Have I Been Pwned
Check if email or password has appeared in a data breach
Have I Been Pwned (HIBP) is Troy Hunt's widely-trusted service for checking whether email addresses, passwords, or phone numbers have been exposed in data breaches. The API provides breach lookups by email, password hash checking via k-anonymity (your password never leaves your machine), paste monitoring, and breach metadata for 700+ breaches covering billions of accounts.
For OpenClaw agents, HIBP enables security-aware workflows. Your agent can periodically check your email addresses against new breaches, verify passwords aren't compromised before use, or build security audit skills that scan team email domains for exposure — all while preserving privacy through the k-anonymity model.
Tags: security
Category: Security
Use Cases
- Periodically check your email addresses for new data breach exposures
- Verify passwords aren't compromised using the k-anonymity password API
- Build a security audit skill that checks team emails for breach exposure
Tips
- Use the free Pwned Passwords API for password health checks — no key needed
- Set up a monthly cron job to check your important emails for new breach exposure
- The domain search endpoint is powerful for checking all emails on your domain at once
Known Issues & Gotchas
- Email breach lookup requires a paid API key ($3.50/mo) — password checking is free
- Rate limited to 10 requests/minute even with paid key
- Must include a user-agent header or requests are rejected
Frequently Asked Questions
Is the password check safe — does my password get sent to HIBP?
No. HIBP uses k-anonymity: you hash your password locally with SHA-1, send only the first 5 hex characters of that hash, and HIBP returns every hash suffix in its corpus that shares that 5-character prefix; the comparison against your full hash happens on your side. Your actual password never leaves your machine.
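The k-anonymity exchange described above, as an added example (not code from the page or from HIBP): the password is hashed locally, only the 5-character prefix is sent, and the returned `SUFFIX:COUNT` lines are matched locally. The response body below is constructed for offline use and its counts are not real HIBP data; `fetch_range_live` shows the real `https://api.pwnedpasswords.com/range/{prefix}` call with the User-Agent header the Known Issues section says is required, and is only used if you pass it in.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample response for prefix "5BAA6" (not real HIBP data).
# The range endpoint returns one "<35-hex-char suffix>:<count>" line per hash
# that shares the requested prefix; the first line matches SHA-1("password").
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in breaches (0 = not found).

    fetch_range(prefix) -> response body; only the prefix ever leaves this function.
    """
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def fetch_range_live(prefix: str, user_agent: str = "example-hibp-check") -> str:
    """Real Pwned Passwords call; no API key needed, but a User-Agent header is required."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed response above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Swap fetch_range_sample for fetch_range_live to query the real service.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_sample)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Note that the `fetch_range` argument is injected so the same `breach_count` can be unit-tested against a canned response and run against the live endpoint unchanged; a sensible check before accepting a credential is simply `breach_count(pw, fetch_range_live) == 0`.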
Do I need a paid API key for all endpoints?
No. The Pwned Passwords API (password checking) is completely free with no key. Only email breach lookups and domain search require the $3.50/month API key.
How quickly are new breaches added?
Troy Hunt manually verifies and adds breaches, usually within days to weeks of public disclosure. HIBP is considered the gold standard for breach notification timeliness.