How to Check if Your Email Has Been Hacked: Complete Guide
To check if your email has been hacked, run it through a breach scanner like Kaval (which checks data breaches and stealer logs) or Have I Been Pwned. Signs of compromise include password reset emails you didn’t request, login alerts from unknown locations, and emails in your Sent folder you didn’t write.
You probably signed up for dozens of services with the same email address over the years. Maybe hundreds. Every one of those services is a potential leak. And when they get breached — which they do, constantly — your email and password end up in a database that anyone can buy for a few dollars.
You don’t get hacked by some genius in a hoodie targeting you specifically. You get hacked because some company you forgot you signed up for stored your password in plaintext, got breached, and now your credentials are floating around Telegram channels.
So. Is your email in one of those databases? Here’s how to find out, and what to do about it.
Signs Your Email Is Already Compromised
Before running any breach check, see if anything already looks off.
Password reset emails you didn’t request. Someone’s trying to get into accounts tied to your email. This is usually the first sign.
Emails in your Sent folder you didn’t write. Especially ones with links or asking people for money. If you see these, your account is actively being used by someone else. Act now.
Login alerts from places you’ve never been. Most email providers notify you about new device logins. Getting alerts from a city in another country? Yeah, that’s not you.
Friends telling you you’re sending them weird stuff. Attackers love using compromised accounts to phish your contact list. If your coworker asks why you sent them a link to “verify their account,” you have a problem.
Email forwarding rules you didn’t set up. This one’s sneaky. Attackers create forwarding rules to silently copy your incoming mail. Check your settings — if there’s a forwarding address you don’t recognize, someone’s been reading your emails.
You’re locked out entirely. The most obvious sign. If your password doesn’t work and your recovery options have been changed, an attacker has taken over.
If any of this sounds familiar, jump straight to what to do about it.
How to Check if Your Email Was in a Data Breach
Even if everything looks normal, your credentials could still be sitting in a leaked database somewhere. Here’s how to check.
1. Kaval — AI-Powered Breach and Exposure Scanner
Kaval checks your email against known data breaches, stealer logs, and dark web exposure databases. It goes deeper than most breach checkers.
How to use it:
- Visit kaval.chat or message the Kaval WhatsApp bot
- Type your email address or ask “Has my email been hacked?”
- Kaval scans breach databases and stealer log collections
- You get a report: which breaches your email appeared in, what data was exposed (password, phone number, address), and how recently
The stealer log coverage is the big differentiator here. Most tools skip this entirely. Stealer logs are credentials harvested by malware directly from people’s browsers — and unlike database breaches where passwords are usually hashed, stealer logs contain your actual plaintext password. That makes them significantly more dangerous.
Kaval also does fact-checking, deepfake detection, and URL safety analysis, so it’s useful beyond just breach scanning.
2. Have I Been Pwned (HIBP)
Have I Been Pwned is the OG breach notification service. Security researcher Troy Hunt built it, and it now tracks over 14 billion breached accounts.
How to use it:
- Go to haveibeenpwned.com
- Enter your email address
- See which breaches included your email
HIBP is great at telling you exactly which breaches you’re in, and it’ll notify you about future ones too. The limitation: it mostly covers large, publicly disclosed breaches. Smaller leaks and stealer log data often aren’t included.
3. Firefox Monitor
Firefox Monitor is Mozilla’s tool, powered by HIBP’s database. Same core data, cleaner interface, and you can monitor multiple email addresses if you have a Firefox account.
How to use it:
- Visit monitor.firefox.com
- Enter your email address
- Review results and set up monitoring
Convenient if you’re already in the Firefox ecosystem.
Which Tool Should You Use?
Use more than one. Seriously. Start with Kaval for stealer log coverage, then cross-reference with HIBP. Different tools index different datasets, so checking multiple sources gives you a fuller picture.
What to Do if Your Email Was Breached
Found your email in a breach? Don’t spiral. But do move quickly.
Step 1: Change Your Password Immediately
Change the password on the breached account first. Then change it on every other account where you used the same password. (And be honest with yourself about how many that is.)
Make your new password:
- At least 16 characters. Length beats complexity. correct-horse-battery-staple is stronger than P@ssw0rd! even though it looks simpler.
- Unique to each account. If you reuse passwords and one leaks, every account sharing that password is now exposed.
- Generated by a password manager. Bitwarden is free and open-source. 1Password is excellent. Chrome, Safari, and Firefox all have decent built-in managers too.
Step 2: Turn on Two-Factor Authentication (2FA)
2FA means even if someone has your password, they still can’t get in without the second factor.
Ranked from best to worst:
- Hardware security keys (YubiKey, Google Titan) — phishing-resistant, the gold standard
- Authenticator apps (Google Authenticator, Authy) — codes that rotate every 30 seconds, solid option
- SMS codes — better than nothing, but vulnerable to SIM swapping
Start with your email account. Email is the master key to everything else — if someone controls your email, they can reset passwords on all your other accounts.
Step 3: Check Connected Apps and Forwarding Rules
Your email probably has a bunch of third-party apps connected to it. Go through them and revoke anything you don’t recognize or don’t use anymore.
- Gmail: myaccount.google.com > Security > Third-party apps with account access
- Outlook: account.microsoft.com > Privacy > App access
- Yahoo: login.yahoo.com > Account Security > Manage app passwords
Also check for forwarding rules. In Gmail: Settings > Forwarding and POP/IMAP. In Outlook: Settings > Mail > Forwarding. Delete any forwarding addresses you didn’t add.
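If you manage several mailboxes, the forwarding check in this step can be scripted. The following is an added example, not part of the original guide: it audits an exported settings snapshot for forwarding targets you do not control. The inner field names follow the Gmail API (autoForwarding, forwardingAddresses, filter action.forward); the combined snapshot layout, the addresses and the function names are assumptions made for illustration.

```python
def normalize(addr):
    """Lower-case and trim so 'Alex@Example.com ' still matches the allowlist."""
    return (addr or "").strip().lower()

def audit_forwarding(settings, owner_addresses):
    """Return (source, target, detail) for every forward target not owned by you."""
    allowed = {normalize(a) for a in owner_addresses}
    findings = []
    # 1. Account-wide forwarding copies every incoming message.
    auto = settings.get("autoForwarding", {})
    target = normalize(auto.get("emailAddress"))
    if auto.get("enabled") and target not in allowed:
        findings.append(("auto-forwarding", target, "copies all incoming mail"))
    # 2. Registered forwarding addresses can be reused by any rule later.
    for entry in settings.get("forwardingAddresses", []):
        target = normalize(entry.get("forwardingEmail"))
        if target and target not in allowed:
            status = entry.get("verificationStatus", "unknown")
            findings.append(("registered address", target, f"status={status}"))
    # 3. Filters forward only matching mail, so they are easy to overlook.
    for flt in settings.get("filters", []):
        target = normalize(flt.get("action", {}).get("forward"))
        if target and target not in allowed:
            criteria = flt.get("criteria", {})
            detail = ", ".join(f"{k}={v}" for k, v in sorted(criteria.items()))
            findings.append((f"filter {flt.get('id', '?')}", target,
                             "matches " + (detail or "all mail")))
    return findings

# Constructed sample snapshot (not real data).
OWNER_ADDRESSES = {"alex@example.com", "alex.backup@example.org"}
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": False, "emailAddress": ""},
    "forwardingAddresses": [
        {"forwardingEmail": "alex.backup@example.org", "verificationStatus": "accepted"},
        {"forwardingEmail": "Collector@Mail.example", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "f1", "criteria": {"from": "newsletter@example.net"},
         "action": {"addLabelIds": ["Label_7"]}},
        {"id": "f2", "criteria": {"to": "alex@example.com"},
         "action": {"forward": "collector@mail.example"}},
        {"id": "f3", "criteria": {"from": "bank@example.net"},
         "action": {"forward": "alex.backup@example.org"}},
    ],
}

if __name__ == "__main__":
    for source, target, detail in audit_forwarding(SAMPLE_SETTINGS, OWNER_ADDRESSES):
        print(f"REVIEW {source}: {target} ({detail})")
```

Anything the audit reports should be deleted in the provider's settings and followed by a password change, since the rule was created by someone with access to the account.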
Step 4: Check Your Financial Accounts
If the breach exposed financial info, or if you used the same password for banking (please stop doing this):
- Review recent transactions on your bank accounts
- Set up transaction alerts
- In the US, consider a fraud alert or credit freeze with Equifax, Experian, and TransUnion
Step 5: Warn Your Contacts
If your email was actively taken over (not just found in a database), let people know. A quick “ignore any weird emails from me recently” message prevents your contacts from falling for phishing attacks sent from your account.
Protecting Your Email Going Forward
Here’s what actually moves the needle on email security.
Use a Password Manager
If you do one thing from this entire article, do this. A password manager kills password reuse, generates strong passwords automatically, and means you only need to remember one master password.
Good options:
- Bitwarden — free, open-source, works everywhere
- 1Password — great UX, family sharing, breach alerts built in
- Apple Keychain — seamless if you’re all-in on Apple
Enable 2FA Everywhere
Prioritize in this order:
- Email accounts
- Banking and financial services
- Social media
- Cloud storage (Google Drive, Dropbox, iCloud)
Watch Out for Phishing
Most email compromises start with a phishing email. Before clicking any link: check the sender’s actual email address (not the display name), hover over links to preview the URL, and be skeptical of anything urgent. If you’re unsure about a link, check it with Kaval before clicking.
Set Up Ongoing Monitoring
Don’t wait for something to break.
- Kaval: Periodic checks via kaval.chat or the WhatsApp bot
- HIBP: Subscribe to notifications at haveibeenpwned.com
- Firefox Monitor: Enable continuous monitoring through your Firefox account
Use Email Aliases
Services like Apple’s Hide My Email, Firefox Relay, and SimpleLogin let you create a unique alias for each service you sign up for. If an alias shows up in a breach, you know exactly which service leaked it — and you can kill that alias without touching your main email.
Keep Your Devices Clean
Stealer malware is a growing problem. It quietly grabs saved passwords, cookies, and session tokens from your browser. Basic hygiene:
- Keep your OS and browser updated
- Don’t install software from sketchy sources
- Use reputable antivirus software
- Be picky about browser extensions — stick to verified publishers
FAQ
How often should I check for email breaches?
Every few months, or whenever a big breach makes the news. Even better, set up automatic monitoring — Have I Been Pwned will email you when your address shows up in a new breach. Periodically check Kaval too, especially for stealer log exposure that other services might miss.
Can hackers see my actual password from a breach?
Depends on the company. Good companies hash passwords with strong algorithms (bcrypt, Argon2) that are extremely hard to reverse. But plenty of breaches involve weak hashing (MD5, SHA-1) or — depressingly — plaintext storage where your password is right there in the open. Stealer logs are the worst case: they always contain plaintext passwords because the malware captures exactly what you type. This is why unique passwords matter so much. One leak shouldn’t compromise everything.
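To make the difference between weak and strong storage concrete, here is an added example (not from the original article) that stores the same constructed accounts both ways and shows what a leaked table reveals. scrypt from the Python standard library stands in for bcrypt and Argon2, which need third-party packages; the user names, passwords and function names are made up for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def md5_record(password):
    """Weak storage named in the FAQ: fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Salted, memory-hard storage; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)

def users_sharing_a_record(table):
    """Group users whose stored value is identical, which exposes a shared password."""
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two users picked the same password.
SAMPLE_USERS = {"ana": "sunshine2024", "ben": "sunshine2024", "cy": "n7!vQ-lamp-orbit"}

def build_tables(users=SAMPLE_USERS):
    """Return the same accounts stored as unsalted MD5 and as salted scrypt."""
    md5_table = {u: md5_record(p) for u, p in users.items()}
    scrypt_table = {u: scrypt_record(p) for u, p in users.items()}
    return md5_table, scrypt_table

if __name__ == "__main__":
    md5_table, scrypt_table = build_tables()
    print("MD5 table, identical records:", users_sharing_a_record(md5_table))
    print("scrypt table, identical records:", users_sharing_a_record(scrypt_table))
    print("login still works:", scrypt_verify("sunshine2024", *scrypt_table["ana"]))
```

In the MD5 table the two reused passwords collapse to one value, so a single recovered digest exposes every account that shares it; with a per-user salt and a slow function each record has to be attacked separately.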
What’s a stealer log and why should I care?
A stealer log is a collection of data harvested by info-stealing malware (RedLine, Raccoon, Lumma, etc.). Unlike a traditional breach where a company’s database gets hacked, stealer logs come from malware on individual people’s computers. The malware exports your saved passwords, autofill data, session cookies, sometimes even crypto wallet files. These logs get sold in bulk on dark web markets and Telegram channels. They’re particularly nasty because they contain plaintext credentials for every site you were logged into, and the session cookies can sometimes bypass 2FA entirely. Kaval checks stealer log databases alongside traditional breach data.
Your email is the skeleton key to your digital life. A compromised email account can cascade into lost social media, drained bank accounts, and identity theft. Checking takes less than a minute.
Visit kaval.chat to scan your email for breach and stealer log exposure, or message the Kaval WhatsApp bot to check from your phone. Better to know now than find out the hard way.