Email Address Breach Summary and Analysis
WARNING: This service may be out of order!
Beware if 0 Breaches are consistently detected.
We are working to resolve the issueUse this free service to check if an email address is in any hacked data from known database breaches. Get a summary of what specific information may be at risk, critical personal identity alerts, a relative exposure rating and more. Results are shown immediately - no verification, upgrades or extra steps are required.
breach data from: Have I Been pwned?
Recent Global Data Breaches
Figure - 967,178 breached accounts In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.
Canada Goose - 581,877 breached accounts In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card type and last 4 digits. Canada Goose advised that the data "appears to relate to past customer transactions" and stated that it originated from a breach at a third party in August 2025. The most recent transaction date in the data is July 2025.
University of Pennsylvania - 623,750 breached accounts In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history.
APOIA.se - 450,764 breached accounts In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Toy Battles - 1,017 breached accounts In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.
Association Nationale des Premiers Secours - 5,600 breached accounts In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords.
Substack - 663,121 breached accounts In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers.
Betterment - 1,435,174 breached accounts In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials.
Panera Bread - 5,112,502 breached accounts In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified.
SoundCloud - 29,815,722 breached accounts In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month.
Under Armour - 72,742,892 breached accounts In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations and purchase information.
Raaga - 10,225,145 breached accounts In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5 hashes.
Pass'Sport - 6,366,133 breached accounts In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physical addresses. The Ministry of Sports subsequently released a statement acknowledging the incident.
Instagram - 6,215,150 breached accounts In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number. The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised.
BreachForums (2025) - 672,247 breached accounts In October 2025, a reincarnation of the hacking forum BreachForums, which had previously been shut down multiple times, was taken offline by a coalition of law enforcement agencies. In the months leading up to the takedown, the site itself suffered a data breach that exposed a total of 672k unique email addresses across all tables, including within forum posts and private messages. The users table alone contained 324k unique email addresses, usernames, and Argon2 password hashes.
WhiteDate - 20,363 breached accounts In December 2025, the dating website "for a Europid vision" WhiteDate suffered a data breach that was subsequently leaked online, initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ. A more comprehensive dataset was later provided to HIBP, containing usernames, IP addresses, private messages, phpBB password hashes and a total of 20k unique email addresses.
WIRED - 2,364,431 breached accounts In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online. The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number, date of birth, gender, and geographic location or full physical address. The WIRED data allegedly represents a subset of Condé Nast brands the hacker also claims to have obtained.
breach data from: Have I Been pwned? (HIBP)
Identity Theft and Security Resources
Official US Government Sites
- IdentityTheft.gov
- FTC Complaint Assistant
- FBI Internet Crime Complaint Center
- US Postal Inspection Service ID Theft Complaint
- IRS Taxpayer Victim Assistance
- HHS Health Information Breach Portal
- National Do Not Call Registry
Identity Security Tips and Guidelines
- FDIC Cybersecurity Awareness Basics
- FTC Identity Theft Consumer Information
- Identity Theft: What To Do If It Happens To You
- Protect Yourself from Identity Theft
- Protecting Your Social Security
- Spam "Unsubscribe" Services are a Scam
Fraud Information and Assistance Organizations
- ID Theft Resource Center
- Better Business Bureau
- Fraud.org
- Privacy Rights Clearinghouse
- Charity Watch
Credit Bureaus and Reporting
- Equifax
- Experian
- TransUnion
- Free credit report from annualcreditreport.com
