Chrome Check Email Breaches (2026)

Last updated: April 17, 2026

Data breaches have become a routine threat in our connected world. When websites get hacked, millions of email addresses and passwords can leak onto the dark web. As a developer or power user, you need efficient ways to check whether your email has been exposed. This guide covers practical methods to check email breaches using Chrome and related developer tools.

Understanding Email Breach Data

Before diving into the methods, it’s worth understanding where breach data lives. Services like Have I Been Pwned (HIBP) aggregate breach data from various sources and make it searchable through APIs. Chrome extensions and custom scripts can tap into these databases to alert you if your email appears in any known breaches.

The key resource here is the Have I Been Pwned API, which provides programmatic access to breach data. This is the same database that powers the popular haveibeenpwned.com website.

Method 1: Using Chrome Extensions

The quickest way to check email breaches directly in your browser is through Chrome extensions. Several reputable security-focused extensions integrate with HIBP and other breach databases.

Search for extensions like “Breach Alarm” or “Firefox Monitor” in the Chrome Web Store. These extensions typically work by:

Asking for permission to read your email (or letting you manually input addresses)
Checking the email against known breach databases
Displaying a notification with breach results

For developers who prefer command-line tools, the HIBP API offers a more flexible approach.

Method 2: Using the Have I Been Pwned API

The HIBP API provides a clean REST interface for checking breaches. Here’s how to use it effectively.

Checking a Single Email Address

You can use the GET /breachedaccount/{account} endpoint to check if an email appears in any breaches:

curl -H "hibp-api-key: YOUR_API_KEY" \
 "https://haveibeenpwned.com/api/v3/breachedaccount/[email protected]"

Note that the API key is required for this endpoint. You can obtain a key from the HIBP website for programmatic access.

Using the k-Anonymity Model

For privacy-conscious checking without an API key, use the password k-anonymity API. While primarily designed for password checking, you can adapt similar principles for email checking:

async function checkEmailBreaches(email) {
 // Hash the email with SHA-1
 const encoder = new TextEncoder();
 const data = encoder.encode(email.toLowerCase());
 const hashBuffer = await crypto.subtle.digest('SHA-1', data);
 const hashArray = Array.from(new Uint8Array(hashBuffer));
 const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 
 const prefix = hashHex.substring(0, 5);
 const suffix = hashHex.substring(5);
 
 // Query HIBP with the prefix
 const response = await fetch(
 `https://api.pwnedpasswords.com/range/${prefix}`
 );
 const text = await response.text();
 
 // Check if our hash suffix appears in results
 const lines = text.split('\n');
 for (const line of lines) {
 const [hashSuffix, count] = line.split(':');
 if (hashSuffix.toUpperCase() === suffix) {
 return {
 breached: true,
 count: parseInt(count)
 };
 }
 }
 
 return { breached: false, count: 0 };
}

This approach sends only the first 5 characters of your SHA-1 hash to the server, keeping your actual email hash private.

Method 3: Building a Custom Breach Checker

For developers who want full control, building a custom breach checker gives you flexibility to integrate with your own systems.

Simple Node.js Implementation

Here’s a practical example using Node.js:

const https = require('https');
function checkBreach(email) {
 const emailLower = email.toLowerCase().trim();
 
 const options = {
 hostname: 'haveibeenpwned.com',
 path: `/api/v3/breachedaccount/${encodeURIComponent(emailLower)}?truncateResponse=false`,
 method: 'GET',
 headers: {
 'hibp-api-key': process.env.HIBP_API_KEY,
 'user-agent': 'MyBreachChecker/1.0'
 }
 };
 return new Promise((resolve, reject) => {
 const req = https.request(options, (res) => {
 let data = '';
 
 res.on('data', (chunk) => {
 data += chunk;
 });
 
 res.on('end', () => {
 if (res.statusCode === 200) {
 const breaches = JSON.parse(data);
 resolve({
 email: emailLower,
 breached: true,
 breachCount: breaches.length,
 breaches: breaches.map(b => ({
 name: b.Name,
 domain: b.Domain,
 breachDate: b.BreachDate,
 dataClasses: b.DataClasses
 }))
 });
 } else if (res.statusCode === 404) {
 resolve({
 email: emailLower,
 breached: false,
 breachCount: 0
 });
 } else {
 reject(new Error(`API returned ${res.statusCode}`));
 }
 });
 });
 req.on('error', reject);
 req.end();
 });
}
// Usage
checkBreach('[email protected]')
 .then(result => {
 if (result.breached) {
 console.log(`Found ${result.breachCount} breaches:`);
 result.breaches.forEach(b => {
 console.log(`- ${b.name} (${b.domain})`);
 console.log(` Compromised: ${b.dataClasses.join(', ')}`);
 });
 } else {
 console.log('No breaches found.');
 }
 })
 .catch(console.error);

Storing Results for Monitoring

If you’re building a monitoring system, consider storing results in a database:

const { Client } = require('pg');
async function logBreachCheck(email, result) {
 const client = new Client({
 connectionString: process.env.DATABASE_URL
 });
 
 await client.connect();
 
 await client.query(
 `INSERT INTO breach_checks (email, breached, breach_count, checked_at)
 VALUES ($1, $2, $3, NOW())`,
 [email, result.breached, result.breachCount]
 );
 
 await client.end();
}

Method 4: Using Chrome DevTools Protocol

For advanced automation, you can use Chrome DevTools Protocol to build a headless breach checker:

const { chromium } = require('playwright');
async function automatedBreachCheck(email) {
 const browser = await chromium.launch({ headless: true });
 const page = await browser.newPage();
 
 // Navigate to HIBP (manual check page)
 await page.goto('https://haveibeenpwned.com/');
 
 // Fill in the email (note: this is for demonstration)
 await page.fill('#account', email);
 await page.click('#search');
 
 // Wait for results
 await page.waitForSelector('.result, .no-results');
 
 const resultText = await page.textContent('.result, .no-results');
 
 await browser.close();
 
 return resultText;
}

This method is slower than API calls but useful if you need to check without API access.

Automating Regular Checks

For ongoing monitoring, set up scheduled checks using cron jobs or GitHub Actions:

.github/workflows/breach-check.yml
name: Weekly Breach Check
on:
 schedule:
 - cron: '0 0 * * 0' # Weekly on Sunday
 workflow_dispatch:
jobs:
 check:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
 - name: Run breach check
 env:
 HIBP_API_KEY: ${{ secrets.HIBP_API_KEY }}
 run: node check-breaches.js

Best Practices

When checking for email breaches, keep these security practices in mind:

Use API keys properly. Store your HIBP API key in environment variables, never commit it to repositories. Use GitHub Secrets or similar secure storage for CI/CD pipelines.

Limit query frequency. The HIBP API has rate limits. Space out your queries to avoid throttling.

Monitor multiple emails. If you manage multiple accounts, create a system to track all of them. Consider using a password manager that includes breach monitoring.

Respond to breaches found. If you discover your email in a breach, change passwords immediately, enable two-factor authentication, and check for any suspicious account activity.

Conclusion

Checking whether your email has appeared in data breaches is a straightforward process with the right tools. Whether you prefer browser extensions for quick checks, the HIBP API for programmatic access, or custom-built solutions for full control, you have options suited for different scenarios.

For developers, integrating breach checking into your security tooling provides valuable monitoring capabilities. The methods covered here range from simple one-off checks to automated monitoring systems. Choose the approach that fits your needs and stay ahead of potential security threats.

Try it: Paste your error into our Error Diagnostic for an instant fix.

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=chrome-check-email-breaches)** $99 once. Free forever. 47/500 founding spots left.