Overview
HaveIBeenPwned (HIBP) provides a public resource and API for identifying whether email addresses, usernames, and passwords have been compromised in data breaches. Established in 2013 by security researcher Troy Hunt, HIBP aggregates data from numerous breaches, making it searchable by the public and integratable into applications via its API. The service primarily addresses the pervasive issue of credential theft and reuse, which can lead to account takeovers and further security incidents across various online platforms.
The HIBP API is designed for both individual users and organizations. Individuals can use the web interface to check their own email addresses or specific passwords. Organizations, developers, and security professionals can integrate the API into their systems to perform bulk checks, monitor user accounts for compromises, or validate password strength against known breached passwords. This integration helps enforce stronger security policies and proactively alert users to potential risks.
HIBP offers two primary API functionalities: the Breach API and the Pwned Passwords API. The Breach API allows developers to query all known data breaches involving a specific email address or domain. This can reveal which services a user's data might have been exposed through, including the types of data compromised (e.g., names, email addresses, passwords, phone numbers). The Pwned Passwords API enables checking if a password has appeared in any known data breach. Critically, this API employs a k-anonymity model, which allows for secure password checks without transmitting the full password to the HIBP service, thereby protecting user privacy.
The service is particularly valuable for applications requiring user authentication, such as identity providers, password managers, and enterprise security platforms. By integrating HIBP, these systems can prevent users from setting passwords that are already compromised or alert them if their existing credentials appear in a new breach. This proactive approach to security helps reduce the attack surface for common threats like credential stuffing. For example, a service like Experian IdentityWorks might use similar data sources to provide dark web monitoring services to its users, demonstrating the broader industry need for such breach intelligence.
HIBP's operational model emphasizes transparency and data integrity. Breach data is meticulously verified before being added to the database, ensuring that the information provided is accurate and actionable. The service is supported by donations and sponsored by Cloudflare, ensuring its continued availability as a public good for internet security. Developers note the API's straightforward nature and comprehensive documentation, facilitating easier integration into diverse applications and security workflows.
Key features
- Breach API: Allows querying for all data breaches an email address or domain has been involved in, providing details about the compromised services and data types.
- Pwned Passwords API: Enables checking if a specific password has been exposed in any known data breach using a k-anonymity protocol to protect user privacy.
- Domain Search: Organizations can search for all pwned accounts on their own domains to identify compromised employee credentials.
- Notification Service: Users can subscribe to receive email notifications if their email address appears in a newly discovered data breach.
- Data Aggregation: Consolidates records from thousands of publicly disclosed data breaches, providing a centralized and updated database.
- K-Anonymity for Passwords: Implements a privacy-preserving method for checking passwords, where only the first 5 hexadecimal characters of the password's SHA-1 hash are sent to the API; the remaining 35 characters are compared locally against the returned candidates.
Pricing
HaveIBeenPwned offers a free tier for personal and non-commercial use, with paid tiers available for organizational and commercial applications based on request volume and additional features. Pricing details are subject to change; refer to the official HIBP pricing page for the most current information.
| Tier | Monthly Requests (Approx.) | Features | Price (Approx. as of 2026-05-28) |
|---|---|---|---|
| Personal/Non-commercial | Up to 2,500 | Breach API, Pwned Passwords API, email notifications | Free |
| HIBP for Organizations (Small) | 25,000 | All free features, higher rate limits, commercial use | ~£30/month |
| HIBP for Organizations (Medium) | 100,000 | All features, higher rate limits, commercial use | ~£100/month |
| HIBP for Organizations (Large) | 500,000+ | All features, custom rate limits, dedicated support | Custom pricing |
Common integrations
- Identity and Access Management (IAM) Systems: Integrate HIBP to prevent users from setting compromised passwords during registration or password resets.
- Password Managers: Many password managers incorporate HIBP's Pwned Passwords API to alert users if their stored passwords have been compromised.
- Security Information and Event Management (SIEM) Systems: Feed HIBP data into SIEMs to correlate with other security events and identify at-risk users.
- Customer Relationship Management (CRM) Platforms: Monitor customer email addresses for breaches to proactively inform them of potential compromises.
- Endpoint Detection and Response (EDR) Solutions: Use HIBP data to assess the risk associated with user accounts on monitored endpoints.
- Custom Applications: Developers integrate HIBP into bespoke applications to add a layer of breach detection and password security.
Alternatives
- SpyCloud: Offers breach data recovery and account takeover prevention for enterprises.
- Dark Web ID (IdentityForce): Provides dark web monitoring for personal and business credentials.
- Experian IdentityWorks: Consumer identity theft protection service that includes dark web surveillance.
Getting started
To use the HaveIBeenPwned API, you'll typically need an API key for organizational use. For the Pwned Passwords API, you can make unauthenticated requests using the k-anonymity protocol. Here's an example using Python to check if a password has been pwned:
```python
import hashlib
import requests

def check_pwned_password(password):
    # Hash locally; only the first 5 hex characters of the SHA-1 digest leave the machine.
    sha1_password = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    prefix = sha1_password[:5]
    suffix = sha1_password[5:]
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    response = requests.get(url, timeout=10)
    if response.status_code == 200:
        # Each line is "SUFFIX:COUNT" for every breached hash sharing the 5-character prefix.
        hashes = response.text.splitlines()
        for h in hashes:
            # Split into hash suffix and count, e.g., "00A3C57B77A9778F366E3A334E2:12345"
            parts = h.split(':')
            if len(parts) == 2:
                found_suffix = parts[0]
                count = int(parts[1])
                if found_suffix == suffix:
                    print(f"Password found {count} times in breaches. Change it immediately!")
                    return True
        print("Good news - that password was not found in any breaches we know of!")
        return False
    else:
        print(f"Error checking password: {response.status_code}")
        return None

# Example usage:
check_pwned_password("password123")
check_pwned_password("MyStrongPassword123!")
```
This Python example demonstrates how to use the Pwned Passwords API to check a password. It generates the SHA-1 hash of the password, takes the first 5 hexadecimal characters as a prefix, and sends only that prefix to the API. The API returns every breached hash suffix that shares the prefix, along with how many times each was seen. The local code then checks whether the remaining 35 characters match one of the returned suffixes, confirming whether the password has been compromised without ever sending the full hash, let alone the password, over the network.
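The following is an added example, not code from the page above or from the HIBP project, that separates the k-anonymity mechanics from the network call so the range-response handling can be exercised offline. It parses a constructed range response for the prefix of SHA-1("password"), discards the count-0 padding entries the service adds when a client sends the `Add-Padding: true` request header, and wraps the lookup in a registration-time policy check of the kind the IAM integration bullet describes. The range body, the breach counts and the neighbouring suffix are constructed sample data; the `live_fetch` function is the only part that talks to the real API and is not called here.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, Tuple

# --- k-anonymity split -------------------------------------------------------
# 40 hex chars of SHA-1; the server learns 20 bits (the prefix), never the other 140.
def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# --- constructed sample of GET /range/5BAA6 ---------------------------------
# 5BAA6 is the real prefix of SHA-1("password"); the counts and the second
# suffix are constructed for this example. The final line imitates a padding
# entry: with "Add-Padding: true" the service mixes in suffixes with count 0.
PADDED_SUFFIX = "0" * 34 + "A"
SAMPLE_RANGE_BODY = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # real suffix, constructed count
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",        # constructed neighbour suffix
    PADDED_SUFFIX + ":0",                           # padding entry, must be ignored
])
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_BODY}

RANGE_LINE = re.compile(r"^([0-9A-F]{35}):(\d+)$")

def parse_range_response(body: str) -> Dict[str, int]:
    """Map each 35-char suffix to its breach count, dropping padding (count 0)
    and any malformed line rather than trusting the wire format blindly."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        match = RANGE_LINE.match(line.strip())
        if not match:
            continue
        suffix, count = match.group(1), int(match.group(2))
        if count > 0:
            seen[suffix] = count
    return seen

# A fetcher maps a 5-char prefix to the raw response body. Swapping the
# offline one for live_fetch is the only change needed to go to production.
Fetcher = Callable[[str], str]

def offline_fetch(prefix: str) -> str:
    # Unknown prefix -> empty body -> no candidates -> password not found.
    return OFFLINE_RANGES.get(prefix, "")

def live_fetch(prefix: str) -> str:
    # Not executed in this example; hits the real Pwned Passwords range endpoint.
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch: Fetcher = offline_fetch) -> int:
    """Return how many times the password's hash appears in breaches, or 0."""
    prefix, suffix = sha1_prefix_suffix(password)
    candidates = parse_range_response(fetch(prefix))
    return candidates.get(suffix, 0)

# --- registration-time policy (IAM integration) -----------------------------
def evaluate_new_password(password: str, fetch: Fetcher = offline_fetch,
                          min_length: int = 8) -> Tuple[bool, str]:
    """Accept or reject a proposed password; the reason is safe to show the user."""
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    count = breach_count(password, fetch)
    if count:
        return False, f"password has appeared in known breaches {count} times; choose another"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", evaluate_new_password(candidate))
```

Keeping the fetcher injectable lets the policy be unit-tested without network access and lets production code add caching per prefix, which also limits how often the 20-bit prefix of a given user's hash is sent out.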