Frequently asked questions

What is a "breach" and where has the data come from?

A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. BreachDirectory aggregates breaches and enables people to assess where their personal data has been exposed.

Can I send users their exposed passwords?


How are breahces added to breachdirectory?

  1. Breach is identified through scraping news sites, data breach reporting sites, and forums.
  2. Breach data is found, downloaded, and confirmed using artificial intelligence.
  3. Artificial intelligence is used to decompress and parse the data and bad/incomplete entries are automatically removed.
  4. Passwords, emails, and usernames are identified and the following information is imported into the BreachDirectory database: first 4 characters of each passwords, SHA-1 hash of each password, length of each passwords, usernames, and emails.

Why do I see my username as breached on a service I never signed up to?

When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.

Why do I see my email address as breached on a service I never signed up to?

When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up.

Can a breach be removed against my email address after I've changed the password?

BreachDirectory provides a record of which breaches an email address has appeared in regardless of whether the password has consequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don't want any breach to publicly appear against the address, contact me.

How can I submit a data breach?

If you've come across a data breach which you'd like to submit, get in touch with me. Check out what's currently loaded into BreachDirectory on the breached data wells first if you're not sure whether the breach is already in the system.