Have I Been Pwned Has a Free API — Check If Any Email Was in a Data Breach


via Dev.to Python, by Alex Spinov

In 2024, a breach exposed 26 billion records. Your email is probably in at least one breach. Have I Been Pwned (HIBP) lets you check — and their password API is completely free. No key needed.

The APIs

HIBP has two types of access:

- Password API — Free, no key, unlimited
- Email breach API — Requires paid key ($3.50/month) or use the free website

Let's focus on what's free.

1. Check Passwords Without Sending Them (k-Anonymity)

This is brilliant: you send only the first 5 characters of the SHA-1 hash. HIBP returns every hash suffix that shares that prefix, and the comparison happens on your side. Your password never leaves your machine.

```python
import hashlib
import requests


def check_password(password):
    """
    Check if a password has been in a data breach.
    Uses k-anonymity: only first 5 chars of hash are sent.
    """
    sha1 = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    prefix = sha1[:5]   # sent to the API
    suffix = sha1[5:]   # kept local and compared below

    resp = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}', timeout=10)
    resp.raise_for_status()

    # Each response line has the form SUFFIX:COUNT
    for line in resp.text.splitlines():
        hash_suffix, _, count = line.partition(':')
        if hash_suffix == suffix:
            return int(count)  # number of times this password appears in breaches
    return 0  # suffix not in the returned range
```
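The range lookup described above, as an added example that is not code from the original article: it separates hashing, the network call and the local comparison so that what goes over the wire can be inspected and the parsing can be exercised offline. It goes slightly beyond the excerpt by sending the API's `Add-Padding` request header, which pads the response with entries whose count is 0. The function names, the `User-Agent` value and the fake fetcher with its sample counts are constructed for illustration, and `urllib` is used in place of `requests` to keep it to the standard library.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (prefix, suffix) of the SHA-1 hex digest; only the prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(body, suffix):
    """Look for our suffix in a range response (one SUFFIX:COUNT per line)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.isdigit():
            continue  # skip blank or malformed lines instead of crashing
        if candidate.upper() == suffix:
            return int(count)  # a padding entry would yield 0 here
    return 0

def fetch_range(prefix, timeout=10):
    """Live lookup; Add-Padding asks the API to pad the response."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch=fetch_range):
    """Breach count for a password; `fetch` is injectable for offline runs."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch(prefix), suffix)

def make_fake_fetch(known, sent):
    """Constructed stand-in for the API, serving counts from {password: count}."""
    def fetch(prefix):
        sent.append(prefix)  # record exactly what would leave the machine
        lines = ["0" * 35 + ":0"]  # constructed padding entry (count 0)
        for pw, n in known.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{n}")
        return "\r\n".join(lines)
    return fetch
```

Calling `pwned_count("some password")` with the default fetcher performs the live query; passing `make_fake_fetch(...)` keeps everything local.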
