Check If Your Password Was Leaked - Fix It in 10 Minutes

Imran Shaikh Isrg
How to check if your password was leaked in 2026 - HaveIBeenPwned, Google, Apple Passwords guide

Right now, without knowing it, your email address and password may be sitting in a database that hackers are actively using to break into accounts. This is not a hypothetical. HaveIBeenPwned - the most trusted breach database in the world, run by Microsoft Regional Director Troy Hunt - handles over 18 billion password check requests monthly. That volume alone tells you how widespread this problem is. The database has grown to include billions of compromised credentials from hundreds of data breaches across the last decade, and new breaches are added every week.

What most people do not realize is that you do not need to be the victim of a direct hack for your password to be compromised. If you used the same password on any site that was breached - a shopping site, a gaming forum, an old subscription service - that password is now known to attackers. They run automated tools that try that password on your email, your bank, your Netflix account, and dozens of others. It takes seconds.

The fix takes under 10 minutes. Here is the complete process.


Step 1: Check Your Email on HaveIBeenPwned

HaveIBeenPwned (HIBP) is the starting point. It is free, requires no account, and is the single most comprehensive breach database available to the public. Troy Hunt built it after the Adobe breach in 2013 and has maintained it ever since. The site is now trusted by governments, enterprises, and security researchers globally.

How to use it:

  • Go to haveibeenpwned.com
  • Type your email address into the search bar and click "pwned?"
  • If your address appears in any breach, the page turns red and lists every breach it was found in - the site name, the date, and what data was exposed (passwords, names, phone numbers, etc.)
  • If the page stays green and says "Good news - no pwnage found," your email has not appeared in any breach in the database

Check every email address you use. Most people have more than one - a personal email, a work email, an old email they rarely check. Breaches from accounts you forgot you created years ago are some of the most common sources of compromised credentials.

Set up breach notifications: Go to haveibeenpwned.com/NotifyMe and enter your email address. HIBP will send you an automatic alert whenever your address appears in any new breach added to the database. This is a free service and takes 30 seconds to set up.

Check individual passwords: Go to haveibeenpwned.com/Passwords to check whether a specific password appears in known breach data. The service uses a privacy-preserving method called k-anonymity - you never send your full password to the server. Only the first five characters of a hashed version of your password are sent; the server replies with every breached hash that shares that prefix, and your device checks locally whether its own full hash is among them. Your actual password never leaves your device.

Step 2: Run Google Password Checkup

If you save passwords in Google Chrome or use an Android phone, Google's Password Checkup is the fastest way to audit all your saved credentials at once. Google cross-references your stored passwords against a database of known compromised credentials using the same privacy-preserving hashing method as HIBP - your actual passwords are never sent to Google's servers in readable form.

On Android phone:

  • Go to Settings on your phone
  • Search for "Passwords" in the settings search bar
  • Look for "Autofill services with Google" or "Google Password Manager"
  • Tap "Checkup" or "Check passwords"
  • Google will scan all saved passwords and flag any that are compromised, reused across multiple sites, or too weak

In Chrome browser (desktop or mobile):

  • Click the three dots menu in the top right corner of Chrome
  • Go to Settings, then Autofill and passwords
  • Select Google Password Manager
  • Click Checkup at the top
  • You can also go to Settings, Privacy and security, Safety check, and click Check now - this scans compromised passwords alongside risky extensions and other security issues

Chrome also warns you in real time as you type credentials into a website if that username and password combination has been seen in a data breach. If you see a key icon with a warning in Chrome's address bar, take it seriously.

Google Password Manager on the web: passwords.google.com - log in with your Google account to see and manage all saved passwords, run a checkup, and update compromised credentials.

Step 3: Check iPhone Passwords App (iOS 18 and Later)

Apple introduced the standalone Passwords app in iOS 18, replacing the buried iCloud Keychain settings. It monitors your stored passwords against known breach databases automatically and surfaces security warnings directly in the app. If you are on iOS 18 or iOS 26, this is already running in the background for you - but most people never open the app to see the results.

How to check on iPhone:

  • Find the Passwords app on your iPhone home screen or in your App Library and open it
  • Tap the Security tab at the bottom of the screen
  • Apple shows three categories of issues: compromised passwords (found in breach data), reused passwords (same password on multiple sites), and weak passwords (too short or too simple)
  • Tap any flagged password to go directly to that entry and see the "Change Password" button, which takes you to the website to update it

In Safari on iPhone:

  • Go to Settings, then Apps, then Safari
  • Tap Passwords
  • Use Face ID or Touch ID to authenticate
  • Any password with a security warning will appear at the top with a warning icon

Apple's breach detection uses the same k-anonymity approach as HIBP and Google - your passwords are hashed before checking and your actual credentials are never sent to Apple's servers in readable form. The Passwords app also uses iCloud Keychain sync, so if you have the same passwords saved on your Mac, they are all checked together.

Step 4: Understand What "Compromised" Actually Means

Seeing a red warning next to a password creates immediate anxiety. Before you panic-change everything, understanding what the warning actually means helps you prioritize correctly.

"Compromised" means: This exact password (or password and email combination) has appeared in a known public data breach. Attackers have access to it and are likely running automated login attempts with it. Change this password immediately - it is the highest priority.

"Reused" means: You used the same password on multiple sites. Even if none of those sites has been breached yet, reuse is a critical vulnerability. If any one of those sites is ever breached, every other account using that password becomes instantly vulnerable. Change reused passwords to unique ones - this is the second highest priority.

"Weak" means: The password is short, uses common patterns, or is a dictionary word. These are vulnerable to brute-force attacks even without a breach. Change these when you have time, after handling compromised and reused passwords first.

One thing I found during the research for this guide that most people are not told: having your email address appear in a breach does not automatically mean your password was exposed. Many breaches only expose email addresses, names, and phone numbers - not password data. Check the specific breach details on HIBP to see exactly what was exposed. If only your email address was in the breach, the risk is lower but you should still change the password on that site as a precaution.
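The k-anonymity lookup from Step 1 and the three warning categories from Step 4, as an added Python example (not HIBP's, Google's or Apple's code). The range response, its counts and the vault entries are constructed; the real HIBP endpoint is GET https://api.pwnedpasswords.com/range/{prefix} over the uppercase SHA-1 hex of the password, which this mirrors, and the "weak" rule is a simplified stand-in for what the apps actually check.

```python
import hashlib
from collections import Counter

# Constructed stand-in for the HIBP range endpoint (GET /range/{prefix}):
# one "SUFFIX:COUNT" line per breached hash sharing the prefix. The first
# suffix is the real SHA-1 of "password"; the count and second line are made up.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n",
}

def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, fetch_range=SAMPLE_RANGE_RESPONSE.get) -> int:
    """Return how many times the password appears in breach data (0 = unseen).
    fetch_range(prefix) stands in for the HTTP call; matching is done locally,
    so the server only ever learns the 5-character prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in (fetch_range(prefix) or "").splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def audit(entries, fetch_range=SAMPLE_RANGE_RESPONSE.get, min_len=12):
    """Apply the Step 4 categories to (site, password) pairs. 'weak' is a
    simplified proxy here: too short, all letters, or all digits."""
    uses = Counter(pw for _, pw in entries)
    report = {}
    for site, pw in entries:
        flags = []
        if breach_count(pw, fetch_range):
            flags.append("compromised")
        if uses[pw] > 1:
            flags.append("reused")
        if len(pw) < min_len or pw.isalpha() or pw.isdigit():
            flags.append("weak")
        report[site] = flags
    return report

# Constructed vault entries; none of these are real accounts.
VAULT = [("mail.example", "password"), ("bank.example", "password"),
         ("shop.example", "Tr0ub4dor&3"), ("forum.example", "xq9!Lm2#Vp7$Rz4w")]
```

Calling `audit(VAULT)` flags the two "password" entries as compromised, reused and weak, the 11-character one as weak only, and the last as clean; swap `fetch_range` for a real HTTP GET to run it against HIBP.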

Step 5: Fix Compromised Passwords - The Right Order

If you found compromised or reused passwords, here is the correct sequence to fix them efficiently:

Start with your most important accounts first:

  • Email accounts - these are the master key. Someone with access to your email can reset every other password you have
  • Banking and financial accounts
  • Accounts that store payment methods (Amazon, Apple, Google Pay, etc.)
  • Your password manager, if you use one
  • Work accounts
  • Social media accounts (can be used for impersonation or to access connected apps)

For each compromised account:

  • Go to the site and log in (if you still can)
  • Go to Settings, Security, or Account settings and find Change Password
  • Create a new, unique password - see Step 6 below for how
  • After changing the password, look for a "Sign out of all other sessions" or "Revoke all active sessions" option and use it - this terminates any active logins by others
  • Review the account's connected apps and remove any you do not recognize

If you cannot log in because an attacker has already changed the password, use the account's recovery process - typically a "Forgot password" link that sends a reset to your email. This is why your email account security is the most critical first step.

Step 6: Set Up Bitwarden - Free, Open Source, Unlimited


The only sustainable solution to the reused password problem is a password manager that generates and stores a unique, strong password for every account. Bitwarden is the best free option available in 2026 - consistently rated the top free password manager by PCMag, The Verge, and CNET. It is fully open source, has been independently audited multiple times, uses zero-knowledge encryption (meaning Bitwarden cannot see your passwords even if they wanted to), and syncs across unlimited devices on the free tier.

Set up Bitwarden in 5 minutes:

  • Go to bitwarden.com and create a free account
  • Choose a strong master password - use a passphrase of four or five random words rather than a complex string. Something like "correct-horse-battery-staple" is both more memorable and harder to brute-force than "P@ssw0rd123"
  • Download the browser extension for Chrome, Firefox, Safari, or Edge from bitwarden.com/download
  • Download the mobile app: Android on Google Play | iPhone on App Store
  • Enable 2FA on your Bitwarden vault immediately: log in to bitwarden.com, go to Settings, Security, Two-step login, and choose an authenticator app. Bitwarden's own Authenticator app works, as does Google Authenticator or Microsoft Authenticator. Do not use SMS 2FA for Bitwarden - Bitwarden themselves state this clearly, as SMS can be intercepted through SIM swapping
  • Set vault timeout: go to Settings, Security, Vault Timeout and set it to 15 minutes or On System Idle so your vault locks automatically

As you visit sites and change passwords, let Bitwarden generate and save new passwords. The built-in generator creates passwords up to 128 characters with full complexity. You never need to remember any of them - only your master password and your 2FA app.

If you already use Apple iCloud Keychain or Google Password Manager, those are also solid options for most users. The key principle is the same: every site gets a unique, generated password. No reuse.

Step 7: Enable 2FA on Your Most Important Accounts

A strong, unique password is necessary. It is not sufficient. Two-factor authentication (2FA) means that even if an attacker has your password, they cannot log in without a second factor - typically a six-digit code from an authenticator app that changes every 30 seconds.

Enable 2FA on these accounts first, in this order:

  • Your email account (Gmail: myaccount.google.com/security | Outlook: account.microsoft.com/security)
  • Your password manager
  • Banking apps and financial accounts
  • Apple ID (appleid.apple.com) or Google Account (myaccount.google.com)
  • Social media: Instagram, Facebook, X, LinkedIn

For all of these, use an authenticator app rather than SMS. Bitwarden has a free standalone Authenticator app: Android | iOS. Google Authenticator and Microsoft Authenticator are also reliable choices. Bitwarden's official guidance confirms that app-generated codes cannot be intercepted through SIM swapping attacks, work offline, and are not dependent on cellular networks - making them significantly more secure than SMS codes.

When you enable 2FA on any account, you will receive backup recovery codes. Store these in your Bitwarden vault. If you ever lose access to your phone, these codes are the only way to regain access to your accounts.

One Thing to Do Right Now If You Do Nothing Else

Go to haveibeenpwned.com, type in your main email address, and see what comes back. The whole check takes 15 seconds. If you get a green result, sign up for breach notifications and you are done for today. If you get a red result, start with Step 5 above - prioritize your email password first, then banking, then everything else.

The full 10-minute process in this guide - checking all three tools, fixing compromised passwords in priority order, setting up Bitwarden, and enabling 2FA on your most important accounts - addresses the most common way accounts get broken into in 2026. Automated credential stuffing attacks work because most people reuse passwords. Remove the reuse and the attack fails.
