Have I Been Pwned (HIBP) is more than a breach lookup tool—it can help you build a repeatable checklist for finding exposed accounts, prioritizing risk, and taking action quickly.
This guide shows how to create a checklist with Have I Been Pwned so you can verify exposure, secure accounts, and reduce the chance of repeat incidents.
What Have I Been Pwned does?
Have I Been Pwned is a breach notification service created by security researcher Troy Hunt.
It aggregates publicly reported data breaches and lets users check whether an email address, password, or domain has appeared in known leaks.
For personal use, HIBP helps you identify which accounts may need immediate attention.
For organizations, it can support a broader exposure review by checking company email domains and mapping findings to affected systems, users, and password resets.
The service is especially useful because it gives you a starting point.
Instead of guessing which accounts might be at risk, you can build a checklist around verified evidence.
Why a checklist is useful
A breach notification alone does not solve the problem.
Once an email address appears in a data breach, you need a consistent process to verify the account, secure it, and monitor for follow-up issues.
A checklist helps you:
- avoid missing critical accounts
- prioritize high-risk logins such as email, banking, and cloud services
- standardize incident response steps
- track whether passwords, MFA, and recovery options were updated
- document actions for personal or organizational security records
This is especially valuable if you manage many online accounts, support a family or small team, or handle security for a business with multiple employees.
How to create a checklist with Have I Been Pwned
The best way to create a checklist with Have I Been Pwned is to divide the process into four phases: identify, validate, fix, and monitor.
Each phase turns a breach result into specific actions.
1. Identify exposed email addresses and domains
Start by checking the primary email addresses you use most often.
If you are an individual, focus on your main inbox, backup email, and any addresses tied to financial or administrative accounts.
If you are a business, check the domain used by employees, contractors, and shared service accounts.
Record each address or domain in your checklist and note whether HIBP reports a breach, a paste exposure, or a password-related event.
This creates a simple inventory you can use to prioritize follow-up steps.
2. Validate the type of exposure
Not every HIBP result requires the same response.
Some breaches expose only email addresses, while others may include hashed passwords, usernames, phone numbers, or other personal data.
The more sensitive the data, the higher the urgency.
Add a field in your checklist for breach details such as:
- breach name
- date of breach
- data exposed
- whether the account still exists
- whether the password may have been reused elsewhere
Knowing what was exposed helps you decide whether to reset a password immediately, review account activity, or contact the service provider.
3. Prioritize the accounts that matter most
Once you know which addresses were exposed, rank accounts by impact.
Email and password managers should come first because they can unlock password resets for other services.
After that, move to banking, payroll, cloud storage, social media, and shopping accounts that store payment details.
A practical priority order looks like this:
- Primary email accounts
- Password manager and MFA recovery accounts
- Financial services and payment platforms
- Work-related SaaS tools and admin consoles
- Social media, marketplaces, and subscription services
Adding a priority field keeps your checklist focused and prevents less important accounts from distracting you from urgent ones.
4. Secure the account and close the exposure window
After exposure is confirmed, take action on the account itself.
For each item in the checklist, include steps for remediation and verification.
In most cases, that means changing the password, checking for unauthorized logins, and enabling multifactor authentication (MFA) if it is not already active.
Your checklist should also include these tasks:
- replace reused passwords with unique credentials
- revoke active sessions and device tokens
- update account recovery email and phone number
- verify security questions are not publicly guessable
- check forwarding rules in email accounts
- review connected apps and third-party access
For businesses, add a confirmation step that IT or security staff verified remediation for each user account.
What to include in your checklist
A useful HIBP-based checklist should be simple enough to use repeatedly but detailed enough to support action.
The following fields work well in a spreadsheet, ticketing system, or password manager notes.
- Account name
- Email address or username
- Breach name
- Breach date
- Exposure type
- Risk level
- Required action
- Status
- Completion date
- Follow-up owner
If you want a cleaner workflow, group the checklist by severity: critical, high, medium, and low.
This makes it easier to handle urgent accounts first and avoid overloading the process.
How to use the HIBP website effectively
The public HIBP website is designed for quick lookups, but it can still support a structured checklist process.
Search each relevant email address and review the breach history carefully.
If the service shows multiple breaches, note them separately rather than treating them as one event.
Pay attention to whether the exposure is recent or old.
Older breaches still matter if the same password was reused, but recent breaches can indicate active risk.
If the account is still in use and the breached password is still valid elsewhere, immediate action is warranted.
HIBP also provides additional tools such as password checking and domain search features.
These can be useful when you are building a broader security review around your checklist.
Using Have I Been Pwned for business security
For organizations, creating a checklist with Have I Been Pwned is often part of a larger identity and access management process.
A domain search can help identify whether employee addresses appear in known breaches, which may signal credential reuse or increased phishing risk.
Businesses should connect the results to specific control actions:
- force password resets for affected accounts
- require MFA enrollment
- review privileged access accounts first
- notify affected employees with clear instructions
- check for signs of account takeover
- document remediation for compliance audits
Security teams can also use the results to improve awareness training.
If many users appear in the same breach, that may indicate weak password habits or a need for stronger enforcement of password policies.
Common mistakes to avoid
HIBP is powerful, but a checklist is only effective if it is used correctly.
One common mistake is assuming that a breach result means the account is compromised right now.
Exposure is a warning, not proof of active takeover.
Other mistakes include:
- changing only one password while leaving reused passwords unchanged elsewhere
- failing to enable MFA after a breach
- ignoring old breach records because they seem outdated
- not checking recovery channels and backup codes
- leaving completed items undocumented, which makes follow-up harder
Another error is treating personal and work accounts the same.
Business accounts often require additional steps such as manager approval, IT verification, and incident reporting.
Example of a simple HIBP checklist workflow
Here is a practical workflow you can adapt:
- Search the email address on Have I Been Pwned.
- Record each breach and the data exposed.
- Assign a risk level based on account importance and data sensitivity.
- Reset the password and replace reused credentials.
- Enable or verify MFA.
- Revoke sessions and review account activity.
- Check recovery methods, connected apps, and email forwarding rules.
- Mark the item complete and schedule a follow-up review.
This sequence is easy to repeat and works well for both personal security and small-team processes.
Keeping the checklist updated
Because new breaches are reported regularly, a checklist should be reviewed on a schedule.
Monthly or quarterly reviews are often enough for individuals, while businesses may need more frequent checks depending on risk and compliance requirements.
Set reminders to review high-value accounts, update remediation status, and add any newly discovered breaches.
If you use a password manager, pair the checklist with strong unique passwords so future exposure has less impact.
When used consistently, Have I Been Pwned becomes a practical input to a living security checklist rather than a one-time search.
That is what makes the process valuable: it turns breach data into measurable action.