
Stop guessing if your data leaked. Here's how to check in 60 seconds.
Seventeen billion compromised accounts sit inside Have I Been Pwned, the free Australian-built breach checker that tells you in under a minute whether your email address was exposed. Here is how it works, what else to use, and what to do after the bad news lands.

Seventeen billion. That is how many compromised accounts sit inside Have I Been Pwned, the free breach-checking service built by Australian security researcher Troy Hunt. If you have an email address, it has almost certainly appeared in at least one of the 986 breaches indexed by the site. The question is not whether your data leaked. It is whether you have checked.
Australians lost personal information in a cascade of high-profile breaches over the past two years. The Qantas contact-centre attack in mid-2025 exposed 6 million customer records. The youX finance breach leaked 600,000 loan applications, including bank statements and driver’s licences. The Canvas LMS breach, claimed by ShinyHunters, hit Australian universities and state schools in May 2026. The Office of the Australian Information Commissioner logged 1,113 notifiable data breaches in 2024 alone. The real number is higher; many go unreported.
Checking whether your email address was caught up in any of them takes under a minute. This guide covers the tools that work, the ones that do not, and what to do after you get the bad news.

What to use (TL;DR)
Have I Been Pwned is the right answer for almost every Australian. It is free, built by an Australian, indexes more breached accounts than any competitor, and does not require you to hand over a phone number or create an account. Type your email address into the search box, hit enter, and you will see a timeline of every known breach that included your data.
For Australian-specific context, the Australian Cyber Security Centre publishes step-by-step guidance for individuals who discover their information was exposed. If an organisation you deal with suffers a breach, the OAIC Notifiable Data Breaches scheme requires it to notify you and recommend steps to take.
How breach checking actually works
Breach-checking services do not scan the dark web in real time. They build indexes from data dumps that have already been published: paste sites, hacking forums, torrents, and credential lists traded openly. When you enter an email address, the service looks it up in that index; the address itself is sent to the service (the k-anonymity trick described below applies to password checks, not email lookups). If there is a match, it tells you which breach the address appeared in and what other data was exposed alongside it.
This is why breach checkers are a trailing indicator. Your data may have been circulating for weeks or months before a dump is discovered, cleaned, and indexed. The value is in knowing what is out there so you can act: change the affected passwords, enable multi-factor authentication, and watch for phishing that cites the exposed details to look legitimate.
Have I Been Pwned also runs a companion service called Pwned Passwords, which lets you check whether a password has appeared in a known credential dump. It uses a k-anonymity model: your client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service answers with every hash suffix in its corpus that shares that prefix (typically several hundred), and the comparison against your full hash happens on your device. Neither the password nor enough of its hash to identify it leaves your machine.
The picks
Have I Been Pwned, the gold standard
Troy Hunt launched HIBP in 2013 as a side project. It is now the reference implementation for breach checking globally, used by governments, security teams, and individuals. A Microsoft regional director and MVP, Hunt has testified before the US Congress on data breach notification and runs the service as a public good. It is sponsored by 1Password.
HIBP’s free tier covers email search, domain search (check every address on your domain at once), and a notify-me service that emails you when your address appears in a future breach. The site also surfaces “paste” records, which are instances where your email appeared in a public text dump that has not been formally classified as a breach.
For Australian users, HIBP’s coverage of locally significant breaches is strong. The service indexed the Optus 2022 breach, the Medibank breach, the Latitude Financial breach, and the more recent Qantas and Canvas LMS incidents. If an Australian breach produced a public data dump, HIBP likely has it.
Pros: Free. Australian-made. Largest breach index globally. Domain search for businesses. No account required for basic search. Notify-me for future breaches. Pwned Passwords uses k-anonymity.
Cons: Cannot tell you if your data was accessed but not dumped. No dark-web monitoring. Limited to breaches where data was made public.
ACSC, the Australian government’s guidance
The Australian Cyber Security Centre, part of the Australian Signals Directorate, is the federal government’s lead cybersecurity agency. Its website publishes threat alerts, step-by-step response guides for individuals and small businesses, and a report-and-recover framework for breach victims.
The ACSC does not run its own breach checker. Its role is to tell you what to do after you discover your data was exposed: change passwords, enable multi-factor authentication, check your bank and superannuation statements, contact IDCare for identity support, and report cybercrime through ReportCyber. It also issues advisories when a major breach affects Australian organisations, as it did with the ClickFix/Vidar Stealer campaign targeting WordPress sites in May 2026.
For someone who just learned their email was in a breach, the ACSC’s “Have you been hacked?” page is the best next click after HIBP.
Pros: Government-backed. Australia-specific. Covers the full response lifecycle. Free. Ties into ReportCyber and IDCare.
Cons: Not a breach checker itself. Guidance can be general. No personalised dashboard.
OAIC Notifiable Data Breaches scheme, your legal backstop
When an Australian organisation covered by the Privacy Act 1988 experiences an eligible data breach, it must notify affected individuals and the OAIC. An eligible breach means unauthorised access or disclosure of personal information that is likely to result in serious harm, where the organisation has not taken effective remedial action.
The OAIC received 1,113 breach notifications in 2024, and the trend line points up. The scheme gives you the right to be told when your data is exposed, and the right to receive specific recommendations about what to do. If an organisation fails to notify you, you can lodge a privacy complaint with the OAIC.
In November 2025, the Federal Court handed down the first civil penalty under the Privacy Act in Australian Information Commissioner v Australian Clinical Labs Ltd, signalling that the OAIC is shifting from guidance to enforcement. The penalty remains well below the maximum ($50 million or 30 per cent of domestic turnover), but it establishes the precedent.
Pros: Legal obligation on organisations to notify you. Complaint mechanism if they do not. Published breach statistics for transparency.
Cons: Reactive, not proactive. Does not help with breaches at non-Australian organisations. Enforcement is still in its early stages.
Commercial AU services: TrueTrace and PrivacyMate
Two Australian commercial services, TrueTrace and PrivacyMate, offer breach checking alongside broader privacy and compliance tools. Both target the Australian market and provide AU-specific breach coverage. They sit between HIBP (free, global, comprehensive) and enterprise dark-web monitoring services (expensive, contract-based). For an individual Australian user, neither offers coverage that HIBP misses, but both package the check inside a wider privacy toolkit that some users may prefer.
What to do after you find your email was breached

Once you confirm your email was exposed, the order of operations is straightforward.
Change the password on the breached service immediately. If you reused that password anywhere else, change it there too. A password manager makes this manageable. 1Password and Bitwarden are the two worth your time in Australia.
Enable multi-factor authentication on every account that supports it. Use an authenticator app, not SMS. Proton Authenticator and Microsoft Authenticator are both solid free options.
Check what data was in the breach. HIBP tells you which fields were exposed. If financial data or identity documents were included, contact your bank and consider a credit report ban through Equifax, illion, or Experian Australia.
Watch for phishing. Breached email addresses attract targeted phishing. Scammers use the breach context (“we’re contacting you about the recent Qantas breach”) to sound legitimate. Any unsolicited message asking you to click a link or verify your details should be treated as hostile.
If identity documents were exposed, contact IDCare, a free Australian and New Zealand identity support service. They provide case management and help with document replacement.
Consider an encrypted email service for sensitive communications. Proton Mail and Tuta Mail encrypt your inbox at rest with keys the provider cannot unlock, so a breach of the provider’s servers does not expose stored message contents. The caveat: mail from ordinary senders arrives over the open internet and is encrypted on receipt, so the protection covers the archive rather than messages in transit, and the provider still holds metadata such as sender and recipient addresses. It is not a substitute for good password hygiene, but it reduces the blast radius of the next breach.
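The “check what data was in the breach” step above is the one that decides which of the other steps apply. The following is an added example, not code from this article or from HIBP, that turns a breach-search result into that decision. It assumes a response in the shape of HIBP’s public v3 breachedaccount API (the field names follow its documentation; the three breach records are invented for this example), and the grouping of HIBP data classes into credential, financial and identity buckets is this example’s own assumption.

```python
import json

# Constructed sample shaped like HIBP's v3 breachedaccount response: the
# field names follow the public API documentation, but these breach entries
# are invented for this example and are not real HIBP records.
SAMPLE_BREACHES = [
    {"Name": "ExampleAirline", "Title": "Example Airline", "Domain": "example-airline.test",
     "BreachDate": "2025-06-30", "PwnCount": 6000000, "IsVerified": True, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Names", "Phone numbers", "Dates of birth"]},
    {"Name": "ExampleLender", "Title": "Example Lender", "Domain": "example-lender.test",
     "BreachDate": "2025-09-12", "PwnCount": 600000, "IsVerified": True, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Passwords", "Bank account numbers", "Drivers licenses"]},
    {"Name": "ExampleSpamList", "Title": "Example Spam List", "Domain": "",
     "BreachDate": "2024-01-01", "PwnCount": 100000000, "IsVerified": False, "IsSpamList": True,
     "DataClasses": ["Email addresses"]},
]

# Which HIBP data classes trigger which step of the checklist above. The class
# names are HIBP's own vocabulary; the grouping is this example's assumption.
CREDENTIAL_CLASSES = {"Passwords", "Password hints", "Security questions and answers", "Auth tokens"}
FINANCIAL_CLASSES = {"Bank account numbers", "Credit cards", "Partial credit card data", "Credit card CVV"}
IDENTITY_CLASSES = {"Government issued IDs", "Passport numbers", "Drivers licenses"}


def triage(breaches: list[dict]) -> dict:
    """Order breaches newest first, union their data classes, derive the actions to take."""
    ordered = sorted(breaches, key=lambda b: b["BreachDate"], reverse=True)
    exposed: set[str] = set()
    summary = []
    for b in ordered:
        classes = set(b["DataClasses"])
        exposed |= classes
        summary.append({
            "name": b["Name"],
            "date": b["BreachDate"],
            # Spam lists hold addresses scraped or bought for mailing; no password fell with them.
            "spam_list": bool(b.get("IsSpamList", False)),
            "classes": sorted(classes),
        })
    actions = []
    if exposed & CREDENTIAL_CLASSES:
        actions.append("rotate the password on the breached services and anywhere it was reused; enable MFA")
    if exposed & FINANCIAL_CLASSES:
        actions.append("contact your bank; consider a credit ban with Equifax, illion or Experian")
    if exposed & IDENTITY_CLASSES:
        actions.append("contact IDCare and replace the exposed documents")
    # An email address alone, as on a spam list, still means more targeted phishing.
    actions.append("expect phishing that names these breaches to look legitimate")
    return {"breaches": summary, "exposed": sorted(exposed), "actions": actions}


def triage_json(body: str) -> dict:
    """Same, starting from the raw JSON body an API client would receive."""
    return triage(json.loads(body))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BREACHES), indent=2))
```

The ordering matters more than it looks: the newest breach is the one whose password is most likely still in use, and a spam-list hit on its own should not send you off changing every password. Running this against the real API requires an API key and a network call, which the example deliberately leaves out.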
What we would skip
Dark-web monitoring services that charge a monthly fee: for consumers, the incremental value over HIBP’s free notify-me service is small. Enterprise dark-web monitoring from firms like Mandiant or CrowdStrike is a different category, and worth it for organisations that need to know when employee credentials surface in criminal forums. For an individual, $15 a month for a scan that often just re-displays HIBP results is poor value.
“Instant breach check” browser extensions: several extensions promise to check sites you visit against a breach database. Most have access to your full browsing history and some have been caught logging and selling it. Type your email into HIBP once. Do not install an extension that watches every URL you visit.
Paying anyone to “remove” your data from a breach: once data is in a public dump, it is out. No service can remove it. Anyone claiming otherwise is running a scam.
Frequently asked questions
Is Have I Been Pwned safe to use?
Yes, with one caveat: the email address you type is sent to HIBP’s servers and looked up there, so you are trusting the service with that address and nothing more. No password, no personal details, no account creation required. For the Pwned Passwords tool, HIBP uses a k-anonymity protocol: you submit the first five characters of a password hash, the service returns every hash suffix in its corpus that starts with those five characters, and the match is done on your device. Your full hash never leaves it. The site is run by Australian security researcher Troy Hunt and sponsored by 1Password.
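The k-anonymity exchange described in this answer and in “How breach checking actually works” above, as an added example that is not code from HIBP or from this article. The range endpoint URL and the SHA-1 of the string “password” are real; the range response is a constructed sample standing in for the network call so the block runs offline, and its counts are invented.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response for the prefix 5BAA6:
# one "SUFFIX:COUNT" line per hash in the range, the suffix being the last 35
# hex characters of the SHA-1. The counts and all suffixes except the second
# are invented; the second is the real SHA-1 suffix of the string "password".
# A zero-count line is what the optional Add-Padding response mode produces.
SAMPLE_RANGE_5BAA6 = """\
1E2D1B2C2F5C2A3B0B0A6A6D0F1E2D3C4B5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E5A5E0F4A5B6C7D8E9F0A1B2C3D4E5F6A7:0
A0D9F3A0B1C2D3E4F5A6B7C8D9E0F1A2B3C:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    fetch_range(prefix) is whatever performs the HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; only the 5-char prefix ever
    crosses the wire, and the suffix comparison happens here. Padding entries
    carry count 0, so matching one of them still reports "not pwned".
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed sample for 5BAA6,
    an empty range for anything else."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2026"):
        print(pw, "->", pwned_count(pw, offline_fetch))
```

To use it for real, replace offline_fetch with a function that GETs the range URL over HTTPS and returns the response body; the point of the design is that the server learns only the five-character prefix, which a few hundred unrelated hashes share.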
Can I check if my phone number was breached?
HIBP’s search box does accept phone numbers in international format, but only a handful of breaches have had numbers loaded (the 2021 Facebook dump is the notable one), so a clean result means far less than it does for an email address. Numbers are stored in inconsistent formats across dumps and are not reliably indexed, which is also why the phone-number checks some commercial services advertise deserve scepticism. If you received a breach notification from a service that had your phone number (Qantas, for example), assume the number is compromised along with your email.
How often should I check?
If you sign up for HIBP’s notify-me service, you do not need to check manually. It emails you when your address appears in a new breach. Without notify-me, checking every few months covers most new breach disclosures. After a major Australian breach is reported in the news, check immediately.
What if my email is not in any breach?
That is rare, but possible if you use a new email address created after the last major breach indexed by HIBP. It does not mean your data is safe. Breaches that have not yet been discovered or indexed are not reflected. Keep using unique passwords per service, enable MFA, and sign up for HIBP notifications so you learn about future breaches immediately.
Does Australia’s Privacy Act protect me if my data is breached by an overseas company?
The Privacy Act applies to organisations with an “Australian link”, which means carrying on business in Australia or collecting personal information from Australia. A foreign company with no Australian presence is generally not bound by the Act, though the OAIC can cooperate with overseas privacy regulators. For breaches at companies like Google, Meta, or Microsoft, the applicable privacy law is usually the company’s home jurisdiction. HIBP covers these breaches regardless of jurisdiction.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


