Has Your Password Been Hacked? Here's How to Check in 60 Seconds
You use the same password for your email, your banking app, maybe your Singpass or MySejahtera login too. Sound familiar?
Here's the uncomfortable truth: there's a good chance that password is already floating around the internet right now — and you'd have no idea.
Every few months, a major company gets hacked. Their databases get dumped online. Millions of usernames and passwords get shared on dark web forums. And while companies eventually send out "we take your security seriously" emails, by then your credentials may have already been sold, traded, or used.
The good news? You can find out if yours is among them — in under 60 seconds, for free.
Step 1: Go to HaveIBeenPwned.com
Head over to haveibeenpwned.com — this is a free, legitimate website run by Troy Hunt, one of the world's most respected cybersecurity researchers. It's not a scam. It's used by governments and tech companies worldwide.
Type in your email address and hit "pwned?"
That's it.
What the results mean
If you see green — "Good news — no pwnage found!"
Your email wasn't found in any known data breach. Great. But keep reading — you still need to check your other email addresses, and your passwords separately.
If you see red — "Oh no — pwned!"
Your email appeared in one or more data breaches. The site will tell you exactly which ones — maybe it was LinkedIn in 2016, Canva in 2019, or a Singaporean e-commerce site you'd completely forgotten about.
This doesn't automatically mean someone has broken into your accounts. But it means your details are out there, and you need to act now.
Step 2: Check your passwords too
Here's what most people miss — you can also check if a specific password has been exposed, without anyone ever knowing what your password is. (The site uses a clever trick called "k-anonymity" that protects your privacy while still checking.)
Go to haveibeenpwned.com/passwords and type in any password you currently use.
If it comes back with a number — say "this password has been seen 45,821 times" — that means it's in hacker databases. Stop using it immediately, everywhere.
Step 3: If you've been breached, do these 3 things right now
1. Change the password on the breached account immediately.
Don't reuse an old one. Make it long and random — at least 14 characters, mixing letters, numbers, and symbols.
2. Change that same password everywhere else you used it.
This is the painful part. If you used "YourDog2019!" on Gmail, Lazada, Shopee, and your internet banking — change all of them. Hackers know people reuse passwords. They try the same one across hundreds of sites automatically. It's called "credential stuffing" and it works depressingly well.
3. Turn on two-factor authentication (2FA) on your most important accounts.
Even if a hacker has your password, 2FA stops them cold. They'd need your phone too. Enable it on your email, banking apps, and social media first. Look for "Security" in your account settings — it's usually just a toggle.
The real reason this happens (and why it's not your fault)
When you sign up for a website, they store your details in their database. If that company gets hacked — and thousands of companies do, every year — your email and password go with it.
You did nothing wrong. But you do need to clean it up.
This is why security professionals like myself push so hard for one simple habit: never reuse passwords. Each account should have its own unique password. It sounds impossible to remember, but that's exactly what password managers are for — tools like 1Password, Bitwarden (free), or Dashlane store all your passwords securely so you only need to remember one master password.
Quick summary — your 60-second security check
| Step | What to do | Time |
|---|---|---|
| 1 | Go to haveibeenpwned.com, enter your email | 20 seconds |
| 2 | Check your passwords at haveibeenpwned.com/passwords | 20 seconds |
| 3 | If breached: change passwords + turn on 2FA | 10–30 minutes |
One more thing — check your other emails too
Most of us have 2–3 email addresses. An old Hotmail account from 2008. A Gmail you use for "junk" signups. Check all of them. Those old accounts often have the weakest passwords and haven't been touched in years — which makes them easy targets.
If this article helped you, share it with one person who might not know about this. It takes 60 seconds and could save them a lot of grief.
Next up: 5 things to do right now to secure your phone (takes 10 minutes)
Written by a cybersecurity professional working in Identity & Access Management in Singapore. LockItDown.blog explains digital security for real people — no jargon, no fear, just fixes.