📋 HIBP Breach Catalog

Every public data breach indexed by HIBP — searchable, sortable, free.


Browse every public data breach

This page renders the full Have I Been Pwned breach catalog as a sortable, searchable table. Click any column header to sort. Use the search box to filter by service name or domain.

For each breach you'll see when it happened, how many accounts were exposed, what kind of data was leaked (passwords, addresses, phone numbers, payment info, etc.), and HIBP's verification status.

For OSINT investigations: when a target uses a service that has been breached, the data classes column tells you what types of identifiers may now be searchable in dumps. Pair this catalog with a stealer-log check (Hudson Rock) and the Pwned Passwords tool for a full breach picture.

Frequently asked questions

What is this list?
Every publicly disclosed data breach catalogued by Have I Been Pwned. Each entry includes the breach name, date, account count, types of data exposed, and verification status. The data comes from HIBP's free /api/v3/breaches endpoint and is refreshed on every page load.
What do the flags mean?
Verified = HIBP independently confirmed the breach is real and the data matches the source. Sensitive = the breach contains data that could harm someone if linked to them (e.g. Ashley Madison). Retired = data has been removed from HIBP's active store. Fabricated = the breach was claimed but evidence suggests the data is fake. Spam list = the corpus is just email addresses harvested for spam, not from a real breach. Malware = the data was harvested by stealer malware rather than from the breached service.
Can I check if my own email appears in any of these?
Yes — but not on this page. HIBP's search-by-email endpoint requires a paid API key as of late 2023 (anti-abuse measure). Visit haveibeenpwned.com directly to check an email for free.
How is this different from the Pwned Passwords tool?
Pwned Passwords checks whether a specific password (not an account) has appeared in any breach. It uses k-anonymity so the password never leaves your browser. The catalog browser here lists the breaches themselves so you can investigate which services have been compromised.
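
The flags and data classes described above can also be read programmatically. The following is an added example, not code from this page or from HIBP: it cross-references a list of services your own organisation uses against a catalog response and marks which entries are credible service breaches and which ones exposed passwords. The sample records are constructed, and the triage rule (treat Fabricated and Spam list entries as not credible, recommend a reset when "Passwords" is among the data classes) is an assumption of this example.

```python
import json

# Constructed sample in the shape of a /api/v3/breaches response. Field names
# follow HIBP's breach model; every value below is invented for this example.
SAMPLE = json.loads("""[
 {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2019-03-02",
  "PwnCount": 120000, "DataClasses": ["Email addresses", "Passwords"],
  "IsVerified": true},
 {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2021-07-15",
  "PwnCount": 50000, "DataClasses": ["Email addresses", "Physical addresses"],
  "IsVerified": true},
 {"Name": "ExampleList", "Domain": "mail.example", "BreachDate": "2020-05-01",
  "PwnCount": 900000, "DataClasses": ["Email addresses"], "IsSpamList": true},
 {"Name": "ExampleClaim", "Domain": "forum.example", "BreachDate": "2023-01-10",
  "PwnCount": 3000, "DataClasses": ["Email addresses", "Passwords"],
  "IsFabricated": true}
]""")

# Boolean fields on each breach record, mapped to the labels used in the FAQ.
FLAG_LABELS = [("IsVerified", "Verified"), ("IsSensitive", "Sensitive"),
               ("IsRetired", "Retired"), ("IsFabricated", "Fabricated"),
               ("IsSpamList", "Spam list"), ("IsMalware", "Malware")]

def flag_labels(breach):
    """Return the FAQ labels for every flag set on one breach record."""
    return [label for key, label in FLAG_LABELS if breach.get(key)]

def triage(catalog, domains_in_use, reset_classes=("Passwords",)):
    """List catalog entries for services in use, newest breach first."""
    wanted = {d.lower() for d in domains_in_use}
    rows = []
    for b in catalog:
        if (b.get("Domain") or "").lower() not in wanted:
            continue
        labels = flag_labels(b)
        # Assumption: fabricated or spam-list corpora are not service breaches.
        credible = not {"Fabricated", "Spam list"} & set(labels)
        exposed = b.get("DataClasses", [])
        rows.append({"name": b["Name"], "date": b["BreachDate"],
                     "accounts": b["PwnCount"], "flags": labels,
                     "credible": credible,
                     "reset_passwords": credible and any(c in exposed for c in reset_classes)})
    return sorted(rows, key=lambda r: r["date"], reverse=True)

if __name__ == "__main__":
    for row in triage(SAMPLE, ["forum.example", "shop.example"]):
        print(row)
```
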