🚨 Has Your Password Been Stolen? 5 Simple Checks to Do Right Now
Here's a number that might make you pause: in the past year alone, over 2.8 billion usernames and passwords were stolen by cybercriminals, according to a report from KELA cited by Forbes. That's not a typo — 2.8 billion with a B. If that sounds overwhelming, you're not alone. Most people have no idea whether their passwords have been stolen until something bad happens. The good news is you don't need to be a tech expert to find out. There are a few quick checks anyone can do in under five minutes.
Start with a free breach checker
The easiest way to find out if your details have been leaked is a website called Have I Been Pwned (it's free, no sign-up needed). Just type in your email address and it'll tell you if any accounts linked to that email have appeared in known data breaches. We tested it on a few of our own older accounts and found one from a breach we'd completely forgotten about — a forum we signed up for in 2018 that got hacked years ago.
If your email shows up in any breaches, don't panic. It doesn't automatically mean someone has accessed your accounts. But it does mean your password for that site is floating around out there, and you need to change it right away. For a step-by-step guide on what to do next, see our guide on what to do if you think you've been hacked.
Look for these warning signs
Sometimes your password gets stolen and you'd never know unless you're paying attention. Here are the signs to watch for:
- You get password reset emails you didn't ask for. Someone may be trying to break into your account.
- You see logins from places you don't recognise. Most big services like Google and Facebook show you where recent logins came from.
- Friends get strange messages from you. If someone's using your account, they'll often try to spread spam or scam messages to your contacts.
- Things look different. Changed settings, deleted emails, or purchases you don't remember making are all red flags.
We hear from readers all the time who noticed something was off but didn't act quickly enough. One reader told us recently that they ignored a password reset email for two days — by the time they checked, someone had ordered £80 worth of goods from their Amazon account. The lesson: if something looks strange, check it immediately.
What to do if your password has been stolen
If you find out your details have been leaked, here's what to do in order:
- Change that password right now. Use our free password generator on the homepage to create a strong replacement. Make it at least 12 characters.
- Check if you used that password anywhere else. This is the most important step. If you reuse passwords and one site gets hacked, every account using that same password is at risk. We explain why in our article on why you need a different password for every website.
- Turn on two-factor authentication. This adds a second check — usually a code sent to your phone — so even if someone has your password, they can't get in without that extra step. Here's our simple guide to setting up two-factor authentication.
- Log out of all devices. Most websites have a setting that lets you sign out everywhere at once. Use it to kick out anyone who might have got in.
If this all feels like a lot to remember, start with just the first step. Changing the password immediately stops most attacks in their tracks. You can worry about two-factor and device sign-outs after. For a reliable option, the best password generator online creates strong random passwords instantly in your browser.
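The second step above can be done mechanically if you already use a password manager. This is an added example, not code from this site: it reads a CSV export and lists every other account that shares the breached account's password. The column names (name, username, password) and the sample rows are constructed assumptions, so adjust them to match your manager's export and delete the export file when you are done.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; real managers use similar but not identical columns.
SAMPLE_EXPORT = """name,username,password
oldforum.example,sam@example.com,Summer2018!
shop.example,sam@example.com,Summer2018!
mail.example,sam@example.com,kT7#vQ2p-Lm9x-Rw4z
bank.example,sam,Summer2018!
video.example,sam@example.com,river-otter-candle-77
"""


def _fingerprint(password: str) -> str:
    # Group by digest so the plaintext is never used as a key or printed.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load_groups(export_file):
    """Map password fingerprint -> sorted list of account names using it."""
    groups = defaultdict(list)
    for row in csv.DictReader(export_file):
        if row.get("password"):
            groups[_fingerprint(row["password"])].append(row["name"])
    return {fp: sorted(names) for fp, names in groups.items()}


def accounts_to_change(export_file, breached_account):
    """Return other accounts that share the breached account's password."""
    groups = load_groups(export_file)
    for names in groups.values():
        if breached_account in names:
            return [n for n in names if n != breached_account]
    raise KeyError(f"{breached_account!r} not found in export")


def reused_groups(export_file):
    """Return every group of two or more accounts sharing one password."""
    return sorted(n for n in load_groups(export_file).values() if len(n) > 1)


if __name__ == "__main__":
    todo = accounts_to_change(io.StringIO(SAMPLE_EXPORT), "oldforum.example")
    print("Also change the password on:", ", ".join(todo))
```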
Why 2026 is a record year for stolen passwords
You might be wondering why this is happening more than ever. The answer is simple: more data is out there, and criminals are getting better at using it. The 2.8 billion figure from KELA's report covers credentials stolen through data breaches, malware, and phishing attacks. That's on top of the 16 billion passwords from older breaches that are still being traded and reused by attackers today — we covered this in our common password mistakes guide.
What's changed in 2026 is the speed at which stolen credentials get weaponised. A credential stuffing attack — where criminals use automated tools to try stolen usernames and passwords across hundreds of websites — can happen within hours of a breach being disclosed. The NCSC in the UK has warned that these attacks now account for a significant majority of account takeovers. If that sounds worrying, it should — but it's also entirely preventable with the habits below.
Simple habits that keep you safe
You don't need to become a cybersecurity expert to protect yourself. These four habits make a real difference:
- Use a unique password for every account. This is the single most important rule. A password manager makes this easy. If you're not sure which one to pick, have a look at our recommendations for the best free password managers.
- Make passwords long. Aim for at least 12 characters. A short phrase like correct-horse-battery-staple is better than a short random string. Learn more in our simple guide to what makes a password strong.
- Check your email on Have I Been Pwned once a month. It takes 10 seconds. Set a reminder on your phone if you need to.
- Turn on two-factor authentication everywhere it's offered. It's the closest thing to a security guarantee you'll find online.
We'll be honest with you: building these habits takes a bit of effort at first, especially if you've been using the same password for everything for years. But once you've got a password manager set up and two-factor enabled on your main accounts, the day-to-day is actually easier than what you're doing now. No more trying to remember which variation of your birthday you used for which site. No more resetting forgotten passwords every time you log in.
The reality is that data breaches aren't going away. But knowing whether your passwords have been stolen — and knowing what to do about it — puts you ahead of most people. Those five minutes it takes to check could save you hours of hassle later.
Frequently asked questions
Is Have I Been Pwned safe to use?
Yes. It's run by security expert Troy Hunt and doesn't store your search history. It's widely recommended by cybersecurity organisations worldwide.
What if my email doesn't show up in any breaches?
That's good news, but it doesn't mean you're completely safe. New breaches happen all the time, so check periodically.
Should I change all my passwords if one gets stolen?
Only the ones that share the same password. If you used unique passwords for each account, you only need to change the compromised one.
How do I create a password that's hard to steal?
Use our free password generator on the homepage — it creates strong random passwords instantly. Make sure it's at least 12 characters long.
Is two-factor authentication really necessary?
According to Microsoft, it blocks 99.9% of automated attacks. We'd say that makes it well worth the extra few seconds.
What's credential stuffing?
It's when criminals use stolen username and password pairs from one breach to try logging into other websites. It's one of the most common attack methods in 2026, which is why using unique passwords for every site is so important.