free | 700+ breaches, 12B+ accounts | Yes (email) | Yes (Pwned Passwords) | No |
| Firefox Monitor | Free | Uses HIBP data | Yes (for Firefox users) | No | No |
| Google Password Checkup | Free | Google's database | Yes (Chrome users) | Yes | No |
| Apple Passwords | Free | Apple's database | Yes (Apple users) | Yes | No |
| 1Password Watchtower | $3-5/mo (with manager) | Uses HIBP + proprietary | Yes | Yes | Limited |
| Bitwarden Reports | Free tier available | Uses HIBP | Yes | Yes | Premium only |
| Identity Guard | $8-33/mo | Proprietary | Yes | No | Yes |
| Aura | $12-37/mo | Proprietary | Yes | No | Yes |
| LifeLock | $12-35/mo | Proprietary | Yes | No | Yes |
My recommendation: Start with Have I Been Pwned (free) and your browser's built-in password checker. If you use a password manager — and you should — enable its breach monitoring features. Only consider paid identity protection if you have elevated risk factors.
Beyond responding to past breaches, here's how to reduce your future exposure:
Minimize your data footprint. Every piece of information you give a service is data that can be breached. Use a throwaway email for low-stakes sign-ups. Don't provide optional information. Lie on security questions (and store the lies in your password manager).
Use email aliases. Services like SimpleLogin, AnonAddy (now addy.io), or the built-in aliasing in iCloud (Hide My Email) and Firefox Relay let you create unique email addresses for each service. When one gets breached, you know exactly which service leaked it, and you can disable just that alias.
Regular account cleanup. Delete accounts you no longer use. Every dormant account is a breach waiting to happen, with credentials you've probably forgotten about. Most services have account deletion options buried in settings. Use them.
Keep software updated. Many breaches exploit known vulnerabilities in outdated software. Keep your operating system, browser, and apps updated. Enable automatic updates where possible.
Be skeptical of breach notification emails. Ironically, phishing emails often impersonate breach notifications. "Your account has been compromised — click here to reset your password." Always go directly to the service's website, or to its app, instead of clicking links in emails, and check that the sender's domain is actually the service's.
Data breaches aren't going away. The sheer volume of data we entrust to online services, combined with the reality that security is hard and not every company prioritizes it, means that breaches will continue to happen. Your data will continue to be exposed.
The goal isn't to be breach-proof — that's not possible in 2026. The goal is to be breach-resilient. To build habits and use tools that make each individual breach a minor event rather than a catastrophe.
Check your email against known breaches today. Set up monitoring so you hear about future ones promptly. Use a password manager with unique passwords. Enable 2FA on everything important. And when the next breach notification arrives — because it will — you'll be ready to handle it in minutes instead of hours.
Your digital security isn't a single action. It's an ongoing practice. But it doesn't have to be a burden. The right tools — from breach checkers to password generators to hash verification utilities — make it manageable. The hardest part is starting. So start today. Check your email. You might be surprised — or maybe not surprised at all — by what you find.