AshetraceGet assessment
A laptop on a desk showing a website search field, the moment someone checks whether their email turned up in a data breach.

Threat Intelligence

Have I Been Pwned says I was breached: what should I do?

If Have I Been Pwned says you were pwned, it means your email address turned up in a data breach or malware stealer log that the service has indexed, so at least some of your data is already public. It's a signal to act, not proof your account is currently hijacked. Start by checking what actually leaked, reset any reused password, then revoke live sessions, because a reset alone doesn't kill a stolen session. HIBP currently tracks more than 17.6 billion pwned accounts across 1,018 breached sites.

Key takeaways
  • HIBP indexes 17,685,309,968 pwned accounts across 1,018 breached websites, so an alert is common, not a rare emergency (Have I Been Pwned).
  • Check whether your password leaked, not just your email: a Cybernews study of 19 billion leaked passwords found only 6% were unique (Cybernews 2025).
  • Reuse is the real risk multiplier: 70% of users exposed in breaches reused compromised passwords across accounts (SpyCloud 2025).
  • A password reset does not end an attacker's active session; stolen session cookies stay valid until they expire or are revoked (Recorded Future).
  • If your address shows up in stealer logs, the problem is an infected device, not one site: a single 2025 HIBP load added 284 million unique emails from 23 billion rows (Troy Hunt).

What does it mean when Have I Been Pwned says you were 'pwned'?

It means your email address, and sometimes an associated password, appeared in a dataset from a known breach or malware log that Have I Been Pwned has loaded. The service currently tracks 17,685,309,968 pwned accounts across 1,018 breached websites (Have I Been Pwned). Being listed confirms your data is circulating, but it doesn't prove the account is compromised right now.

"Pwned" is old hacker slang for owned or taken over. HIBP is an index of breach and stealer-log data, built so anyone can check whether their address appears in an incident and see exactly which one (Have I Been Pwned FAQs). It's a lookup service, not an alarm that your bank is being drained.

So treat the alert as a starting point, not a verdict. One notification can mean anything from a leaked marketing email list to a full credential dump with your working password inside. The next few checks tell you which case you're in, and how urgently to move.

How do you find out exactly what data was exposed?

Have I Been Pwned indexes more than 17.6 billion breached accounts, each entry listing exactly what leaked (Have I Been Pwned). Open the specific breach HIBP names and read its data classes. Every breach entry spells out precisely what leaked, from email addresses and usernames to passwords, phone numbers and IP addresses (Have I Been Pwned FAQs). That list is the difference between a minor nuisance and an account you need to lock down tonight.

Sort what you find by sensitivity. An exposed email plus a marketing preference is low stakes. An exposed email plus a password, security question or session data is high stakes, because those can be replayed directly. If HIBP tags the source as a stealer log rather than a website breach, skip ahead: that points at an infected device, covered below.

17.6BPwned accounts indexed by Have I Been Pwned
1,018Breached websites loaded into HIBP
284MUnique emails in one 2025 stealer-log load (Troy Hunt)

Did your password actually leak, or just your email?

Troy Hunt's ALIEN TXTBASE load added 493 million email-and-website pairs from stealer logs, not just bare emails (Troy Hunt). This distinction sets your whole response. Many breaches expose only email addresses and profile fields; others expose passwords, sometimes hashed, sometimes in plaintext. To check a specific password safely, use HIBP's Pwned Passwords tool, which searches with k-anonymity so the full password never leaves your browser (Have I Been Pwned FAQs).

If a password of yours is in there, assume it's burned everywhere you used it. A Cybernews analysis of more than 19 billion leaked passwords found just 6% were unique, meaning 94% were reused or duplicated (Cybernews 2025). Attackers count on that overlap.

How many leaked passwords are actually unique
94% reused Reused or duplicated passwords 94% of 19 billion analyzed Unique passwords just 6%
Of 19 billion passwords leaked in 2024 to 2025, only 6% were unique. Source: Cybernews 2025.

Does it matter if the breach is old?

About 70% of exposed users reused a previously compromised password, so old data still opens new doors (SpyCloud). It matters less than people hope. A breach dated years ago means the data has circulated longer, so the odds it's already been tried against your accounts are higher, not lower. Many entries in HIBP go back well over a decade, and the passwords inside stay dangerous as long as you keep reusing them (Have I Been Pwned FAQs).

The age of the breach is almost irrelevant next to your own reuse. SpyCloud found 70% of users exposed in breaches reused compromised passwords across multiple accounts (SpyCloud 2025). If you never changed a leaked password and used it elsewhere, a 2016 breach is a live 2026 problem.

Should you change your password on other sites too?

Yes, anywhere you reused the leaked password. Attackers automate credential stuffing, replaying one leaked email and password pair against dozens of services until something opens. With 94% of leaked passwords reused (Cybernews 2025), the one you just found on HIBP is probably the key to more than the account that leaked it.

Password reuse across three 2025 studies
Leaked passwords that were reused (Cybernews) 94% Users who reuse across more than one site (Bitwarden) 84% Breach-exposed users who reused a compromised password (SpyCloud) 70%
Independent 2025 studies converge on the same problem: most people reuse passwords. Sources: Cybernews, Bitwarden, SpyCloud.

The fix is boring and effective: give every account its own long, random password from a manager, and turn on multi-factor authentication where it's offered. Bitwarden's 2025 survey found 84% of people reuse a password across more than one site, so unique passwords alone put you ahead of most users (Bitwarden 2025).

Why doesn't changing your password end an active session?

SpyCloud recaptured about 17 billion stolen cookies in 2024, each usable after a password change (SpyCloud). Because a session cookie is a separate credential with its own lifetime. When you sign in, the server hands your browser a token that says this session is already authenticated. Replaying that token skips both the password and the MFA prompt, so a reset leaves it working. Recorded Future documents this session-hijacking bypass in detail (Recorded Future).

17BMalware-stolen cookies recaptured in 2024 (SpyCloud)
1,861Cookies harvested per infostealer infection, on average (SpyCloud)
44Credentials harvested per infection, on average (SpyCloud)

So after you reset, take the second step most people skip: sign out of all sessions. Most major services offer a "log out everywhere" or "active sessions" control that revokes existing tokens. SpyCloud recaptured roughly 17 billion malware-stolen cookies in 2024 (SpyCloud 2025), each one a way back in that a new password never touches.

When should you investigate your device, not just one account?

When HIBP flags your address in a stealer log rather than a single site breach. A stealer log is the output of malware on a device, so the exposure isn't one leaked website, it's every password and cookie saved on that machine. One 2025 HIBP load processed 23 billion rows of stealer-log data covering 284 million unique email addresses and 493 million email-and-website pairs (Troy Hunt 2025).

Why a stealer log means the device, not one site
01 One infected device 02 One stealer log 03 Every saved login and cookie leaks

For an individual, that means running a full malware scan, rebuilding if needed, and rotating every credential the device touched. For a company, one infected employee or contractor device can leak dozens of corporate logins at once. That post-compromise exposure is what Ashetrace is built for: verify a domain you control and map which identities appear in stealer logs, without handing over any passwords, cookies or tokens.

What's the right order of steps after a pwned alert?

Work from the most direct exposure outward. Because stolen credentials are the top initial-access action in 22% of breaches (Verizon 2025 DBIR), the goal is to close every replayable secret before someone else uses it:

  • Read the breach entry HIBP names and note the exact data classes exposed.
  • Change the password on the breached account, then on every other site where you reused it.
  • Turn on multi-factor authentication anywhere it's offered.
  • Revoke active sessions with "log out everywhere" so stolen cookies stop working.
  • If the source is a stealer log, scan and clean the device, then rotate every credential it stored.
  • Switch to a password manager so every account gets its own unique password going forward.

None of this requires paying anyone or panicking. It requires order. Detection tools like Have I Been Pwned tell you the exposure exists; a calm, sequenced response is what actually closes it before a reused password or a live session turns one alert into a real account takeover.

Frequently asked

What does it mean when Have I Been Pwned says I was pwned?

It means your email address, and sometimes a password, appeared in a breach or malware stealer log that HIBP has indexed. It confirms your data is circulating, not that your account is actively hijacked. HIBP tracks over 17.6 billion pwned accounts across 1,018 breached websites (Have I Been Pwned).

Was my password leaked, or just my email?

Check the specific breach entry, which lists the exact data classes exposed, then test a password with HIBP's Pwned Passwords tool, which uses k-anonymity so the full password never leaves your browser. Assume reuse is dangerous: a Cybernews study of 19 billion passwords found only 6% were unique (Cybernews 2025).

Do I need to change passwords on other sites too?

Yes, anywhere you reused the leaked password, because attackers automate credential stuffing across services. SpyCloud found 70% of breach-exposed users reused compromised passwords, and Cybernews found 94% of leaked passwords were reused or duplicated (SpyCloud 2025, Cybernews 2025). Give each account a unique password.

Does it matter if the breach is old?

Not much. Older data has circulated longer, so it may already have been tried against your accounts. What matters is reuse: a password from a decade-old breach stays dangerous while you keep using it. SpyCloud found 70% of exposed users reused compromised passwords (SpyCloud 2025).

Why isn't changing my password enough after a breach?

A reset invalidates the password, but a stolen session cookie is a separate credential that stays valid until it expires or is revoked, letting attackers skip login and MFA. SpyCloud recaptured about 17 billion malware-stolen cookies in 2024, so revoke active sessions too (SpyCloud 2025, Recorded Future).

Sources
  1. Have I Been Pwned, Have I Been Pwned homepage (live pwned account count) (2026)
  2. Have I Been Pwned, Frequently Asked Questions (2026)
  3. Troy Hunt, Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs (2025)
  4. SpyCloud, 2025 Annual Identity Exposure Report (2025)
  5. Cybernews, 19 billion passwords leaked, 94% reused or weak, study reveals (2025)
  6. Bitwarden, World Password Day Global Survey 2025 (2025)
  7. Recorded Future, Session Hijacking and MFA Bypass
  8. Verizon, 2025 Data Breach Investigations Report (DBIR) (2025)
Share

Start here

See what is still exposed in your environment

Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.

Request an exposure assessment