There is a good chance that your email address and at least one password you have used is already sitting in a database that criminals can access. That is not scaremongering. It is a reflection of how many companies have been breached over the past decade, and of how that stolen data piles up and gets recycled.
The good news is that you can find out, and once you know, the steps to protect yourself are straightforward. This guide explains how email breaches happen, how to check whether yours is exposed, and exactly what to do next.
Why is this so common?
When an online service is breached, attackers often walk away with lists of email addresses and passwords. Those lists do not disappear. They get traded, combined, and republished, growing into enormous collections that circulate among cybercriminals.
The scale is hard to overstate. In late 2025, the breach-notification service Have I Been Pwned added a single dataset containing roughly 2 billion unique email addresses and around 1.3 billion unique passwords, gathered from credential-stuffing lists circulating online. It was the largest single addition in the service’s history, and researchers confirmed that many of the passwords were still actively in use on real accounts.
That last detail is the heart of the problem. Most people reuse passwords. So when criminals get a working email-and-password pair from one breached site, they try it automatically against dozens of other services (banking, email, social media, your company’s systems), hoping you used the same combination somewhere that matters. This technique, called credential stuffing, only works because of password reuse, and it works often enough to be a thriving criminal industry.
It is also why credentials are now the most valuable thing an attacker can steal. According to Verizon’s 2025 Data Breach Investigations Report, credential abuse was the single most common way attackers gained their initial foothold, involved in 22% of all breaches, and stolen credentials featured in 88% of attacks against web applications. Your email login is not a minor detail. For many businesses, it is the front door.
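As an added example (not from the original article), this Python snippet shows the defender's side of credential stuffing: a small detector run over constructed login-log lines that flags a source address trying many different accounts with a high failure rate, and lists the accounts where a stuffed password actually worked. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not real data). Assumed format:
# "<timestamp> ip=<addr> user=<email> result=<success|failure>"
SAMPLE_LOG = """\
2025-11-03T08:00:01Z ip=203.0.113.5 user=alice@example.com result=failure
2025-11-03T08:00:02Z ip=203.0.113.5 user=bob@example.com result=failure
2025-11-03T08:00:02Z ip=203.0.113.5 user=carol@example.com result=failure
2025-11-03T08:00:03Z ip=203.0.113.5 user=dave@example.com result=success
2025-11-03T08:00:03Z ip=203.0.113.5 user=erin@example.com result=failure
2025-11-03T08:00:04Z ip=203.0.113.5 user=frank@example.com result=failure
2025-11-03T08:05:10Z ip=198.51.100.7 user=alice@example.com result=failure
2025-11-03T08:05:20Z ip=198.51.100.7 user=alice@example.com result=success
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(success|failure)")

def detect_credential_stuffing(log_text, min_accounts=5, min_failure_rate=0.6):
    """Return {ip: summary} for source IPs whose pattern looks like credential
    stuffing: many distinct accounts tried from one address with a high failure
    rate. A legitimate user who mistypes once (second IP above) hits a single
    account and is ignored."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "successes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        ip, user, result = m.groups()
        entry = per_ip[ip]
        entry["accounts"].add(user)
        entry["attempts"] += 1
        if result == "failure":
            entry["failures"] += 1
        else:
            entry["successes"].add(user)

    flagged = {}
    for ip, e in per_ip.items():
        failure_rate = e["failures"] / e["attempts"]
        if len(e["accounts"]) >= min_accounts and failure_rate >= min_failure_rate:
            flagged[ip] = {
                "accounts_tried": len(e["accounts"]),
                "failure_rate": round(failure_rate, 2),
                # accounts that succeeded from a stuffing source need a forced reset
                "compromised": sorted(e["successes"]),
            }
    return flagged
```

The `compromised` list is the actionable output: those users should get a forced password reset and an MFA check, exactly the response the rest of this guide describes.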
How to check if your email has been breached
You do not need technical skills to find out whether your address appears in known breaches. CDMA offers a free Breached Email check that lets you enter your address and see whether it has been exposed in a known data breach. It takes seconds and gives you a clear answer to start from.
When you run a check, treat the result calmly. A “match” does not mean your email account itself has been hacked right now. It usually means your address, and possibly a password, appeared in a breach of some other service you once used. The risk is real but manageable, and the response is the same either way: assume any password tied to that address could be known to attackers, and act accordingly.
It is worth checking every email address you use regularly, both personal and work, because attackers do not respect that boundary. A reused password from a personal account is a common route into a business one.

What to do if your email shows up
If your address appears in a breach, work through the following steps. Do the first three immediately.
1. Change the password, and do not reuse it. Start with the affected account, then change the password anywhere you used the same or a similar one. Every account should have its own unique password. The simplest way to manage that without memorising dozens of logins is to use a free password generator to create strong, random passwords and store them in a reputable password manager. A password manager also makes reuse easy to avoid, because you never have to remember the password in the first place.
2. Turn on multi-factor authentication (MFA). MFA adds a second check, such as a code or an approval on your phone, so that a stolen password alone is not enough to get in. Enable it on your email first, since email is often the key that unlocks password resets for everything else, then on banking, cloud storage, and any business systems. MFA blocks the overwhelming majority of automated attacks that rely on stolen passwords.
3. Check for signs of misuse. Review your account’s recent sign-in activity and connected devices, look for inbox rules or forwarding addresses you did not create (a classic trick attackers use to quietly read your mail), and check that your recovery email and phone number still belong to you.
4. Be alert to follow-on scams. Once your details are exposed, you may receive more convincing phishing emails or even “sextortion” messages quoting an old password to frighten you. If a message references a password you recognise, it almost certainly came from an old breach, not a live hack. Change that password and ignore the threat.
5. If it is a work account, tell your IT team or provider straight away. A breached business email can lead to invoice fraud, data theft, or attackers impersonating you to colleagues and customers. Early reporting lets your IT team contain the risk before it spreads.
6. Do not forget old and secondary accounts. The dataset that exposes you is often from a service you barely remember signing up for years ago. That forgotten account is dangerous for two reasons: the password on it may still be one you reuse elsewhere, and the account itself may still have access to your data or act as a recovery route into more important logins. Take the opportunity to close accounts you no longer use, and update the passwords on the ones you keep. Where a service offers it, consider switching from a password to a passphrase: a long string of unrelated words is both harder for attackers to crack and easier for you to remember than a short, complex one.
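Step 3 above in code, as an added example that is not part of the original article: a Python audit over a constructed export of one mailbox's rules and forwarding settings that flags the tricks the step describes (forwarding to an outside address, rules that delete mail about passwords or invoices, rules with throwaway names). The record layout, field names and addresses are assumptions for the example, not any provider's real API.

```python
# Constructed export of a mailbox's inbox rules and forwarding settings (not a
# real account). Field names are assumptions chosen for this example; map your
# provider's export onto them.
OWN_DOMAIN = "example.com"

MAILBOX = {
    "owner": "alice@example.com",
    "forwarding_address": "alice.backup@mail-example.net",  # mailbox-level forward
    "rules": [
        {"name": "Newsletters", "conditions": {"from_contains": "news@"},
         "actions": {"move_to": "Newsletters"}},
        {"name": ".", "conditions": {"body_contains": ["password", "invoice", "reset"]},
         "actions": {"forward_to": "collector@attacker-example.org", "delete": True}},
        {"name": "Team", "conditions": {"from_contains": "@example.com"},
         "actions": {"forward_to": "bob@example.com"}},
    ],
}

SENSITIVE_WORDS = {"password", "invoice", "reset", "bank", "mfa"}

def is_external(address, own_domain=OWN_DOMAIN):
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + own_domain)

def audit_mailbox(mailbox, own_domain=OWN_DOMAIN):
    """Return (severity, finding) pairs for settings matching the post-breach
    checklist: external forwarding, rules that delete mail about sensitive
    topics, and rules with throwaway names (a rule called '.' is easy to miss)."""
    findings = []
    fwd = mailbox.get("forwarding_address")
    if fwd and is_external(fwd, own_domain):
        findings.append(("high", f"mailbox-level forwarding to external address {fwd}"))
    for rule in mailbox.get("rules", []):
        name = rule.get("name", "")
        cond = rule.get("conditions", {})
        act = rule.get("actions", {})
        target = act.get("forward_to")
        if target and is_external(target, own_domain):
            findings.append(("high", f"rule {name!r} forwards mail to external address {target}"))
        words = {w.lower() for w in cond.get("body_contains", [])}
        hidden = sorted(words & SENSITIVE_WORDS)
        if act.get("delete") and hidden:
            findings.append(("high", f"rule {name!r} deletes mail mentioning {hidden}"))
        if not name.strip(" .,-_"):
            findings.append(("medium", f"rule {name!r} has a throwaway name, review manually"))
    return findings
```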
Why a one-time check is not enough
Checking once is useful, but new breaches happen constantly, and a credential that is safe today can be exposed next month when another company is compromised. For an individual, the practical answer is good habits: unique passwords everywhere, a password manager, and MFA switched on.
For a business, the stakes and the complexity are higher. You are not protecting one inbox but dozens or hundreds, each a potential entry point, and you often will not know that an employee’s credentials have leaked until they are already being used against you. This is where continuous monitoring matters. Rather than waiting for someone to run a manual check, a managed approach watches for your organisation’s credentials appearing in new breaches and dark-web dumps, and triggers a response (forcing a password reset, reviewing the account) before the exposure becomes an incident.
This is part of what our managed security services provide: ongoing visibility into credential exposure across your business, combined with the controls and rapid response needed to act on it. It turns a reactive scramble into a managed process.
The takeaway
If your email address has been part of a breach, you are in very large company: billions of addresses are circulating, and the only real question is what you do about it. The exposure itself is rarely the disaster. The disaster is reusing a leaked password on an account that matters and leaving MFA switched off.
Take five minutes to check your address, change any reused passwords for strong unique ones, and turn on MFA everywhere you can. Those three actions neutralise the vast majority of the risk. And if you are responsible for a team or a business, consider moving from occasional manual checks to continuous monitoring, so that the next leaked credential is caught and dealt with rather than quietly exploited.