Your Credentials Are Already For Sale. Here's How to Find Out in 60 Seconds.



Action Guide  ·  Credential Risk
May 2026  ·  7 min read

Have I Been Pwned now holds over 17 billion compromised account records — including credentials from Under Armour, PayPal, and Panera in the last six months alone. The question isn't whether your employees' passwords are in a breach database. It's which ones, and whether attackers are already using them against you.


Go to haveibeenpwned.com. Type in your work email address. Hit Enter. You'll have your answer in under 60 seconds.

That answer will almost certainly be bad news. Have I Been Pwned — the world's most trusted breach database, maintained by security expert Troy Hunt since 2013 — now holds over 17 billion compromised account records from 971 breached sites. In 2025 alone, a single threat intelligence firm called Synthient aggregated nearly 2 billion unique email addresses from credential stuffing lists circulating among cybercriminals, all of which are now searchable in HIBP's database.

The question is no longer "has my email been in a breach?" For most business email addresses, it almost certainly has. The real questions are: which breaches, what passwords were exposed, and what are attackers doing with them right now against your business systems?

17B+: compromised account records now searchable in Have I Been Pwned, from 971 breached sites (HaveIBeenPwned.com, 2026)
$10: average price of a stolen credential on criminal markets, less than a lunch (Verizon DBIR 2025)
971: breached sites indexed, including PayPal and Under Armour, breached in 2025–2026 (HaveIBeenPwned.com, 2026)

What breaches have happened recently that may affect your business

Data from old breaches doesn't expire. Stolen credentials circulate for years. But several significant breaches in the last six months are worth checking specifically because they're recent enough that many businesses haven't acted on them yet.

Under Armour — 72 million accounts, November 2025

Customer data from 72 million accounts was posted to a hacker forum following a November 2025 intrusion. HIBP obtained the dataset and notified affected users. If any employees use their work email for Under Armour accounts and reuse that password, those credentials may now be in active circulation.

PayPal — Working Capital loan application breach, July–December 2025

PayPal confirmed unauthorized access running from July through December 2025. Breach notification letters went out in February 2026. Finance team members who use PayPal for business payments and reuse passwords are at specific risk.

Panera Bread — approximately 5.1 million accounts

ShinyHunters claimed theft and leaked data analyzed by HIBP at approximately 5.1 million unique accounts. If any employee has a Panera account with their work email and reuses that password, it's a direct entry point into your business systems.

Synthient Credential Stuffing Lists — 2 billion records, 2025

Threat intelligence firm Synthient aggregated nearly 2 billion unique email addresses from credential stuffing lists circulating on criminal networks. This represents aggregated credential data from dozens of sources — making it more likely your employees appear in it than in any single-site breach.

Google discontinued its Dark Web Report monitoring tool in February 2026. If any team members were relying on Google's dark web monitoring for passive breach alerts, that protection is now gone — it stopped scanning on January 15, 2026 and was removed entirely on February 16. This is an active gap that needs to be replaced with HIBP alerts or another monitoring service.

The 60-second check — step by step

Step 1: Check your own email address at haveibeenpwned.com

Start with yourself before asking anyone else to do this.
Go to haveibeenpwned.com, enter your work email address, and hit Enter. The result is immediate. If the page turns red, you'll see every breach your address appeared in, what data was exposed, and when. If it turns green, your address hasn't appeared in any publicly indexed breach — though this doesn't mean your passwords are safe, only that they haven't been found yet.
Critical note: HIBP only shows email address exposure, not passwords directly. Never enter your actual password into any breach-checking website. HIBP's separate Pwned Passwords tool (haveibeenpwned.com/Passwords) checks whether a specific password has appeared in breaches using a privacy-preserving method that doesn't send your full password to their servers.
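The privacy-preserving method behind Pwned Passwords is a k-anonymity range query: the password is hashed with SHA-1 locally, only the first five hex characters of the hash are sent to HIBP, and HIBP returns every hash suffix in that range so the match is made on your own machine. The following is an added example written for this post, not code from HIBP or from the original article. It calls the real api.pwnedpasswords.com range endpoint only when run without the `fetch` override; the sample response, its suffixes and its counts are constructed for the example and are not HIBP data.

```python
import hashlib
import urllib.request

# Added example (not code from the original post or from HIBP). It implements
# the k-anonymity range query Pwned Passwords is built on: only the first five
# hex characters of the password's SHA-1 hash leave this machine, and the
# comparison against the returned suffixes happens locally.
RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def hash_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that
    is sent to HIBP and the 35-character suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse HIBP's 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries
    (count 0, returned when Add-Padding is requested) are dropped so a padded
    dummy line can never be mistaken for a real match."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def fetch_range(prefix: str) -> str:
    """Real network call: GET the hash range for a 5-character prefix.
    Add-Padding asks HIBP to pad the response so its size reveals nothing
    about which prefix was queried."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords (0 if not
    found). `fetch` is injectable so the logic can run offline."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for the prefix "5BAA6" (SHA-1 of "password").
# Suffixes and counts are made up for this example; they are not HIBP data.
SAMPLE_RANGE_RESPONSE = (
    "0030A1E4A2C2A4F8FA3DD6E0B1B0F7F3A21:3\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:4242\n"
    "2E4C9B93F3F0682250B6CF8331B7EE68ABC:0\n"   # padding line, count 0
    "FFD5C2B3C4A1E2F3A4B5C6D7E8F9A0B1C2D:17\n"
)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE  # stays off the network
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=offline)
        print(f"{pw!r}: seen {n} time(s) in the constructed sample range")
    # breach_count("password") with no fetch= argument queries the live API.
```

Because the server only ever sees a five-character prefix shared by hundreds of hashes, it cannot tell which password was checked, which is why this check is safe where pasting a password into a web form is not.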
Step 2: Set up free breach alerts for your domain

Get notified every time any address at your domain appears in a new breach.
HIBP offers a free domain monitoring service that notifies you whenever any email address at your company domain appears in a newly indexed breach. Go to haveibeenpwned.com/DomainSearch, enter your domain (e.g. yourcompany.com), and verify ownership via email. You'll receive notifications whenever a new breach includes an address at your domain — replacing the Google Dark Web Report protection that was removed in February 2026.
Do this today: This single five-minute setup gives you continuous passive monitoring for your entire company domain. Most businesses don't have this in place.
Step 3: Ask your team to check their own addresses

Both work AND personal email addresses used for work accounts.
The breach risk isn't limited to official work email addresses. If any employee has ever used a personal Gmail or Yahoo address to sign up for a work-related tool, that address may contain work-related credentials that have been breached. Ask your team to check both their work email and any personal email they've used for work-related accounts.
Frame it correctly: Don't present this as a security audit of your employees. Present it as useful information about their own personal security, because it is. Employees who discover their personal email is in breach databases are motivated to change their habits in a way that policy documents never achieve.
Step 4: Act on what you find, with a specific priority order

Finding a breach is the start of a process, not the end.
Priority 1 — Same-day action: If the breached password is still in use anywhere, especially on any business system, your email, or any account with financial access, change it immediately on every site where it was used.
Priority 2 — This week: Enable MFA on every account associated with the breached email address. If the email account itself doesn't have MFA, it's a master key for password resets on every other account.
Priority 3 — This month: Move unique passwords into a business password manager so the reuse problem can't recur. Every breach you find is a symptom of the same underlying habit; the fix is structural, not a one-time password change.
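Once the domain alerts from step 2 start returning results for many addresses, the priority order above is easiest to apply consistently as a small triage script. The following is an added example written for this post, not code from HIBP or from the original article. Its Breach record mirrors three fields of HIBP's public breach model (Name, BreachDate, DataClasses), but the catalogue entries, the breach names and the domain-search result are constructed placeholders, and the "alias mapped to a list of breach names" shape of the domain result is an assumption made for the example; yourcompany.com is the placeholder domain the post itself uses. Breach age is used only to order the work, never to lower a priority, because the post is explicit that old breaches still matter.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not code from the original post or from HIBP. It turns
# breach results into the post's priority order. Breach mirrors HIBP's
# Name / BreachDate / DataClasses fields; all records below are constructed.


@dataclass(frozen=True)
class Breach:
    name: str
    breach_date: str               # ISO date, like HIBP's BreachDate
    data_classes: Tuple[str, ...]  # like HIBP's DataClasses


# Constructed catalogue keyed by breach name (placeholder names, made-up data).
CATALOGUE: Dict[str, Breach] = {
    "ExampleShop": Breach("ExampleShop", "2019-03-02",
                          ("Email addresses", "Passwords", "Names")),
    "ExampleForum": Breach("ExampleForum", "2025-11-20",
                           ("Email addresses", "Usernames")),
    "ExampleStealerLog": Breach("ExampleStealerLog", "2026-01-10",
                                ("Email addresses", "Passwords")),
}

# Constructed domain-search result: local part -> breach names. The shape
# (alias mapped to a list of breach names) is an assumption for this example.
DOMAIN_RESULT: Dict[str, List[str]] = {
    "alice": ["ExampleShop", "ExampleStealerLog"],
    "bob": ["ExampleForum"],
    "carol": [],
}


def triage_address(alias: str, breach_names: List[str],
                   catalogue: Dict[str, Breach],
                   domain: str) -> List[Tuple[int, str]]:
    """Map one address's breaches to the post's priorities: 1 = same-day
    password change wherever passwords leaked, 2 = MFA this week on any hit,
    3 = password manager this month. Breach age never lowers a priority."""
    address = f"{alias}@{domain}"
    breaches = [catalogue[n] for n in breach_names if n in catalogue]
    if not breaches:
        return []
    actions = []
    # Oldest first: those credentials have been circulating the longest.
    leaked_pw = sorted((b for b in breaches if "Passwords" in b.data_classes),
                       key=lambda b: b.breach_date)
    for b in leaked_pw:
        actions.append((1, f"{address}: password exposed in {b.name} "
                           f"({b.breach_date}); change it on every site it was reused"))
    actions.append((2, f"{address}: enable MFA on every account tied to this "
                       f"address, starting with the mailbox itself"))
    if leaked_pw:
        actions.append((3, f"{address}: move all passwords into the business "
                           f"password manager so reuse cannot recur"))
    return actions


def triage_domain(result: Dict[str, List[str]], catalogue: Dict[str, Breach],
                  domain: str) -> List[Tuple[int, str]]:
    """Triage every address in a domain result; actions sorted by priority."""
    actions = []
    for alias, names in result.items():
        actions.extend(triage_address(alias, names, catalogue, domain))
    return sorted(actions, key=lambda a: a[0])


def highest_priority(result: Dict[str, List[str]], catalogue: Dict[str, Breach],
                     domain: str) -> Dict[str, int]:
    """Top priority per address (0 = nothing found), for a one-line summary."""
    return {
        alias: min((p for p, _ in triage_address(alias, names, catalogue, domain)),
                   default=0)
        for alias, names in result.items()
    }


if __name__ == "__main__":
    for prio, action in triage_domain(DOMAIN_RESULT, CATALOGUE, "yourcompany.com"):
        print(f"P{prio}: {action}")
```

Run against a real domain result, the same logic gives every address a same-day, this-week or this-month list rather than a bare list of breach names, which is what makes the step-4 priorities something a small team actually finishes.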

What the results actually mean — and what they don't

Green — "No pwnage found"
Your email address hasn't appeared in any publicly indexed breach in HIBP's database. Good news — but not a guarantee. HIBP indexes known public breaches. Private dumps and undisclosed incidents won't appear. If you're seeing suspicious login attempts or unexpected password reset emails, treat those as signals regardless of HIBP's result.
Red — "Oh no — pwned!"
Your address appeared in one or more breaches. The list shows which sites, when, and what data was exposed. If the breach included passwords still in use anywhere — especially on business systems — treat them as compromised. Don't assume old breaches don't matter. Credentials from 2019 are still being tested against business systems today.
The most dangerous assumption after a green result: "We're safe." HIBP is comprehensive but not exhaustive. In January 2025 alone, 71 million email addresses from stealer logs were added to HIBP — logs that had been circulating on criminal markets for months before being indexed. The gap between a credential being stolen and appearing in HIBP can be weeks or months. Continuous monitoring, not one-time checking, is what actually closes this window.

The check your business should be running continuously — not once

A one-time breach check is better than nothing. It's not a security posture. The same way a casino doesn't check the surveillance footage once and then stop watching, credential exposure monitoring needs to be continuous — because new breaches are added to HIBP's database regularly, and the exposure from last month's breach reaches criminal markets this month.

The practical setup for an SMB is a three-layer approach: HIBP domain alerts for passive continuous monitoring, a business password manager to eliminate reuse, and MFA on every system so that even a known-breached credential can't be used without a second factor. None of these are expensive. All of them are available today. And the check that starts it all takes 60 seconds.

Platforms like Veriti Spottr surface your credential exposure as part of a continuous outside-in assessment — identifying which of your email domains appear in known breach databases as part of the same scan that looks at your open ports, your email authentication records, and your unpatched systems. Credential exposure doesn't live in isolation from your other attack surface. Knowing the whole picture is what makes the 60-second check part of a strategy rather than a one-time reaction.

The 60 seconds you owe your business

Your credentials may already be for sale. They may already be in active use against your systems. The average business takes 292 days to detect a breach originating from stolen credentials — 292 days of an attacker operating inside their systems with a valid login nobody knows is compromised.

haveibeenpwned.com. Your work email address. Enter. Sixty seconds.

That's the starting point. Everything else — the password manager, the MFA, the domain monitoring, the continuous scanning — builds from knowing what you're already exposed to. You can't fix what you don't know is broken. And right now, you have no excuse not to know.

See your full credential and attack surface exposure — not just what HIBP shows. Veriti Spottr's beta is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
