Data Breaches — 6 April 2026 — 6 min read

Have I Been Pwned — What It Is and What to Do If Your Email Appears

14 billion breached accounts. Created by an Australian. And most people have never heard of it.

What Have I Been Pwned actually is

Have I Been Pwned (HIBP) is a free service created by Australian security researcher Troy Hunt. It aggregates data from known data breaches — the Optus hack, the Medibank leak, the LinkedIn breach, thousands more — and lets anyone check whether their email address or phone number appeared in any of them.

As of 2026, the database contains over 14 billion breached records. If you have had an email address for more than five years and have ever used it to sign up for any online service, there is a reasonable chance it appears somewhere in that database.

How to check your email address

Go to haveibeenpwned.com and enter your email address. The site will tell you:

  • Whether your email appeared in any known breach
  • Which specific breaches it appeared in
  • What type of data was exposed — passwords, phone numbers, addresses, financial data
  • When each breach occurred

You can also run this check automatically on our homepage — Hugo checks your email against the same database in real time and gives you a plain English summary of what was found.

What to do if your email appears

1. Do not panic

Appearing in a breach does not mean your accounts have been accessed. It means your email was in a dataset that was stolen. The risk depends on what data was exposed.

2. Change your password immediately

For the site involved in the breach. If you reused that password anywhere else, change it on every site that uses it. Use a password manager (Bitwarden is free and excellent) to generate unique passwords going forward.

3. Enable two-factor authentication

On every account that supports it. Use an authenticator app like Aegis or Ente Auth rather than SMS — SIM swap attacks are common in Australia.

4. Check what data was exposed

If the breach included your address, phone number, or financial data, your risk profile is significantly higher than if it was just your email. This is when professional removal becomes worth considering.

5. Monitor for unusual activity

Check your bank accounts, superannuation, and MyGov connections for anything unfamiliar. Set up credit monitoring through Equifax, Experian, or Illion.
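
As an added example (not code from this site or from HIBP), the Python below applies steps 1 to 5 to a list of breach results and orders the follow-up actions by what was exposed. The sample records are constructed in the shape of HIBP breach entries (Name, BreachDate, DataClasses), and the grouping of data-class labels into risk levels is an assumption made for illustration.

```python
import json

# Constructed sample shaped like a list of HIBP breach entries.
# The breach names and their contents are made up for this example.
SAMPLE = json.loads("""[
  {"Name": "ExampleForum", "BreachDate": "2019-03-02",
   "DataClasses": ["Email addresses", "Passwords"]},
  {"Name": "ExampleTelco", "BreachDate": "2022-09-20",
   "DataClasses": ["Email addresses", "Phone numbers",
                   "Physical addresses", "Passport numbers"]},
  {"Name": "ExampleNewsletter", "BreachDate": "2021-06-11",
   "DataClasses": ["Email addresses"]}
]""")

# Assumed grouping of data-class labels onto the steps in this article.
CREDENTIALS = {"Passwords"}
HIGH_RISK = {"Phone numbers", "Physical addresses", "Credit cards",
             "Bank account numbers"}
IDENTITY_DOCS = {"Passport numbers", "Government issued IDs"}


def triage(breaches):
    """Return one entry per breach (newest first) with a risk level and actions."""
    results = []
    # ISO dates (YYYY-MM-DD) sort correctly as plain strings.
    for b in sorted(breaches, key=lambda b: b["BreachDate"], reverse=True):
        classes = set(b.get("DataClasses", []))
        level, actions = "low", []   # email only: step 1, nothing urgent
        if classes & CREDENTIALS:    # steps 2 and 3
            level = "medium"
            actions.append("change password here and wherever it was reused")
            actions.append("enable two-factor authentication")
        if classes & HIGH_RISK:      # steps 4 and 5
            level = "high"
            actions.append("monitor bank, superannuation and MyGov activity")
        if classes & IDENTITY_DOCS:  # identity documents exposed
            level = "high"
            actions.append("consider a credit ban with the credit bureaus")
        results.append({"breach": b["Name"], "date": b["BreachDate"],
                        "level": level, "actions": actions})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["date"]}  {r["breach"]:<18} {r["level"]:<6} '
              + "; ".join(r["actions"]))
```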

The Optus and Medibank breaches specifically

If you were an Optus or Medibank customer during the 2022 breaches, your data was exposed — and it has been circulating on dark web markets ever since. The data exposed includes passport numbers, drivers licence numbers, Medicare numbers, and in the case of Medibank, sensitive health information.

If you were affected, the standard advice applies but you should also consider placing a credit ban with all three Australian credit bureaus (Equifax, Experian, Illion) and contacting Services Australia to update your Medicare number if it was exposed.

Check your email now — free, instant

Hugo checks your email against the HIBP database in real time and tells you exactly what was found. No account, no storage, no cost.
