Check if your email has been exposed in data breaches. See which breaches, when they happened, and what data leaked — with severity ratings per breach.
🔒 Your email is sent to the XposedOrNot breach API over HTTPS. Nothing is stored on our server — no logs, no accounts.
How the Email Breach Checker Works
📧 Enter Email: Type your email address in the search field above
🔍 Database Scan: We check known breach databases and credential dumps
📊 Get Results: See which breaches exposed your data and the severity
🛡️ Take Action: Follow our security steps to lock down your accounts
What this tool does
The Email Breach Checker tells you whether a specific email address has appeared in any publicly disclosed data breach. Type the email, wait a couple of seconds, and you'll see a complete list of breaches that contain it — with the breach name, the disclosure date, the number of records exposed, and what kinds of data leaked (emails only, or emails plus passwords, or emails plus passwords plus payment cards, or worse). The check is free, requires no account, and works for any email address you can type. It's the simplest way to baseline your exposure before making any other security decisions.
What is different about this tool: you get per-breach severity scoring and exposed-data breakdown, not just a count. Most free checkers (including haveibeenpwned.com) show a flat list of breach names. This tool colour-codes each breach by magnitude — critical, high, medium, low — based on the number of records exposed, and tags each with the specific data categories leaked. That tells you at a glance which breaches to act on first. The tool uses the XposedOrNot API as its data source — a free breach-lookup service indexing around 6 billion exposed records. To be honest about the trade-off: unlike our Password Breach Checker, which uses k-anonymity, this tool does send the email to the API. If you want maximum coverage, also check at HIBP directly — the two corpora don't fully overlap.
How it works under the hood
When you submit an email, the tool makes two HTTPS calls to the XposedOrNot API: first to /v1/check-email to get the list of breach names that contain your email, then to /v1/breach-analytics to get per-breach details (disclosure date, record count, exposed data categories). Both requests happen in under a second. The results are rendered immediately with an animated card reveal — most severe breaches first.
What the API sees. Your email address, your IP, standard request headers. XposedOrNot's privacy policy states emails are not logged for individual lookup queries. If that claim concerns you, the safest option is to trust no lookup service and check manually via HIBP's k-anonymity email search (which uses hashed prefix matching similar to what our Password Breach Checker does).
What our server sees. We proxy nothing — the request goes directly from your browser to XposedOrNot. We do maintain an IP-bound rate-limit counter (30 checks per IP per hour), which expires one hour after the last request. Nothing else about your email, your lookups, or your results is logged or retained.
Severity scoring. We classify each breach by exposed-record count: over 50 million records is Critical, 5-50M is High, 500k-5M is Medium, under 500k is Low. This is a rough proxy for impact — record count correlates with how widely your data has been traded — but the data-category field (passwords, payment cards, social security numbers) matters more for what to actually do. The UI shows both.
Rate limit rationale. 30 checks per IP per hour is generous for personal auditing and tight enough to discourage automated enumeration. Real attackers don't use this tool for email enumeration — they have their own corpora. The rate limit is there to keep the free tool usable for everyone, not to defeat determined adversaries.
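The counter described above (30 checks per IP per hour, expiring one hour after the last request), sketched as an added example that is not this site's code. The class and field names are hypothetical, an in-memory Map stands in for the real store, and it assumes denied requests also count as "the last request", which means a blocked client that keeps retrying stays blocked until it goes quiet for a full hour.

```javascript
// Added example, not the site's code. All names are hypothetical; an
// in-memory Map stands in for whatever store holds the real counter.
const LIMIT = 30;                  // checks per IP (from the page)
const TTL_MS = 60 * 60 * 1000;     // one hour (from the page)

class IpRateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;                // injectable clock for testing
    this.counters = new Map();     // ip -> { count, expiresAt }
  }
  check(ip) {
    const t = this.now();
    let entry = this.counters.get(ip);
    if (!entry || entry.expiresAt <= t) entry = { count: 0, expiresAt: 0 };
    entry.count = Math.min(entry.count + 1, LIMIT + 1); // cap, no unbounded growth
    entry.expiresAt = t + TTL_MS;  // assumption: denied requests also extend expiry
    this.counters.set(ip, entry);
    const allowed = entry.count <= LIMIT;
    return { allowed, remaining: Math.max(0, LIMIT - entry.count),
             retryAfterSec: allowed ? 0 : TTL_MS / 1000 };
  }

  // Drop expired counters so no IP is retained past its hour.
  sweep() {
    const t = this.now();
    let removed = 0;
    for (const [ip, entry] of this.counters) {
      if (entry.expiresAt <= t) { this.counters.delete(ip); removed += 1; }
    }
    return removed;
  }
}

// Constructed walk-through with a fake clock and a documentation-range IP.
function demo() {
  let t = 0;
  const rl = new IpRateLimiter(() => t);
  const ip = "203.0.113.7";
  const first30 = Array.from({ length: 30 }, () => rl.check(ip).allowed);
  const thirtyFirst = rl.check(ip).allowed;
  t = 59 * 60 * 1000;                        // retry before the hour is up
  const retryEarly = rl.check(ip).allowed;   // denied, and expiry moves to t + 1h
  t = 61 * 60 * 1000;
  const stillBlocked = rl.check(ip).allowed; // first hour has passed, still denied
  t += TTL_MS;                               // a full quiet hour
  const afterQuietHour = rl.check(ip);
  return { first30, thirtyFirst, retryEarly, stillBlocked, afterQuietHour };
}
```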
Data refresh. The XposedOrNot corpus updates continuously as new breaches become public. Results you see are live — we don't cache lookup responses. If the API is rate-limiting or down, you'll get an error rather than a stale cached result, because a stale "no breaches found" would be a dangerous false negative.
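The severity thresholds and the fail-closed rule described above, combined in one added example that is not this site's code. The record shape (name, records, categories), the status strings, and the tie-breaks at exactly 5M and 500k are assumptions, not the XposedOrNot response schema; the breach entries are constructed.

```javascript
// Added example: field names and status strings are hypothetical, not the
// XposedOrNot schema. Thresholds are the ones stated on this page.
const TIERS = [
  { label: "Critical", min: 50000001 }, // "over 50 million"
  { label: "High", min: 5000000 },      // 5-50M (exactly 5M assumed High)
  { label: "Medium", min: 500000 },     // 500k-5M (exactly 500k assumed Medium)
  { label: "Low", min: 0 },             // under 500k
];
// Unknown size sorts near the top so it gets reviewed rather than hidden.
const RANK = { Critical: 0, Unknown: 1, High: 2, Medium: 3, Low: 4 };
// Categories that decide what to do, regardless of breach size.
const ACTIONABLE = ["passwords", "payment cards", "social security numbers"];

function severityFor(records) {
  if (!Number.isFinite(records) || records < 0) return "Unknown";
  return TIERS.find((t) => records >= t.min).label;
}

function triage(breaches) {
  return breaches
    .map((b) => {
      const cats = (b.categories || []).map((c) => c.toLowerCase());
      return { name: b.name, severity: severityFor(b.records),
               actionable: ACTIONABLE.filter((a) => cats.includes(a)) };
    })
    .sort((x, y) =>
      RANK[x.severity] - RANK[y.severity] ||
      y.actionable.length - x.actionable.length);
}

// Fail closed: only an explicit "not found" may ever be shown as clean.
function interpretLookup(status, breaches) {
  if (status === "found" && Array.isArray(breaches))
    return { state: "breached", results: triage(breaches) };
  if (status === "not_found") return { state: "no_public_breaches", results: [] };
  return { state: "error", results: null }; // rate-limited, down, malformed
}

// Constructed sample data (not real breaches).
const SAMPLE = [
  { name: "ExampleForum", records: 120000, categories: ["Email addresses", "Passwords"] },
  { name: "ExampleShop", records: 50000000, categories: ["Email addresses"] },
  { name: "ExampleSocial", records: 164000000, categories: ["Email addresses", "Passwords"] },
  { name: "ExampleApp", records: 5000000, categories: ["Email addresses", "Payment cards"] },
];
```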
Five real-world use cases
Check your personal email after a news-cycle breach
A major service just announced a breach — LinkedIn, Dropbox, some payment processor, one of the big social networks. You can't remember if you had an account there five years ago, but you're worried the email you use for everything might be affected. Paste it here. In seconds you'll see every breach that email has appeared in, when each one happened, and what data was exposed (emails only, or emails + passwords, or emails + passwords + payment cards, or worse). The breach from the news will usually be there, along with others you'd forgotten about.
yourname@gmail.com
Audit an old email address you want to retire
You've got an email address from 2010 you used for forum signups and free trials for a decade. You're considering deleting it. Before you do, check it here — the results will show you every breach that address was involved in, and probably explain why your spam folder fills up every week. It's also a useful self-audit if you're planning to move every account to a password manager and a fresh primary email. Retire the old address; forward mail for six months; cancel everything that still lands there.
oldname@yahoo.com
Verify a work email's exposure before a security review
You're the IT person at a small company and you've been asked to audit the team's credential exposure. Run each employee's work email through the tool (with permission) and collate the results. Breach dates reveal when exposure happened; exposed-data fields tell you whether just emails leaked or whether hashed passwords went with them. For emails showing 3+ breaches, force a password reset and require a password manager for the rotation. This is the quickest way to baseline team exposure without deploying a paid identity-monitoring product.
Investigate a suspected phishing target during incident response
An employee reports a targeted phishing email that references accurate personal details — their real name, a service they use, something specific. Before assuming a new breach, check their email here. Often the attacker is using leaked data from an old breach the target forgot about, not a novel compromise. Knowing the source breach lets you tell the employee exactly which password to rotate and what other data the attacker likely has. This saves hours of panicked investigation.
Pre-onboarding due diligence for a new vendor or contractor
You're about to give a vendor access to internal systems using a specific email address they've supplied. Run that email through the tool first. If it's in 10+ breaches including ones where passwords were exposed, their credentials are almost certainly reused somewhere compromised — push back and require them to use a fresh email plus a password manager for the integration. It's an awkward but appropriate conversation, and the tool gives you objective data to point to rather than 'I have a feeling.'
Common mistakes & edge cases
I got 'no breaches found' — does that mean my email is safe?
No. It means your email isn't in any publicly disclosed breach indexed by XposedOrNot. Many breaches stay private — sold on dark web markets, traded between groups, or never disclosed. 'Not found' is a clean bill of *public* health, not of overall exposure. Re-check every 3 months; new breaches get added continuously.
My email is in a breach but I never used that service
Two possibilities. One: someone signed up using your email (common with weak-signup-flow sites that don't verify email ownership). Two: a service you forgot about merged with, or sold data to, the service in the breach — your account moved without you noticing. Either way, the email is in the attacker's wordlist now. Change the password on any account sharing that email, even if you never used the breached service.
Different tools show different breach counts for the same email
Different services (XposedOrNot, HIBP, DeHashed, SpyCloud) index different breach corpora. HIBP is larger overall but XposedOrNot includes some breaches HIBP doesn't and vice versa. If getting complete coverage matters (incident response, vendor vetting), run the email through all three free services — their results together are more complete than any one alone.
The breach date seems wrong — it's years after I used the service
The date XposedOrNot reports is when the breach was *publicly disclosed*, not when the compromise actually happened. Many breaches are discovered and disclosed years after the original intrusion. If the data in the breach looks like it predates the disclosure date by a lot (old phone numbers, old usernames), the actual compromise was probably much earlier.
A breach listed here doesn't appear in HIBP
That's normal and expected. HIBP's submission criteria are strict — they require verifiable evidence that the data came from a specific source. XposedOrNot has a lower bar for inclusion, which means broader coverage but also occasional false positives or mislabelled breaches. If a specific breach concerns you, cross-reference by searching the breach name in news coverage.
I keep getting rate-limited when auditing a team's emails
The rate limit is 30 checks per IP per hour — plenty for personal use, tight for bulk auditing. Two workarounds: run audits across multiple hours rather than all at once, or use your company's paid identity monitoring product (which has no rate limit). For one-off team audits, the 30-per-hour limit is usually enough if you space them out across a workday.
Why Checking Email Breaches Is Important
When your email appears in a data breach, cybercriminals may gain access to your passwords, personal information, login credentials, financial data, and account recovery emails. Once attackers obtain this information, they often use it for credential stuffing attacks, phishing campaigns, and identity theft.
🔑 Stolen passwords sold on dark web
🎭 Identity theft & impersonation
📱 Account takeover attacks
💳 Financial fraud & unauthorised purchases
📩 Targeted phishing campaigns
🔓 Credential stuffing on other sites
What To Do If Your Email Was Found in a Breach
If your email appears in a data breach, take these security steps immediately to minimise damage and prevent account takeovers.
01 Change your password on the affected website immediately
02 If you reused the same password on other websites, change those too
03 Enable Two-Factor Authentication (2FA) wherever possible
04 Monitor your email for suspicious login alerts or phishing messages
05 Use a password manager to generate strong and unique passwords
Signs Your Email May Have Been Compromised
⚠ Receiving password reset emails you did not request
⚠ Login alerts from unknown locations or devices
⚠ Unusual spam or targeted phishing messages
⚠ Accounts getting locked or accessed without your permission
⚠ Friends receiving messages from your accounts you didn't send
Frequently Asked Questions
Type your email into the checker above to find out. We'll tell you within a few seconds whether it appears in any of the public data breaches XposedOrNot tracks, and if so, which breaches, when they happened, and what data was exposed. No account needed, no results stored.
Yes, within honest limits. Unlike our Password Breach Checker (which uses k-anonymity hashing), this tool does send your email to the XposedOrNot API over HTTPS. XposedOrNot doesn't log email submissions for lookup queries. On our side, nothing is stored beyond the rate-limit counter. If you want zero email transmission, use HIBP's site directly — but you'll get the same trust model as here, because any email breach lookup ultimately has to match on the email.
An email breach means your email address appeared in a public database leak — possibly along with a password, possibly just as part of a user list. A password breach means the specific password string has appeared in any leaked corpus. Your email can be in many breaches without your current password being compromised, and vice versa. Run both the Email Breach Checker and the Password Breach Checker to get the full picture.
XposedOrNot is a free breach-lookup service that indexes publicly disclosed data breaches — currently around 6 billion exposed records from hundreds of breaches. When you submit an email, it matches against that corpus and returns the breach names, dates, record counts, and categories of data exposed. It's an alternative to Have I Been Pwned with broader free-API access and no authentication required.
Change your password on every affected service — especially if you reused that password elsewhere. Enable 2FA on every important account, preferably with a FIDO2 hardware key on email and banking. Move to a password manager so every future account gets a unique password. Then verify the passwords you've used against the Password Breach Checker — if any return hits, retire them permanently.
Breach-lookup services only know about publicly disclosed breaches. Many breaches are private — sold on dark web markets, traded between adversary groups, never disclosed. Your email might be in private breaches that no lookup service can see. Treat 'no breaches found' as 'no public record of exposure,' not 'your email is safe.'
Every three months for the emails you care about, plus immediately after any major news about a breach at a service you use. Breach databases update continuously as new incidents are disclosed — a result today might be different from the same check in a month.
Technically yes — the rate limit applies per IP, not per email — but you should have their permission. In most jurisdictions, querying breach databases for someone else's credentials without authorisation is legally grey at best. Send them the link instead.
They're complementary. HIBP (haveibeenpwned.com) uses the HIBP corpus — the canonical source with 12.7 billion credentials. This tool uses XposedOrNot, a smaller but still substantial corpus (~6B records) with a more generous free API. Run both if you want maximum coverage — they don't fully overlap. This tool's UI gives clearer per-breach severity and exposed-data breakdown than HIBP's plain list.
It checks publicly disclosed breaches that have been indexed into XposedOrNot's corpus, which includes many leaks that originated on dark web markets. It does not continuously scan live dark web forums. For that, use our dedicated Dark Web Scanner which monitors a different data set.