🚀 TG4G
🛡 Security 📍 HQ: Australia

haveibeenpwned.com

Overall Rating
★★★★⯨ 9.9/10
China Access
★★★ China direct-connect friendly
Data source
ai_crawl · Last updated 2026-06-24

⚡ Score breakdown

5-dim weighted · /10
Performance (25%): 9.9
Value (20%): 9.9
China access (20%): 10.0
Reputation (20%): 7.2
Support (15%): 9.4

Dimension scores are derived from public data and fields; weighted into the composite. Reference only.

Editorial Highlights

Free data-breach lookup; paid API.

In-Depth Review · TG4G Review · 2026-05-31 · For reference only

One-line introduction

haveibeenpwned.com is a free data-breach lookup tool operated by Australian security expert Troy Hunt. By entering an email address or username, users can quickly check whether that account has appeared in known data breaches worldwide. Because it tracks billions of leaked records in near real time and is free to use, it has become a widely recognized benchmark for breach detection in the cybersecurity community. Individual users, enterprise security teams, and developers all use it as a first line of defense in everyday security protection.

Business overview

The core service of haveibeenpwned.com is aggregating, indexing, and making known data-breach records searchable. Since its launch in 2013, it has collected more than 12 billion breached records, covering major incidents involving Facebook, LinkedIn, Adobe, Equifax, and many others. Troy Hunt is a Microsoft Regional Director and MVP. The project began as a personal research project, but quickly gained industry trust thanks to its large dataset and timely updates.

The platform mainly offers two types of services: a free public search interface, and paid API access for developers and businesses. The free version allows users to check whether an email address has been exposed and view breach details, such as the breach source and the types of data leaked. The API supports bulk queries and notification subscriptions, automatically alerting users when an email address appears in a new breach. In addition, the site provides a separate “pwned password” check: users submit a password hash prefix, and the service safely compares it to known leaked passwords without transmitting the actual password. Its users range from ordinary internet users to Fortune 500 security teams, and many password managers and security tools use its API directly as a data source.

Who it’s for

  • Individual users: The most common use case is regularly checking whether your email address has appeared in new breaches. It is especially useful for heavy internet users who have registered on many websites and are concerned about credential stuffing. It is completely free and does not require registration.
  • Security operations staff: Useful for monitoring whether company employee emails have been leaked, or checking the security status of accounts used by external-facing services. The API can be used for automated bulk queries.
  • Developers: When building login and registration systems, developers can call the API to check whether an email has appeared in breaches and recommend that users change passwords. Many password managers, such as 1Password and Bitwarden, integrate this service.
  • Enterprise security teams: Teams can use the API to subscribe to breach alerts and receive notifications as soon as employee email addresses appear in new breaches, making it easier to trigger password resets and risk investigations.

Key features and highlights

  • One of the world’s largest breach databases: Contains over 12 billion records across more than 600 separate breach incidents. Updates are very fast, with new breaches typically added within hours.
  • Free search + no ads: The core lookup function is completely free. The interface is clean and ad-free, and results clearly show the breach source, breach date, and leaked data types, such as email addresses, passwords, names, and more.
  • Password breach checking (Pwned Passwords): Users submit a password hash prefix, and the service safely returns whether that password has appeared in known leaks. The actual password is never transmitted, protecting privacy.
  • Domain search for businesses: Paid API plans support domain-based searches, allowing companies to view breach exposure for all email addresses under a domain at once, without entering each address manually.
  • Notification subscriptions: Free users can subscribe to email alerts and receive notifications when an address appears in a new breach. API users can implement real-time webhook-style alerts.
  • Open and transparent: Parts of the code are open source, data sources are publicly documented, and Troy Hunt regularly publishes transparency updates, giving the project a very high level of industry trust.

Pricing analysis

haveibeenpwned.com has a very clear pricing model: the free version is completely free for individuals, and payment only applies to API usage. API pricing is tiered by query volume. The basic plan starts at USD 3.50 per month, offering 1,000 queries/month. Higher tiers include options such as USD 350/month for 500,000 queries. Enterprise-oriented domain search is included in higher-tier plans.

Compared with similar data-breach detection services, its free version offers excellent value. Competing products such as Firefox Monitor and DeHashed either limit query volume or require payment to view breach details. Its API pricing is in the lower-to-mid range among professional tools, making it especially suitable for small and midsize teams. There are no hidden fees, and all prices are publicly listed on the official website. However, note that the free version does not support bulk queries or domain search, and there is no clear refund policy because the API is prepaid and usage-based; purchases are generally non-refundable.

How users in China can use it

  • Connectivity: Direct access from mainland China is generally smooth. Users can visit the main haveibeenpwned.com site and use the search feature without a VPN. Pages load relatively quickly, with occasional delays due to international network fluctuations, but overall availability is good. The API can also be accessed directly from servers in China.
  • Payment methods: Paid API access only supports credit cards such as Visa and Mastercard, as well as PayPal. Alipay and WeChat Pay are not supported. Users in China who need API access will need a foreign-currency credit card, or a PayPal account linked to a UnionPay card where supported.
  • VPN required: No. Neither the website nor the API is blocked, so users in China can access it directly.
  • Invoices: Chinese invoices are not available. haveibeenpwned.com is a personal project with no China-based entity, and Troy Hunt has explicitly stated that he does not provide commercial invoices of any kind. Chinese companies that need reimbursement may need to use an overseas agent or look for a domestic alternative.
  • Domestic alternatives in China: Domestic options include the email breach lookup feature from ThreatBook, as well as similar services from Knownsec. However, their data volume and update speed are far behind haveibeenpwned. There are also mini-programs focused on “password checks,” such as “密码安全检测,” but most only support password lookup and do not provide comprehensive email breach data.

Pros and cons

Pros:

  • ✅ Largest dataset and fastest updates, with extremely high industry credibility
  • ✅ Completely free to use, with no ads and no registration required
  • ✅ Supports password breach checking via Pwned Passwords, in a secure and privacy-friendly way
  • ✅ Open and transparent, with traceable data sources and no obvious commercial conflict of interest
  • ✅ Accessible directly from China without a VPN

Cons:

  • ❌ Only supports email and password checks; it does not provide broader security intelligence such as IP or domain intelligence
  • ❌ The free version does not support bulk queries or domain search, so businesses need paid access
  • ❌ No Chinese interface, making it less friendly for non-English users
  • ❌ Cannot issue Chinese invoices, which makes reimbursement difficult for companies in China
  • ❌ Does not support Alipay or WeChat Pay, raising the barrier for API purchases

Comparison with similar products

  1. Firefox Monitor by Mozilla: Also based on data from haveibeenpwned, with a friendlier interface and support for notification subscriptions. The downside is that it requires a Firefox account, and data updates depend on the upstream source, so using the original site directly is more immediate.
  2. DeHashed: A commercial breach search engine that supports multi-dimensional searches by email, username, IP, domain, and more. It provides richer search results, such as associated accounts and password hashes. However, the free version limits query volume, and its data sources are less transparent than haveibeenpwned.
  3. IntelX: A dark web data search engine that includes breach data, but it requires payment and data quality can be inconsistent. It is better suited to advanced users who need deep web or dark web intelligence, rather than ordinary individual users.

Final recommendation

Best-fit scenarios for haveibeenpwned: Individuals who want to regularly check email security, developers integrating breach detection into applications, and small to midsize security teams monitoring employee email exposure. It is one of the simplest and most authoritative free breach detection tools available, especially for users who do not want to pay, do not want to register an account, and only need a quick check.

Less suitable scenarios: Users who need a Chinese interface, Chinese invoices, bulk domain searches on a limited budget, or dark web intelligence and IP/domain-level security data. For those needs, consider DeHashed, ThreatBook, or commercial security vendors.

Recommendation: Individual users can simply use the free version with no need to pay. Developers can first try the free API allowance of 1,000 queries per month, then upgrade to a paid plan if the data source meets their needs. Enterprise users can start by manually checking email addresses through the free version, and purchase API access later if long-term monitoring is required. Because there is no refund policy, it is best to test thoroughly with the free version before paying.

⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the official haveibeenpwned.com site.

About this entry

haveibeenpwned.com is an Australia-based security provider. TG4G tracks its product information, an overall rating of 9.9/10, and a China-accessibility rating of "China direct-connect friendly".


Frequently Asked Questions

What is haveibeenpwned.com?
haveibeenpwned.com is an Australia-based security provider. Free data-breach lookup; paid API.
Is haveibeenpwned.com good? Is it worth it?
haveibeenpwned.com scores 9.9/10 on TG4G, a strong rating, and is based in Australia. See the in-depth review above for pros, cons and China accessibility.
Is haveibeenpwned.com usable in China?
haveibeenpwned.com offers good direct-connect performance in mainland China and works in most regions without a proxy. The provider is headquartered in Australia and primarily serves overseas markets.
How do I sign up for haveibeenpwned.com?
Visit the haveibeenpwned.com official site to complete sign-up. Registration typically requires an email (Gmail/Outlook recommended) and a payment method. Most overseas services accept credit card / PayPal / crypto.
