Most people treat old data breaches as yesterday’s problem. If the breach happened years ago, it’s easy to assume the risk has passed. Right?
It hasn’t.
Stolen data can be copied, sold, and reused long after the original breach. That matters because old email addresses, usernames, and passwords are often tested against current accounts.
Luckily, you can run a quick email breach check at a site called Have I Been Pwned to see whether your details have been exposed.
In this article, we’ll explain what that check means, why old breaches still matter, and what to do if your email address appears.
What Have I Been Pwned does
Have I Been Pwned is a free website. Enter an email address, and it checks whether that address appeared in any known data breach. If it has, you’ll usually see:
- Which breach exposed your data
- What type of information was involved (passwords, usernames, phone numbers, dates of birth)
This doesn’t automatically mean someone is inside your account right now, or that your current password was stolen. But it does mean your details were exposed once, and that’s enough to act on.
For a business, this email breach check is useful as a quick warning sign. If a work email has appeared in a breach, that account deserves attention. If several staff addresses appear, it’s worth reviewing password habits and multi-factor authentication across the business.
Pro tip: Check more than just your own email. If you manage IT for a small team, run your key staff addresses through the tool too (particularly finance staff, directors, and anyone with admin access).

Why old breaches still matter
An old breach can create a current security risk.
The LinkedIn breach is an (in)famous example. LinkedIn was originally hacked in 2012, but the data stayed largely hidden until it was offered for sale in 2016, exposing around 117 million email addresses and passwords.
Someone might have changed jobs or moved to Microsoft 365 years later, but if they reused the same password, that old breach data could still open doors today.
This is why password reuse is so dangerous.
Criminals don’t guess from scratch. They take email and password combinations from one breached service and test them against others: cloud storage, accounting software, email accounts, admin portals. This is called credential stuffing, and it’s largely automated.
For small businesses, the risk often starts somewhere ordinary:
- A staff member uses the same password for LinkedIn, personal email, and their work account
- Years later, an attacker finds the exposed password in a breach database
- They try it against Microsoft 365
- Without multi-factor authentication, the account is open
The breach is old. The risk isn’t.
Pro tip: Even if a password has been changed since a breach, check whether the same password (or a variation of it) is still in use elsewhere. Attackers know that people tend to add a number or symbol to an old password rather than replace it entirely.
What this means for your business
If an attacker gets into a staff inbox, the consequences go well beyond that one account. From a compromised email, they can:
- Read customer emails and harvest sensitive information
- Reset passwords for other services linked to that inbox
- Access shared files and cloud storage
- Send convincing messages from a trusted account to customers or suppliers
- Request payments or attempt to redirect bank details
Because the message comes from a real business email address, it looks far more believable than a standard phishing attempt.
This is why breach checks shouldn’t be treated as a personal security task. If your team uses email, cloud tools, shared documents, or finance systems, exposed credentials become a business risk.
Pro tip: Microsoft 365 sign-in logs can show you whether anyone has logged into a work account from an unfamiliar location or device. If you’ve never checked these, it’s worth a look (especially for any account that appears in a breach).

If your email appears in a breach
Don’t ignore it. Here’s what to do:
- Change reused passwords immediately. Every account should have its own unique password. If the breached account used a password you’ve also used elsewhere, those need to change too.
- Turn on 2FA or MFA. Two-factor authentication adds another step when signing in — usually a code, app prompt, or passkey. A stolen password alone won’t be enough. Prioritise this for Microsoft 365, email, finance tools, and cloud storage.
- Check recent sign-in activity. Look for unfamiliar locations, devices, failed sign-in attempts, or any signs of unauthorised access.
- Think about where that email is connected. Cloud storage, accounting software, CRM tools, supplier accounts. If the same password was used anywhere else, those services need attention too.
- Tell your IT support provider. If this is a work email, your IT support provider can check sign-in logs, reset sessions, review security settings, and properly protect the account.
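The sign-in review from the earlier pro tip and the "Check recent sign-in activity" step can be partly automated once the logs are exported. This is an added example, not Operum Tech's or Microsoft's code: it assumes records that use Microsoft Graph signIn field names, and the helper names (rec, triage), the sample records and the breached-address list are all constructed for illustration.

```python
from collections import defaultdict

def rec(ts, upn, country, os_name, code):
    """Constructed record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "location": {"countryOrRegion": country},
            "deviceDetail": {"operatingSystem": os_name}, "status": {"errorCode": code}}

SAMPLE = [  # constructed data: every address, time and value is made up
    rec("2024-05-01T08:02:11Z", "finance@example.com", "GB", "Windows 10", 0),
    rec("2024-05-03T02:14:09Z", "finance@example.com", "US", "Linux", 50126),
    rec("2024-05-03T02:14:31Z", "finance@example.com", "US", "Linux", 50126),
    rec("2024-05-03T02:15:02Z", "finance@example.com", "US", "Linux", 0),
    rec("2024-05-03T09:00:00Z", "sales@example.com", "FR", "Windows 10", 0)]
BREACHED = {"finance@example.com"}  # addresses the breach check flagged

def triage(sign_ins, breached, baseline_until):
    """Flag unusual sign-ins on breached accounts (UTC ISO 8601 timestamps)."""
    seen = defaultdict(set)      # upn -> {(country, os)} seen during baseline
    failures = defaultdict(int)  # upn -> failed attempts since last success
    findings = []
    for s in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        upn = s["userPrincipalName"].lower()
        country = s["location"]["countryOrRegion"]
        os_name = s["deviceDetail"]["operatingSystem"]
        ok = s["status"]["errorCode"] == 0  # 0 = success, anything else failed
        if s["createdDateTime"] <= baseline_until:
            if ok:  # only successful sign-ins define "normal"
                seen[upn].add((country, os_name))
            continue
        if upn not in breached:
            continue
        if not ok:
            failures[upn] += 1
            continue
        reasons = []
        if country not in {c for c, _ in seen[upn]}:
            reasons.append("new country " + country)
        if os_name not in {o for _, o in seen[upn]}:
            reasons.append("new OS " + os_name)
        if failures[upn]:
            reasons.append(f"{failures[upn]} failed attempts before success")
        failures[upn] = 0
        if reasons:
            findings.append((s["createdDateTime"], upn, reasons))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, BREACHED, "2024-05-02T23:59:59Z"))
```

A finding is a prompt to reset the password, revoke sessions and review the account, not proof of compromise; staff travel and new devices will also appear here.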
Building better security habits
A breach check takes a minute. The value comes from what follows.
- Unique passwords for every account. A password manager removes the need to remember them all — staff just remember one strong master password.
- MFA wherever possible, especially for Microsoft 365, email, finance tools, and admin accounts.
- Security keys for higher-risk users — directors, finance staff, office managers. These physical devices confirm the person signing in is genuine, even if their password has been stolen.
- Review your password policy. Forcing staff to change passwords every few weeks tends to produce worse habits, not better ones. Long, unique passwords stored in a manager, protected by MFA, are more secure than frequently rotated ones.
- Build breach checks into onboarding. When new staff join, check whether their work email has appeared in a known breach before giving them access to key systems.
Pro tip: The National Cyber Security Centre’s password guidance is free, practical, and written for organisations rather than security specialists. Well worth sharing with anyone who manages staff accounts.
How we can help
Changing one password may deal with the immediate issue, but it won’t always tell you whether the account has been accessed, whether other services are exposed, or whether your Microsoft 365 setup is strong enough to reduce the risk of it happening again.
Operum Tech can help you:
- Review Microsoft 365 sign-in activity for suspicious attempts, unfamiliar locations, and other warning signs
- Secure exposed work accounts by resetting passwords, revoking active sessions, and checking for unauthorised forwarding rules
- Improve MFA setup across key accounts and help staff move away from reused passwords
- Add extra protection for higher-risk users, including directors, finance staff, office managers, and administrators
- Build safer account security into staff onboarding, offboarding, and regular IT reviews
Old breach data only becomes a business problem when it still works somewhere.
Get in touch and we’ll help you close the gaps before attackers can use them.