By Ken Hollow, the man whose email appeared in nine data breaches and has the trust issues to prove it
Nana’s email was sending messages she didn’t write.
“Ken. My email just sent a link for ‘discounted enchantment crystals’ to my entire contact list. I did NOT send this.”
“Nana, your email has been compromised.”
“By WHOM?”
“By a company you signed up with that got hacked. Your password leaked, and someone used it.”
“…Which company?”
“Let’s find out.”
This happens more often than people think. Billions of login credentials have been exposed in data breaches over the past decade. The real question isn’t whether your email has been involved in a breach — it almost certainly has. The question is which breaches, what was exposed, and what you should do about it right now.
The good news: checking takes 60 seconds, and fixing it is straightforward.
Go to haveibeenpwned.com, type in your email address, and hit the button. It will show you every known data breach your email has appeared in. It’s free, trusted, and takes less than a minute. If your email shows up (most people’s will), change the passwords for those accounts, enable two-factor authentication, and set up breach alerts for the future.
haveibeenpwned.com (commonly called HIBP) is the gold standard for breach checking. It was built in 2013 by security researcher Troy Hunt and is trusted by governments, law enforcement, and security professionals worldwide. The database currently contains over 17 billion compromised account records.
Here’s what to do:
You’ll see one of two outcomes:
“Good news — no pwnage found!” — Your email wasn’t found in any known breaches in HIBP’s database. That’s good, but it doesn’t guarantee it’s never been exposed — it just means it’s not in any publicly disclosed breach that HIBP tracks.
“Oh no — pwned!” — Your email was found in one or more data breaches. The page will list exactly which breaches, what data was exposed (passwords, names, phone numbers, etc.), and when the breach occurred.
Important: Do NOT enter your password into any breach-checking tool. HIBP only asks for your email address. It also has a separate “Pwned Passwords” tool where you can check if a specific password has appeared in breach databases — this is safe to use because it uses a privacy-preserving technique where your actual password is never sent to their servers.
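How that privacy-preserving check works, as an added example that is not from the original post: the Pwned Passwords range API uses k-anonymity, so the password is hashed with SHA-1 on your own machine, only the first five characters of the hash are sent, and the match is made locally. The function names and the response body below are constructed for illustration so the sketch runs offline.

```python
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix to send, 35-char suffix kept private)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """The only thing that goes over the network is the 5-character prefix."""
    return RANGE_API + prefix


def breach_count(suffix: str, range_body: str) -> int:
    """Find our suffix among the 'SUFFIX:COUNT' lines returned for the prefix."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix is not in the returned bucket


def sample_range_body() -> str:
    """Constructed response for the prefix of 'password'; the counts are made up."""
    _, real_suffix = split_hash("password")
    decoys = ["0" * 35 + ":3", "A" * 35 + ":17"]
    return "\r\n".join([decoys[0], real_suffix + ":42", decoys[1]])


if __name__ == "__main__":
    # In real use the body would be fetched from range_url(prefix).
    prefix, suffix = split_hash("password")
    hits = breach_count(suffix, sample_range_body())
    print(f"GET {range_url(prefix)} -> suffix matched locally, seen {hits} times")
```

The service sees a prefix shared by many different passwords, so it cannot tell which one was being checked.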
“My email appeared in SEVEN breaches. SEVEN. Including a food delivery app I used once in 2019. That app has my address AND my late-night dumpling habit. I feel exposed on multiple levels.”
Being listed in a data breach does not mean your account has been actively hacked right now. It means a company you signed up with had their database breached, and your information was part of what leaked. Whether anyone has actually used your compromised data depends on what was exposed and whether you’ve taken action since.
HIBP tells you exactly what was exposed in each breach. Common data types include:
Email addresses only — Lowest risk. Attackers know your email exists but don’t have your password. You might get more spam or phishing attempts.
Email + hashed passwords — Moderate risk. “Hashed” means the password was run through a one-way scrambling function before it was stored, rather than saved as-is. Attackers need to crack the hash to get the actual password, which is hard with strong passwords but easy with weak ones.
Email + plaintext passwords — High risk. The password was stored unencrypted (terrible practice by the company). If you reused that password elsewhere, every account using it is vulnerable.
Email + personal data (name, phone, address, DOB) — Identity theft risk. This data can be used for social engineering, targeted phishing, or even opening accounts in your name.
If your email appeared in breaches, here’s what to do, in priority order:
Start with the accounts specifically listed in the breach results. If you used the same password on other accounts (be honest — most people have), change those too. Every account should have a unique strong password.
This is where a password manager becomes essential. You probably have dozens of accounts that need unique passwords. A password manager generates them, stores them, and fills them in for you. You only remember one master password.
Start with your email account — this is the most critical one because it’s used for password resets on almost everything else. If an attacker has access to your email, they can reset passwords on your banking, social media, and other accounts.
Then enable 2FA on banking, social media, cloud storage, and anything else that supports it. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) over SMS when possible.
If your email was actively compromised (not just in a breach database, but someone actually logged in), they might have set up forwarding rules to silently copy your incoming mail to their address. Check:
Gmail: Settings → See all settings → Forwarding and POP/IMAP. Make sure no unknown forwarding addresses are listed.
Outlook: Settings → Mail → Forwarding. Verify no forwarding is enabled that you didn’t set up.
Also check your “Sent” folder and “Filters/Rules” for anything you didn’t create.
On HIBP’s results page, click “Notify me when I get pwned” and enter your email. You’ll receive an automatic notification whenever your email appears in a newly disclosed breach. This is free and means you’ll know about future breaches immediately instead of months or years later.
Being in a breach database is different from having someone actively inside your account. Here are the warning signs that someone may currently have access:
| ⚠️ Warning Sign | What It Means |
|---|---|
| Emails in your “Sent” folder that you didn’t write | Someone is sending messages from your account — possibly spam or phishing links to your contacts |
| Password reset emails you didn’t request | Someone is trying to access your other accounts using your email for resets |
| Login alerts from unfamiliar locations or devices | Someone has your password and is logging in — change it immediately |
| Contacts telling you they received strange messages from you | Your account is being used to send phishing or malware to people you know |
| You can’t log in with your usual password | The attacker may have changed your password — use the “forgot password” recovery immediately |
| Unknown forwarding rules in your email settings | An attacker set up silent forwarding to copy your incoming mail |
If you see any of these signs, treat it as an active compromise: change your password immediately, enable 2FA, check for forwarding rules, and review recent login activity in your email account’s security settings.
“I found an email in my Sent folder advertising ‘enchantment crystals at wholesale prices.’ On the one hand, I’m offended someone used my identity for cheap merchandise. On the other hand, the pricing was actually competitive.”
You can’t prevent companies from getting breached — that’s their security failure, not yours. But you can make sure a breach at one company doesn’t cascade into a disaster across all your accounts.
Never reuse passwords. This is the single most impactful thing you can do. If every account has a unique password, a breach at one service affects only that service. A password manager makes this effortless.
Enable 2FA on everything that supports it. Even if your password leaks, the attacker can’t get in without your second factor.
Use a VPN on public WiFi. This prevents your credentials from being intercepted on shared networks.
Watch for phishing emails. Once your email is in breach databases, you’ll likely receive more phishing attempts — fake emails that look like they’re from your bank, streaming service, or other providers. Never click links in unexpected emails. Go directly to the website instead.
Check HIBP periodically. Or better yet, set up the free notification alerts so you’re informed automatically.
Go to haveibeenpwned.com and check your email address — it’s free and takes 60 seconds. If it appears in breaches (and it probably will), change the passwords for those accounts, enable two-factor authentication starting with your email, check for forwarding rules that an attacker might have set up, and set up breach alerts for the future. Use a password manager to maintain unique passwords across all your accounts. Being in a breach database doesn’t mean you’ve been actively hacked — it means your data was exposed and you need to close the door before someone walks through it.
“I have a new password manager, 2FA on everything, and breach alerts turned on. My email is now more secure than Ken’s apartment. Which, to be fair, doesn’t have a deadbolt. Ken, get a deadbolt.”
Hi. I’m Ken. I run Two Second Solutions, a one-man agency that somehow landed a fox spirit influencer as a client. I drink too much coffee, blog when I need to vent, and regularly update my résumé just in case she sets the office on fire again. I’m not crying — it’s just spell residue.