Investigator Use
Have I Been Pwned is the most widely used breach notification service in the world, allowing investigators and individuals to check whether email addresses, phone numbers, and domains have appeared in known data breach datasets. Created by security researcher Troy Hunt, the platform aggregates breach data from hundreds of incidents and provides both a web interface and a public API.
What investigators use Have I Been Pwned for: verifying whether a target's email address was included in a specific breach, correlating breach exposure with credential reuse patterns, checking entire domains for exposed employee accounts, and identifying which breach datasets contain a subject's data to inform further investigation.
What data it exposes: breach name and date, number of accounts compromised, types of data included in each breach (passwords, usernames, phone numbers, physical addresses, etc.), and whether the breach data has been verified as authentic. The service also maintains a Pwned Passwords database of over 800 million compromised password hashes.
Have I Been Pwned is a critical first step in any identity-focused OSINT investigation. Knowing that a target's email appeared in a specific breach helps investigators pivot to related accounts, predict password patterns, and understand the target's risk profile. If an email appears in a breach that included usernames, those usernames may cross-reference with accounts on other platforms.
Domain search capability: the domain search feature is one of the most powerful features for corporate investigations. Enter a domain to see all known email addresses from that domain that have appeared in breaches. This can surface employee accounts, executive emails, and service accounts that weren't publicly disclosed.
API access: the Have I Been Pwned API is free for personal use with rate limiting. Bulk lookups and higher rate limits require a paid subscription. The Pwned Passwords API can be queried using k-anonymity, meaning you can check passwords without transmitting the full hash.
In a workflow: check Have I Been Pwned early in an email-based investigation before querying more invasive tools. Combine results with Emailrep for reputation scoring and DeHashed for deeper breach data including plaintext credentials from older breaches. Always note which specific breaches the email appeared in — breach context matters as much as presence.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
DeHashed
Breach & Leak OSINT
Breach intelligence service for searching exposed usernames, emails, IPs, and related data, with monitoring, API, and WHOIS features.
Digital Traces
Breach & Leak OSINT
Digital Traces provides breach intelligence and data leak monitoring for tracking credential exposure and personal data compromises.
Git Leaks
Breach & Leak OSINT
Gitleaks scans Git repositories for hardcoded secrets, API keys, and credentials to detect accidental sensitive data exposure.
Netdata Directory
Breach & Leak OSINT
Netdata Directory is a curated index of monitoring, network intelligence, and real-time data tools for infrastructure and OSINT research.