How to find leaked passwords: have yours been leaked?

Imagine seeing Facebook or Twitter sending suspicious login attempt alerts to your email. You immediately think, “Is my password compromised?” And you’d be right to think so — in 2021 alone, hackers leaked over 2 billion passwords.

So let’s talk about how to do a password leak check, how credentials get leaked, and how to avoid such an unfortunate fate.

How to check if my password is compromised? Is it even possible?

Very much so! (phew) Several services allow you to find out if your passwords were leaked. Here are a few of them:

  1. Surfshark Alert

Surfshark Alert is our data breach checker, which offers several useful features. Let’s dig in:



Pros:

  • Real-time monitoring and email notifications;
  • The largest database of leaked data records;
  • Email monitoring;
  • National ID/Social Security Number monitoring;
  • Credit card monitoring;
  • The ability to check the exact details of a leak;
  • Fast processing of newly leaked data records;
  • An unlimited number of email addresses, credit cards, and national IDs can be added.

Cons:

  • Paid service.

  2. HaveIBeenPwned?

It was created by Troy Hunt, a Microsoft regional director and Microsoft’s MVP (Most Valuable Professional). HaveIBeenPwned is, without a doubt, the most popular site for simply checking breaches.



Pros:

  • Easy to use;
  • Free service;
  • Email address and phone number check;
  • Email breach notifications.

Cons:

  • No concrete breached data is shown;
  • No National ID/SSN monitoring;
  • No credit card monitoring.

  3. Google password checkup

Google has its own password checker, which is pretty convenient as it alerts you when you try to sign into a site with a breached password. However, it could be better.

It is also worth noting that Google has faced several lawsuits for violating user privacy and security, leaving room for concern.

Note: more on how Google knows if your password is compromised in the FAQ section.




Cons:

  • Checking must be done manually;
  • Limited to usernames and passwords;
  • Unused account breaches — you might never discover the breach if you forget your password.

These are but a few of the many options to check if your password is still safe. Some provide a more in-depth look, while others give you only the basic info, so evaluate your needs and pick the one that suits you best.

What does a leaked password mean?

It means that your password has ended up in a data leak or breach, and your account is vulnerable. 

At first glance, it might not look like such a big deal, but in reality, one leaked password can give criminals access to a wide variety of sensitive information and even threaten your other accounts.

What happens when my password is leaked?

As with identity theft, your password might get stolen by a criminal and might be used for monetary gain. With your password, they can:

  • Hack into your account and see your banking details;
  • Crack other accounts if you use the same password or a similar one;
  • Imitate you online or, worse — steal your identity;
  • Ruin your credit score, get medical services, and collect your pension;
  • Sell your information to someone else or even blackmail you for money.

How do hackers discover compromised passwords?

Hackers exploit security loopholes in company databases. They hack them to get ahold of stored company and consumer data, causing a data breach.

The results can be quite severe as businesses will usually lose the trust of their customers and partners. Incidents like these always end with public apologies and a damaged brand reputation. For instance, 533 million Facebook users’ data got leaked in 2021, and a LinkedIn breach exposed over 92% of its users in the same year.

Apart from data breaches, there are a few other ways passwords can leak:

  • Disgruntled employees leaking data — this occurs when wronged employees take revenge against their company and reveal confidential details to the public (usually on the internet or to the media);
  • Mishandling of user data — many companies have poor cybersecurity practices, and their stored data can easily leak without a cyberattack. They often fall victim to illegal data scraping, which means collecting info and putting it into a spreadsheet;
  • Using devices infected with malware — malware is software designed to steal your data or damage your devices. This problem is often recognized when it is too late;
  • Using untrustworthy public Wi-Fi — hackers connected to the same network can easily gain access to your devices and thus login credentials;
  • Phishing — a scam containing a malicious link and a suspicious email domain. Clicking on such links results in a data leak;
  • Lost or stolen devices — unencrypted devices are easy to crack for hackers with the right software;
  • Outdated operating systems (OS) — they don’t contain the latest security improvements. Avoiding or postponing updates can endanger your passwords.

What data is stolen from me when information leaks or gets breached?

Your email and password might not seem like much, but these two details are enough to access your accounts and find other information quickly. Here are some of the details that usually get leaked:

  • Financial details — credit card numbers, bank details, etc.;
  • Identity information — name, surname, address, etc.;
  • Email addresses;
  • IP addresses;
  • Passwords;
  • Purchases;
  • Usernames;
  • Website activity;
  • Chat logs;
  • Private messages;
  • Time zones;
  • Dates of birth;
  • Genders;
  • Geographic locations.


What can I do to prevent password leaks?

Where there’s a will, there’s a way. With that in mind, let’s dig into these “ways.” 

Secure your passwords:

  • Make sure you use a strong password — it should be at least 12 characters long, with symbols, numbers, and lower-case and upper-case letters (*Rf2Te8PVe9!). This reduces the risk of it being cracked by criminals;
  • Use unique passwords — straightforward keyboard sequences (12345, qwerty) should be avoided. Your info like birth date, name, and surname is a no-go, too (Peter19860905);
  • Set up two-factor authentication (2FA) — it is an additional security measure that requires authentication from an approved device to log in. Even if criminals acquire your login details, they won’t be able to access your account;
  • Don’t recycle passwords — it is a common practice to set the same password or to change one or two symbols of the old one when it expires. But this leaves you open to brute-force attacks (constant guessing of passwords with software);
  • Use different passwords on multiple sites — this will help you avoid the worst-case scenario when a cybercriminal would gain access to several of your accounts (avoiding the same username would be a great idea, too!);
  • Protect your new devices — your new phone or computer (especially corporate ones) can’t be accessed if you set up a password, PIN code, or fingerprint.

The key takeaway is to keep your accounts secure. It is crucial to drop unsafe passwords and never use the same one on every account to prevent the stolen data from causing even more harm by exposing your other accounts.

Use additional security services:

  • VPN (Virtual Private Network) encrypts the data you send and receive from the internet and changes your location. This way, you’ll remain safe on public Wi-Fi and from the prying eyes of your ISP (Internet Service Provider);
  • Antivirus will take care of any malware that might find its way into your devices;
  • Data breach checker finds out if your account details were hacked by scanning breach databases and informs you via email;
  • Password manager — use an app like NordPass, which generates a unique password and acts as a password monitor. You only need to remember the master password.

What do I do if my password has been leaked?

  • Change your password and deny cybercriminals access to your accounts using the old one;
  • Scan your device for malware;
  • Contact your bank if financial data (credit card details, etc.) could be at risk;
  • Set up 2FA on the account.

What is a leaked password list?

A leaked password list is a compilation of compromised passwords gathered from different breached databases. The most famous one these days is RockYou2021.

According to Cybernews, it is considered the largest data breach compilation of all time and was leaked on a popular hacker forum. A forum user posted a huge 100GB .txt file, and the number of passwords listed was around 8.4 billion, though the user claimed the actual number was 82 billion.

Yet it is still the largest password collection (more passwords listed than there are people living on Earth). Shocking, right?

All the compromised passwords included are 6-20 characters long, with white spaces and non-ASCII characters removed.

Here are a few examples in plain text from the RockYou2021 list:

an excerpt of leaked password list reading: $aTURdaY, $aTURdaY1, $aTU_ f, $aTU_ fn, and so on.

This should give you a better idea of how many details, including passwords, are leaked on the internet daily and how important it is to be mindful of what you share and how you protect your data.

What are the most used passwords in the world?

There are trends even in password usage. Here are the most common passwords used worldwide, according to NordPass. Is yours on the list?

  1. password;
  2. 123456;
  3. 123456789;
  4. guest;
  5. qwerty;
  6. 12345678;
  7. 111111;
  8. 12345;
  9. col123456;
  10. 123123.

Note: the dot and the semicolons are not part of the password 🙂

As you can see, they are clearly unsafe: they are short, use obvious keyboard sequences, contain only numbers or only letters, and have no upper-case letters or special symbols. Criminals can crack them in just a few seconds, so dump them, improve your password security, and don’t look back.

In the end, how serious are leaked passwords?

Very. Nowadays, our online lives are very active, and many of us have dozens of accounts. But leaked passwords lead to either exposure of sensitive information that criminals can use against you or an easy gateway to breach your other accounts. 

So, why not use Surfshark Alert to monitor and secure your personal details?



FAQ

How do hackers discover passwords?

They hack into company databases and thus commit a data breach, and your sensitive information becomes available on the internet or is sold on the dark web. Data can also leak if you install malware or get caught in phishing or other scams.

Can passwords be leaked?

Yes, they indeed can. It is best to take preventative measures like using strong passwords, enabling 2FA, and checking breach databases to see if any of yours have leaked on the internet to safeguard your accounts.

Can I find out who hacked my email?

Not unless the hackers responsible for the data breach are caught, which is very unlikely. But you can find out what site leaked your details by using a leak checker service and taking appropriate action to protect yourself.

Can I check if my password has been leaked?

Yes, you can use data breach checkers like Surfshark Alert, which processes data breach databases to check if your information got leaked. Protecting yourself against the misuse of sensitive data for identity theft, financial scams, and other crimes is essential.

How does Google know if my password is compromised?

Chrome uses the Google Password Manager. It retains saved passwords and runs them against its leaked password database. If you’re using Chrome, anytime you type in a password that’s part of a data breach, a notification will pop up saying you should change your password. You can turn off the saving feature whenever you like.
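
How a checker can test a password against a leaked-password database without ever receiving the password, as an added example that is not from the original article and is not Google's own method: it follows the hash-prefix (k-anonymity) range lookup used by HaveIBeenPwned's Pwned Passwords service, simulated offline. The corpus, its counts and all function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a breach corpus: the ten most common passwords
# listed in this article, each with a made-up occurrence count.
CONSTRUCTED_CORPUS = {
    "password": 10, "123456": 9, "123456789": 8, "guest": 7, "qwerty": 6,
    "12345678": 5, "111111": 4, "12345": 3, "col123456": 2, "123123": 1,
}
HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (used for lookup, not for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str, corpus=CONSTRUCTED_CORPUS) -> str:
    """Server side: return 'SUFFIX:COUNT' lines for every corpus hash
    that starts with the given 5-character prefix."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch=range_response) -> int:
    """Client side: only the first 5 hex characters of the hash are sent;
    the suffix comparison happens locally. Returns 0 when not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "qwerty", "*Rf2Te8PVe9!"):
        print(pw, "->", breach_count(pw))
```

Because the server only ever sees a 5-character prefix shared by many different hashes, it cannot tell which password was being checked.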