TL;DR
  • Use Have I Been Pwned to check your email or password against billions of leaked records.
  • If a password appears in a breach, change it immediately on every account that uses it.
  • Most modern password managers include built-in breach monitoring. Turn it on.
  • About 1 in 5 people know they have had a password exposed; 39% are not sure either way.

The unsettling truth: if you have been online for more than a few years, one of your passwords is almost certainly already on a breach list somewhere. The good news: there are reliable, free tools to find out which ones, and to do something about it.

Here is how to check, what the results actually mean, and what to do when one of yours turns up.

Why this matters for Canadians

About 43% of Canadians say they have been affected by a privacy breach, according to the Office of the Privacy Commissioner. Roughly one in five people knows for sure that at least one of their passwords has been exposed in a breach. Another 39% are not sure either way.

Canadian companies are not immune. Bell Canada, Indigo Books and Music, the Ontario Birth Registry, Nova Scotia Power, and SickKids Hospital have all suffered serious incidents in the last few years. When breaches happen, login data often ends up traded on dark web forums and aggregated into public lists. Your password from a 2018 forum signup may be the password an attacker tries against your bank tomorrow.

The tool to use: Have I Been Pwned

The free service Have I Been Pwned, run by Australian security researcher Troy Hunt, is the most widely trusted breach lookup in the world. It indexes billions of records from publicly disclosed breaches.

You can search two things:

  1. By email address. Enter your email and the site lists every known breach where that email appeared.
  2. By password. Enter a password (your browser hashes it and sends only part of the hash; the password itself is never sent) and the site tells you whether that exact password has appeared in any breach.

The password search uses a clever method called k-anonymity. Your browser hashes the password, sends only the first five characters of the hash, and matches results locally. The full password and full hash never leave your device. Browsers use the same approach for built-in password leak warnings.
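The k-anonymity lookup described above, as an added example (not this site's or Have I Been Pwned's own code): it hashes a password, sends only the five-character prefix, and matches the remaining suffix against the range response locally. The endpoint URL and the Add-Padding header are the documented HIBP ones; the sample response body and its counts are constructed for the demo, and the User-Agent value is a placeholder.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented HIBP range endpoint

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the 5-char
    prefix that is sent to the service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns (one per hash in that prefix bucket)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Return how often the password appears in breaches, matching the suffix locally.
    0 means the exact password was not in the bucket; it says nothing about strength."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup (network): sends only the 5-character prefix. Add-Padding asks HIBP to pad
    the bucket with zero-count dummy entries so response size does not reveal the bucket."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-breach-check"},  # UA is a placeholder
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample of a range response for prefix 5BAA6 (the bucket for "password").
# The first suffix is the real SHA-1 tail of "password"; the counts and other suffixes are made up.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
"""

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print(f"prefix sent: {prefix}, hits: {breach_count('password', SAMPLE_RANGE_BODY)}")
```

Swap `SAMPLE_RANGE_BODY` for `fetch_range(prefix)` to run a live check; the service still only ever sees the five-character prefix.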

What the results actually mean

If your email shows up in a breach, that does not necessarily mean your current password for that site is compromised. It depends on what the breach included.

Have I Been Pwned shows you which categories of data were exposed in each breach. Read it carefully.

What to do when a password is in a leak

If a specific password appears in any breach list, that password is permanently burned. It will be in attacker dictionaries forever. Three actions, in order:

  1. Change the password on every account that uses it. Yes, every one. Generate a fresh, unique password for each, ideally with your password manager.
  2. Turn on two-factor authentication where you have not already. See our guide on what 2FA is and why you need it.
  3. Watch for unusual login activity on the affected accounts for the next few weeks. Most major services have a recent activity page showing devices and locations.

A leaked password never recovers

Even if a year passes with no obvious problem, that password is still in dumps being traded. Retire it permanently.

Built-in browser warnings

Most modern browsers will warn you about reused or compromised passwords. Chrome's Password Checkup, Safari's Compromised Passwords feature, and Firefox's breach alerts all use a similar k-anonymity lookup against the Have I Been Pwned database.

Turn these on. They are passive, run in the background, and surface problems you would otherwise miss. The downside: they only check passwords saved in the browser. Anything you store only in your password manager will not be checked unless your manager has its own monitoring.

Password manager monitoring

Most paid password managers include breach monitoring. 1Password's Watchtower, Bitwarden Premium's Data Breach Report, Dashlane's Dark Web Monitoring, and Proton Pass's Pass Monitor all flag credentials that appear in known leaks.

If you already pay for a manager, this feature is included and worth turning on. It scans your vault automatically and alerts you when something needs attention. If you use the free tier of a manager and rarely run manual checks, this is one of the strongest reasons to upgrade.

Dark web monitoring services

You may see paid services advertising dark web monitoring or identity protection. The honest answer: most of what they do is a layer on top of Have I Been Pwned, packaged with credit monitoring and insurance. For most individuals, the free Have I Been Pwned check plus your password manager's monitoring is plenty.

If you have suffered identity theft already, or you are at elevated risk for some reason, the paid services have value. For everyone else, save the money and put it toward a password manager subscription.

Reporting a breach you experienced

If you suspect a Canadian organization has mishandled your data, you can file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. For Quebec residents, the Commission d'accès à l'information du Québec handles complaints under Law 25. Both regulators have full investigative authority.

Under PIPEDA, organizations are required to notify the OPC and affected individuals when a breach creates a real risk of significant harm. If you ever receive such a notification, take it seriously, and use the steps in this article to clean up.

The takeaway

Checking is free. Doing nothing is the most common mistake. Among Canadians who knew about an exposure, a Keeper Security survey found about 9% took no action. That choice is the difference between a near miss and a real loss.

Once a year, run a check on your main email addresses. After any major breach in the news, run another. When something turns up, change passwords and move on. The whole process takes 20 minutes and removes the most common path attackers actually use.