One-minute checks can reveal breaches you never heard

A data breach checker can scan breach databases, dark web sources, and infostealer malware logs to tell you whether your email address, password, phone number, or Social Security number appeared in known exposure events—often long before official notifications

For most people, a data breach only becomes “real” when an alert finally lands in their inbox. But the clock on harm doesn’t start with the notification. It starts when stolen data shows up—then spreads—across criminal markets.

That’s why a growing number of people are turning to data breach checkers. tools that can run a lookup in under a minute and return whether your personal information was exposed in a known breach. Instead of waiting to be contacted. they check whether your identifiers—like your email address. password. phone number. or Social Security number—appear in breach records collected from multiple places.

The core pitch is simple: a check can reveal exposure events you were never notified about.

A breach checker is a lookup tool. You enter one or more personal identifiers—typically an email address. phone number. or username—and the tool cross-references them against a database of known breach records to determine whether your identifier appeared in a breach dataset. When there’s a match. the tool can report where the exposure originated. when it occurred. and what categories of data were bundled alongside your identifier.

This idea became widely known after the 2013 Adobe breach. when security researcher Troy Hunt launched Have I Been Pwned as a free service so people could check whether their email addresses appeared in that dataset. Since then, the category has expanded: modern breach checkers don’t only scan historical databases. Many also monitor live dark web markets. paste sites. criminal forums. and infostealer malware logs—sources that can capture exposure events in real time. often before they’re formally catalogued or publicly reported.

Most checkers work using a matching model. You provide an identifier. the tool hashes your email address. compares it against breach databases of known breach records. and returns matches. The quality of what you get depends on how many sources the tool monitors. A checker built on a single breach database will only surface exposures that appeared in that one dataset. A checker that monitors multiple sources—dark web markets, paste sites, and malware logs simultaneously—will often surface more.

Behind the scenes, the data comes from different kinds of exposure. Some comes from publicly disclosed breaches and indexed datasets made searchable by security researchers. Some comes from dark web intelligence, where automated crawlers monitor criminal forums and marketplaces for newly posted breach data. Some comes from infostealer logs and credential files harvested by malware from infected devices and uploaded to criminal networks. Each source type captures different exposure patterns. which is exactly why the best checkers combine them rather than relying on only one.

A breach checker can tell you whether your email address. password. phone number. username. or another identifier appeared in a breach dataset indexed by the tool’s data sources. It can often identify which breach it came from. approximately when it occurred. and what other information was included with your identifier.

But it cannot guarantee safety.

There’s a built-in gap between the time a breach occurs. when stolen data surfaces on criminal markets. and when monitoring services index that data. A result showing no known exposure today can look different tomorrow if a new breach dataset is published or newly indexed. That’s the argument for continuous monitoring rather than one-time checks.

If you haven’t received a formal alert, you’re not alone in assuming you’re in the clear. The catch is that breach notification letters tend to lag.

Under most US state laws. companies have 30 to 90 days to notify affected individuals after discovering a breach. and that clock starts from discovery—not from when the breach actually occurred. The time between a breach and its discovery is often measured in months. By the time a formal notification arrives, the data has typically been circulating in criminal markets for weeks or longer.

Many breaches also never get formally disclosed. Data brokers, smaller companies, and organizations operating under weak disclosure requirements may fail to notify affected individuals. In that situation. the only way to know whether your data is in circulation is to check the sources that monitor the markets where data is traded.

So what does “checking” look like in practice?

Most people start with email, because email addresses are among the most commonly exposed identifiers in breach databases and they’re the primary login credential for most online accounts. Checking an email address should be the first step in any breach check.

DeXpose’s Email Data Breach Scan is one example described as scanning breach databases, dark web sources, and infostealer logs. The result is meant to show breaches where your email appeared, the data categories included alongside it, and whether the exposure is recent or historical.

If your email appears in a breach that also included your password, the guidance is direct: treat every account where you used that password—or any variation of it—as compromised until you change it.

For a broader look across a workplace, the same material points to DeXpose’s free dark web report, described as extending the scan across an entire organization’s domain to show how many email addresses from that domain have been exposed across known breaches and dark web sources.

Phone number checks can be trickier. Phone numbers are less consistently stored in breach databases than email addresses. Still, they show up frequently in large aggregated datasets—especially those tied to telecom breaches, social media breaches, and data broker leaks.

The material points to the 2021 Facebook breach as an example where 533 million records included phone numbers as a primary data field, and where those records have since circulated widely in criminal networks.

Have I Been Pwned added phone number search functionality in 2021. You can enter a phone number in international format and check it against datasets where phone numbers are indexed. For more comprehensive coverage—including dark web market listings and infostealer logs where phone numbers appear—a dedicated dark web monitoring tool is described as surfacing exposures that standard breach databases don’t.

Social Security number checks are presented as the most sensitive and therefore handled differently.

Responsible breach checkers do not store full Social Security numbers in searchable databases. because doing so would create the very exposure the tool is meant to detect. Instead. SSN breach checks work by referencing whether a breach dataset is known to have included SSNs as a data field. and then checking whether your other identifiers—name. date of birth. and address—appeared in that dataset.

Pentester’s National Public Data breach checker is referenced as becoming widely referenced in 2024 after the NPD breach. which allegedly exposed up to 2.9 billion records including SSNs. The tool allows you to search by name. state. and date of birth to see whether your information appears in the NPD dataset. It is described as free to use and as not requiring submission of your SSN.

For ongoing protection. the approach suggested is a combination: a credit freeze with all three bureaus to prevent new accounts from being opened in your name regardless of who has your SSN. plus enrollment in the IRS Identity Protection PIN program to prevent fraudulent tax returns from being filed under your number.

On iPhone, the guidance shifts to built-in password protection. For iPhone users running iOS 14 or later. there’s a built-in password monitoring feature called Security Recommendations. accessible through Settings → Passwords. It automatically checks saved passwords against known breach databases and alerts you when a password is found in one. It also identifies reused and weak passwords.

For more comprehensive coverage. iOS 16 is described as adding an upgraded feature within Settings → Passwords that flags compromised passwords from a broader database. To run this check, go to Settings → Passwords → Security Recommendations. Any passwords flagged as compromised should be changed immediately on the affected accounts. along with any other accounts that use the same password.

But the iPhone’s built-in feature checks passwords, not email addresses or phone numbers. For a full check covering all identifiers and including dark web sources, you need a dedicated breach checking service.

Checking the dark web is also described as something different from normal web search. Standard search engines like Google do not index content on the dark web. What people describe as “checking the dark web” is typically running your identifiers through a monitoring service that checks dark web markets. forums. and databases on your behalf.

DeXpose’s free dark web report is described as covering dark web markets, malware logs, and public breach databases simultaneously. It returns results with source-level specificity, including where data was found and what categories of information were involved.

That distinction matters because the response can’t be identical. Credentials appearing in a fresh infostealer log require a different priority than an email address appearing in a 2018 breach dataset.

Free tools vary widely in what they monitor, how current their data is, and how much context they provide alongside a match.

DeXpose’s email data breach scan is described as cross-referencing your email address against breach databases. infostealer malware logs. and dark web sources in a single query. including a category of exposure older lookup tools were not designed to detect. The result includes breach sources where your email appeared. the data categories bundled with it. and whether the exposure includes password data that requires immediate action. For organizations, the scan can run across a company domain to assess how many employee credentials are currently in circulation.

Have I Been Pwned is described as maintained by security researcher Troy Hunt and operated in partnership with the FBI. and as the most widely referenced free breach-checker for email addresses. It maintains a database of billions of records from hundreds of disclosed breaches and allows anyone to check an email address for free. It also allows phone number checks as of 2021. The limitation described is that it indexes breaches after they’re publicly disclosed and catalogued. so it can lag live dark web activity by weeks or months.

Firefox Monitor. now rebranded as Mozilla Monitor. is described as using HIBP’s breach database as its underlying data source and adding an interface where users can set up email alerts when new breaches containing their address are added to the database. Mozilla Monitor Plus is described as adding identity protection features and the ability to submit removal requests to data brokers. Because Mozilla Monitor uses HIBP’s data, the coverage is described as the same as running a direct HIBP check. The added value is alert infrastructure.

Google One’s dark web report is described as available to Google One subscribers in supported countries. It monitors your email address and other personal identifiers—name. date of birth. phone number. physical address—against dark web sources and alerts you when any appear in a detected exposure. The feature is described as built into the Google account interface and accessible through the Google One app. The limitation described is that the monitored identifiers are limited to those provided in a Google account profile and the coverage lacks the source-level specificity or malware log coverage dedicated tools offer.

Credit-focused tools are also covered. Experian’s free IdentityWorks tier and Credit Karma’s identity monitoring feature are described as offering breach alert functionality as part of broader credit monitoring services. primarily monitoring your email address against breach databases and alerting you when a match is found. The limitation described is that these tools don’t comprehensively monitor dark web sources and their breach data tends to come from publicly catalogued sources similar to those covered by HIBP.

There’s also Dehashed, 1Password Watchtower, and Bitwarden. Dehashed is described as a paid breach search tool used primarily by security professionals and researchers. It allows searches by email. username. IP address. name. and password hash. providing significantly more detailed results than consumer-facing tools. including raw password data in some records. 1Password Watchtower is described as integrating HIBP’s breach database directly into the password manager. automatically flagging saved passwords that have appeared in known breaches and prompting changes. Bitwarden’s Vault Health Reports feature is described as offering similar functionality. Both are described as checking passwords against breach databases rather than monitoring identifiers across live dark web sources.

Some breaches are so high-profile that people are given specific steps for checking whether they were affected.

AT&T is one example. The material says AT&T disclosed two significant data breach events in 2024. The first. disclosed in March 2024. involved a dataset of approximately 73 million current and former AT&T customer records that included names. addresses. phone numbers. dates of birth. and Social Security numbers published online. The second. disclosed in July 2024. involved call and text records for nearly all AT&T wireless customers from mid-2022 through early 2023.

To check eligibility for AT&T’s settlement or to confirm whether data was included. the guidance is to go to AT&T’s official data breach settlement page or check the settlement administrator’s site directly. The material adds that AT&T sent direct notification emails to affected customers from the March breach. It also notes that if a person was an AT&T customer during 2022–2023. their call metadata was almost certainly included in the second breach regardless of whether a notification was received.

For both breaches, the immediate action described is to change an AT&T account password and PIN, enable two-factor authentication on the AT&T account, and run an email or phone number check through a breach checker to confirm what additional data may have been bundled.

For the National Public Data breach. the material describes it as one of the largest in recorded history by number of records. The breach became publicly known in mid-2024 and reportedly exposed nearly 2.9 billion records including names. addresses. dates of birth. phone numbers. and Social Security numbers aggregated from public records by data broker National Public Data.

Pentester.com is referenced as building a free NPD-specific checker at npd.pentester.com that allows searching by first name. last name. state. and date of birth to see whether information appears in the dataset. It is described as not requiring submission of an SSN and as showing what information from the breach matches the search query. Because NPD aggregated data from public records. the material says virtually any US adult with a public records footprint may appear regardless of whether they were ever a customer.

TransUnion is also mentioned. with the material describing a dedicated breach response page where people can verify their status and enroll in complimentary credit monitoring if data was confirmed to have been exposed. It notes that because TransUnion holds credit file data. an exposure event involving TransUnion records may include credit account history. personal identifiers. and credit score information. The most important immediate action described is placing a credit freeze with all three bureaus including TransUnion if there’s reason to believe a TransUnion record was involved.

Experian’s approach is described as visiting Experian’s dedicated breach response page or calling Experian’s fraud line. It notes that Experian typically provides a dedicated eligibility verification tool for large-scale events. allowing affected individuals to check status by name. address. and date of birth. It says if a person was notified. Experian offers complimentary credit monitoring through its IdentityWorks product. and that enrollment does not prevent new fraudulent accounts from being opened—only a credit freeze does—so monitoring should be treated as a supplement. not a substitute. for a credit freeze if SSN or financial data was involved.

Oracle is included through an alleged Oracle Cloud breach that became public in early 2025. The material says DeXpose built a dedicated Oracle breach checker allowing organizations to search their company name against the alleged breach dataset to determine whether the company was mentioned. It is described as free and as not requiring an account.

A long list of other named breaches appears too: T-Mobile, Xfinity, Discord, Yahoo, and others.

For T-Mobile, the material says it experienced multiple breaches, including a 2021 incident affecting approximately 77 million records and a 2023 incident. It says T-Mobile provides a breach response portal where current and former customers can verify whether accounts were affected and enroll in available remediation.

For Xfinity / Comcast, the material says the 2023 Xfinity breach, resulting from the CitrixBleed vulnerability, affected approximately 36 million customers. It says Xfinity notified affected customers by email and provided password reset guidance. and that if an Xfinity customer did not receive notification. they should check their registered email address through a breach checker. since notification rate was not universal.

For Discord. the material says Discord has been involved in several breach events. most notably through third-party bot services that had access to Discord user data. It suggests checking the Discord-registered email address through HIBP or a dedicated checker to see whether it appeared in any Discord-associated breach dataset.

For Yahoo. the material says Yahoo’s two major breach events—2013 affecting 3 billion accounts and 2014 affecting 500 million accounts—remain among the largest in history. It advises that if someone has ever had a Yahoo account. they should assume their email address and password associated with it at the time are in circulation. Any site where a person used that Yahoo password or a variation should be treated as potentially compromised.

The article then pivots to what to do after you get a result.

Finding your data in a breach check is described not as the end, but the beginning of a time-sensitive response window. The speed with which you act after discovery is presented as determining how much damage the exposure can cause.

The first step is to identify exactly what was exposed. The result needs to be read carefully: which data categories were included alongside an email address or identifier can change the threat level. A breach that exposed only an email address and a hashed password is different from one that exposed an email address. a plaintext password. date of birth. and phone number.

The next step described is to change the password on the breached account immediately, and then change it on every other account where the same password—or a recognizable variation—was used. If checking every account feels overwhelming, the material recommends setting up a password manager.

It also advises enabling multi-factor authentication on the breached account and, if not already active, on the primary email account. Because the email account is described as the recovery path for almost every other account. securing it is presented as the single highest-leverage action right after a breach discovery.

If financial data, SSN, or any government-issued ID number was included in the breach, the guidance is to contact banks and card issuers immediately, place a credit freeze with all three bureaus, and begin monitoring credit reports for any accounts not recognized.

On ongoing exposure, the material draws a hard line between a one-time breach check and continuous monitoring. A one-time check tells you where you stood at the moment you ran it. with no guarantee it will reflect what gets posted later. It frames continuous monitoring as the difference between acting in time and discovering exposure after the damage has already been done.

DeXpose’s dark web monitoring is described as running continuously across dark web markets. criminal forums. paste sites. and breach databases. and alerting when data surfaces in any new exposure event. For individuals. it’s described as returning alerts within hours of newly posted credentials appearing on a dark web market. instead of waiting for a notification letter weeks later. For organizations. it’s described as providing real-time visibility into employee credential exposure. customer data listings. and organizational data circulating in criminal networks.

The practical argument is made plainly: the value of breach intelligence is almost entirely a function of how quickly you receive it. An alert that reaches someone the same day credentials appear gives a realistic window to change the password before an attacker uses it. An alert three months later is described as arriving after the window has closed.

After all that, there’s the prevention checklist—built around blocking the most common routes stolen data turns into identity theft.

The most effective single action is presented as a credit freeze. It’s described as free, as not affecting credit score, and as preventing anyone from opening new credit accounts in a person’s name regardless of what information they have about them.

The second pillar described is password uniqueness to stop credential stuffing. the process where attackers take credentials from one breach and test them systematically against other services. The explanation ties directly to reuse: the attack works because most people reuse passwords. A password manager is suggested as a practical tool for maintaining unique passwords.

Multi-factor authentication is described again as closing the most common follow-on attack vector, particularly on email, financial, and government accounts.

Finally, continuous dark web monitoring is positioned as the backstop: if data surfaces somewhere new, you find out immediately rather than through a fraud alert months later.

If there’s one theme running through all of it, it’s this: the time between exposure and action matters. The tools described here don’t just answer a question. They compress the window you have to respond.

Immediate steps can start with as little as entering an email address into a breach checker and treating what comes back as a prompt to act—especially when the result suggests passwords, phone numbers, or Social Security-linked identifiers are part of the dataset.

data breach checker breach database dark web monitoring infostealer logs Have I Been Pwned Troy Hunt Mozilla Monitor Security Recommendations iOS 14 NPD breach checker Social Security number protection