What Have I Been Pwned gives you for free
On the free tier, you typically enter an email address and receive a list of known public breaches that include that address. Each hit shows which incident was involved and what categories of data were exposed— for example passwords, geographic locations, or dates of birth—without revealing the raw leaked data itself.
For many people, that single lookup is enough to learn whether a memorable breach affects them. It does not include ongoing monitoring for new breaches, proactive alerts when a dump is added weeks later, or structured guidance on what to change first across dozens of accounts.
Where the free tier falls short
- No ongoing monitoring. You must remember to return after every major headline breach—or you may never hear that a new incident affects you.
- No notification when new breaches are added. Discovering exposure late still matters for password reuse and targeted phishing, even when the incident is old news to security teams.
- No step-by-step recovery plan. Knowing that “passwords” leaked does not tell you which accounts to rotate first or whether your MFA setup is strong enough for the risk.
- Limited business and domain context. Broad discovery across every mailbox at a company generally requires verification and a paid workflow rather than ad-hoc free lookups.
What paid HIBP adds
A paid Have I Been Pwned subscription unlocks capabilities that teams and power users need: domain-based searches (once you prove control of the domain), API access for automation, and notification paths so you are not relying on manual checks. For developers integrating breach awareness into sign-up flows or SIEM playbooks, the API alone can justify the cost.
Even with those additions, HIBP’s core product remains oriented around breach intelligence, not incident response coaching. You still will not get a tailored checklist that ranks which services to secure first or how to communicate with stakeholders after exposure.
Free alternatives that go further
If your goal is not only to know that you appeared in a dump but to act on it, combine breach data with monitoring and practical recovery steps. Our comparison of Have I Been Pwned alternatives walks through tools ranked for coverage, monitoring, and price.
On SecurityScore.me, the free experience starts with a breach-style check and surfaces actionable recovery guidance—not only a list of incident names. Paid monitoring adds scheduled rechecks and alerts when new breaches affect addresses you care about, which closes the biggest gap left by one-off HIBP lookups.
| Capability | HIBP free | SecurityScore free | SecurityScore monitoring |
|---|---|---|---|
| Single-email breach lookup | Yes | Yes | Yes |
| Recovery-oriented guidance | Limited | Yes | Yes |
| Alerts for new breaches | No | No | Yes |
| Ongoing scheduled rechecks | No | No | Yes |
Who should pay for HIBP vs use an alternative
Developers and enterprises that need verified domain coverage, high-volume API queries, or tight integration with internal tooling often get the most value from paid HIBP. It is a mature data source with predictable semantics for engineers.
Individuals and small teams frequently benefit more from a product that layers monitoring and plain-language recovery steps on top of breach data— especially when nobody in the org has time to interpret raw breach names after every incident.
Check your email free on SecurityScore.me
Run a free breach check and see prioritized steps you can take today. Upgrade when you want monitoring and alerts instead of periodic manual lookups.
FAQ
Is Have I Been Pwned completely free to use?
You can look up a single email against known public breaches at no cost. Ongoing monitoring, domain-wide visibility, API access, and many enterprise workflows require a paid subscription.
Does free HIBP send alerts when new breaches appear?
No. The standard free experience is a manual lookup each time you visit. Notifications and automated rechecks are part of the paid service.
What is missing from HIBP after a breach is found?
HIBP tells you which breaches involved your address and the categories of data exposed. It does not walk you through prioritized recovery steps, affected account checklists, or team workflows.
When is HIBP paid a good fit?
Developers needing API access, security teams validating many addresses, and organizations wanting domain-level discovery with notifications often justify paid HIBP.
Where can I compare free alternatives in detail?
See our guide to the best Have I Been Pwned alternatives for monitoring, pricing, and recovery-focused tools.