How to Fix Have I Been Pwned Not Working: 2026 Troubleshooting Guide

Written by: Abigail Ivy
Published on:

What “Have I Been Pwned Not Working” Usually Means

If you are trying to check an email address or domain on Have I Been Pwned (HIBP) and the site will not load, returns an error, or blocks your request, the cause is usually not the service itself.

Most issues come from browser problems, network filters, rate limits, DNS resolution, or API authentication mistakes.

This guide explains how to fix Have I Been Pwned not working on browsers, mobile devices, and API-based tools, so you can get accurate breach data without guessing.

Check Whether the Problem Is on Your Side

Before changing settings, confirm whether HIBP is actually down or whether your device, browser, or network is the issue.

A quick test saves time and prevents unnecessary troubleshooting.

  • Open the main HIBP website in a different browser.
  • Try from a different device on the same network.
  • Switch from Wi‑Fi to mobile data.
  • Check a public status service or social feed for outage reports.

If HIBP works elsewhere, the problem is local.

If it fails everywhere, wait a bit and retry after the service recovers.

Clear Browser Cache, Cookies, and Site Data

Corrupted cache or stale cookies can break page loading, sign-in sessions, and form submissions.

This is one of the most common fixes when Have I Been Pwned does not load correctly.

What to clear

  • Cached images and files
  • Cookies for haveibeenpwned.com
  • Local storage or site data

After clearing data, fully close the browser and reopen it.

Then test HIBP again in a fresh session.

Disable Extensions That Interfere With the Site

Privacy tools, script blockers, ad blockers, and aggressive security extensions can stop search forms, buttons, or embedded scripts from working.

HIBP is a legitimate security service, but some browser add-ons still classify it as suspicious because it handles breach-related data.

Temporarily disable extensions such as:

  • Ad blockers
  • Script blockers
  • Tracker blockers
  • Password manager browser add-ons
  • Anti-fingerprinting tools

If the site works after disabling an extension, re-enable them one by one to identify the conflict.

You can then whitelist the HIBP domain.

Try a Different Browser or Private Window

Browser settings and stored sessions can create hard-to-find problems.

Testing in a private or incognito window helps rule out cache, extension, and cookie issues at the same time.

Also try a different browser engine:

  • Chrome or Chromium-based browsers
  • Mozilla Firefox
  • Microsoft Edge
  • Safari on macOS or iOS

If HIBP works in one browser but not another, the issue is usually browser configuration, not the site.

Review DNS and Network Filtering

Some networks block security, privacy, or reputation-related sites.

Corporate firewalls, school networks, DNS filters, and antivirus web protection can prevent HIBP from loading or can break its API endpoints.

Common network causes

  • Filtered DNS from a router, ISP, or security suite
  • Firewall rules that block unknown HTTPS traffic
  • Antivirus “web shield” or “safe browsing” features
  • Enterprise proxies that inspect TLS connections

To test this, use another network.

If HIBP loads on mobile data but not on your home or office connection, inspect router DNS settings or security software.

Public DNS resolvers such as Google Public DNS or Cloudflare DNS may help, provided your organization allows them.

Make Sure You Are Using the Correct HIBP Page or API Endpoint

There are multiple HIBP workflows, and each has different requirements.

A search page issue is not the same as an API issue, and an account login problem is different from a public breach lookup issue.

  • Public breach search: used for checking email addresses
  • Domain search: requires validation and the proper account setup
  • API access: requires a valid API key and correct headers
  • Password-related features: may require additional verification

If you are using a script or integration, verify that the endpoint URL, request method, and headers match the current HIBP API documentation.

Small mistakes often appear as “not working” even when the service is healthy.

Fix API Authentication and Rate Limit Issues

Developers and security teams often hit problems that look like site outages but are really API errors.

Have I Been Pwned uses request throttling and expects valid authentication, so repeated calls can fail if your integration is misconfigured.

Check these API basics

  • Confirm your API key is active and copied correctly
  • Use the required User-Agent header
  • Respect rate limits and retry policies
  • Handle HTTP status codes properly
  • Verify you are sending the exact email or password prefix format the endpoint expects

If your tool sends too many requests too quickly, back off and retry later.

Many HIBP API failures are temporary rate-limit responses, not permanent errors.

Update Your Browser, App, or Script

Outdated software can cause TLS handshake errors, JavaScript failures, or API incompatibilities.

This is especially common on older devices, outdated Linux distributions, and legacy browser builds.

Update:

  • Your browser to the latest stable version
  • Any password manager or security app interacting with HIBP
  • Libraries used in scripts, such as HTTP clients and TLS packages
  • Operating system security patches

Many modern websites depend on current TLS standards and updated certificate stores.

If those are stale, the site may appear broken.

Check Time, Date, and Certificate Settings

Incorrect system time can cause certificate validation errors, which may prevent secure connections to HIBP.

This is a subtle but real issue on desktops, servers, and mobile devices that have drifted from accurate time.

  • Set the date and time automatically
  • Confirm your timezone is correct
  • Make sure system certificates are up to date

If the browser reports a certificate warning or refuses to connect, correct time settings before trying anything else.

Why the Site Loads but Search Results Fail

Sometimes the homepage works, but searches return no response or an error.

In that case, the problem is usually form submission, client-side JavaScript, or a temporary service constraint.

Look for these signs:

  • The search box does nothing after clicking submit
  • Results spin endlessly
  • An error message appears after entering an email
  • The page loads but data never appears

Clear site data, disable extensions, and test in a private window first.

If the problem continues, inspect your network for JavaScript blocking or content filtering.

When HIBP Is Working but Your Data Is Not Showing

Not every “not working” case is a technical problem.

In some cases, the email address has not appeared in known breaches, the domain search is not validated, or the exact input is formatted incorrectly.

Double-check:

  • The email address spelling
  • Whether aliases or plus-addressing are being used
  • Whether the domain has been verified for domain search
  • Whether you are checking the right identity, such as a personal versus work address

For better accuracy, compare the result across the website and your own API implementation if both are available.

Practical Reset Steps That Solve Most Cases

If you want the fastest path to fixing Have I Been Pwned not working, use this sequence:

  1. Open HIBP in a private window.
  2. Try a different browser.
  3. Disable extensions temporarily.
  4. Clear cache and cookies for the site.
  5. Switch networks or test mobile data.
  6. Check DNS, firewall, or antivirus filtering.
  7. Verify API key, headers, and rate limits if you use automation.

This order catches the most common causes without wasting time on advanced diagnostics too early.

When to Escalate the Problem

If HIBP still fails after local troubleshooting, the issue may involve your ISP, enterprise security stack, or a broader service disruption.

For API integrations, review logs for status codes, timestamps, and request IDs so you can isolate whether the failure is authentication, throttling, or connectivity-related.

For persistent browser issues on managed devices, contact your IT administrator and mention the HIBP domain, the exact error message, your browser version, and whether the problem happens on multiple networks.

Accurate details help distinguish between a blocked security site, a broken browser session, and a temporary service issue.