What “Have I Been Pwned Not Working” Usually Means
If you are trying to check an email address or domain on Have I Been Pwned (HIBP) and the site will not load, returns an error, or blocks your request, the cause is usually not the service itself.
Most issues come from browser problems, network filters, rate limits, DNS resolution, or API authentication mistakes.
This guide explains how to fix Have I Been Pwned not working on browsers, mobile devices, and API-based tools, so you can get accurate breach data without guessing.
Check Whether the Problem Is on Your Side
Before changing settings, confirm whether HIBP is actually down or whether your device, browser, or network is the issue.
A quick test saves time and prevents unnecessary troubleshooting.
- Open the main HIBP website in a different browser.
- Try from a different device on the same network.
- Switch from Wi‑Fi to mobile data.
- Check a public status service or social feed for outage reports.
If HIBP works elsewhere, the problem is local.
If it fails everywhere, wait a bit and retry after the service recovers.
Clear Browser Cache, Cookies, and Site Data
Corrupted cache or stale cookies can break page loading, sign-in sessions, and form submissions.
This is one of the most common fixes when Have I Been Pwned does not load correctly.
What to clear
- Cached images and files
- Cookies for haveibeenpwned.com
- Local storage or site data
After clearing data, fully close the browser and reopen it.
Then test HIBP again in a fresh session.
Disable Extensions That Interfere With the Site
Privacy tools, script blockers, ad blockers, and aggressive security extensions can stop search forms, buttons, or embedded scripts from working.
HIBP is a legitimate security service, but some browser add-ons still classify it as suspicious because it handles breach-related data.
Temporarily disable extensions such as:
- Ad blockers
- Script blockers
- Tracker blockers
- Password manager browser add-ons
- Anti-fingerprinting tools
If the site works after disabling an extension, re-enable them one by one to identify the conflict.
You can then whitelist the HIBP domain.
Try a Different Browser or Private Window
Browser settings and stored sessions can create hard-to-find problems.
Testing in a private or incognito window helps rule out cache, extension, and cookie issues at the same time.
Also try a different browser engine:
- Chrome or Chromium-based browsers
- Mozilla Firefox
- Microsoft Edge
- Safari on macOS or iOS
If HIBP works in one browser but not another, the issue is usually browser configuration, not the site.
Review DNS and Network Filtering
Some networks block security, privacy, or reputation-related sites.
Corporate firewalls, school networks, DNS filters, and antivirus web protection can prevent HIBP from loading or can break its API endpoints.
Common network causes
- Filtered DNS from a router, ISP, or security suite
- Firewall rules that block unknown HTTPS traffic
- Antivirus “web shield” or “safe browsing” features
- Enterprise proxies that inspect TLS connections
To test this, use another network.
If HIBP loads on mobile data but not on your home or office connection, inspect router DNS settings or security software.
Public DNS resolvers such as Google Public DNS or Cloudflare DNS may help, provided your organization allows them.
Make Sure You Are Using the Correct HIBP Page or API Endpoint
There are multiple HIBP workflows, and each has different requirements.
A search page issue is not the same as an API issue, and an account login problem is different from a public breach lookup issue.
- Public breach search: used for checking email addresses
- Domain search: requires validation and the proper account setup
- API access: requires a valid API key and correct headers
- Password-related features: may require additional verification
If you are using a script or integration, verify that the endpoint URL, request method, and headers match the current HIBP API documentation.
Small mistakes often appear as “not working” even when the service is healthy.
Fix API Authentication and Rate Limit Issues
Developers and security teams often hit problems that look like site outages but are really API errors.
Have I Been Pwned uses request throttling and expects valid authentication, so repeated calls can fail if your integration is misconfigured.
Check these API basics
- Confirm your API key is active and copied correctly
- Use the required
User-Agentheader - Respect rate limits and retry policies
- Handle HTTP status codes properly
- Verify you are sending the exact email or password prefix format the endpoint expects
If your tool sends too many requests too quickly, back off and retry later.
Many HIBP API failures are temporary rate-limit responses, not permanent errors.
Update Your Browser, App, or Script
Outdated software can cause TLS handshake errors, JavaScript failures, or API incompatibilities.
This is especially common on older devices, outdated Linux distributions, and legacy browser builds.
Update:
- Your browser to the latest stable version
- Any password manager or security app interacting with HIBP
- Libraries used in scripts, such as HTTP clients and TLS packages
- Operating system security patches
Many modern websites depend on current TLS standards and updated certificate stores.
If those are stale, the site may appear broken.
Check Time, Date, and Certificate Settings
Incorrect system time can cause certificate validation errors, which may prevent secure connections to HIBP.
This is a subtle but real issue on desktops, servers, and mobile devices that have drifted from accurate time.
- Set the date and time automatically
- Confirm your timezone is correct
- Make sure system certificates are up to date
If the browser reports a certificate warning or refuses to connect, correct time settings before trying anything else.
Why the Site Loads but Search Results Fail
Sometimes the homepage works, but searches return no response or an error.
In that case, the problem is usually form submission, client-side JavaScript, or a temporary service constraint.
Look for these signs:
- The search box does nothing after clicking submit
- Results spin endlessly
- An error message appears after entering an email
- The page loads but data never appears
Clear site data, disable extensions, and test in a private window first.
If the problem continues, inspect your network for JavaScript blocking or content filtering.
When HIBP Is Working but Your Data Is Not Showing
Not every “not working” case is a technical problem.
In some cases, the email address has not appeared in known breaches, the domain search is not validated, or the exact input is formatted incorrectly.
Double-check:
- The email address spelling
- Whether aliases or plus-addressing are being used
- Whether the domain has been verified for domain search
- Whether you are checking the right identity, such as a personal versus work address
For better accuracy, compare the result across the website and your own API implementation if both are available.
Practical Reset Steps That Solve Most Cases
If you want the fastest path to fixing Have I Been Pwned not working, use this sequence:
- Open HIBP in a private window.
- Try a different browser.
- Disable extensions temporarily.
- Clear cache and cookies for the site.
- Switch networks or test mobile data.
- Check DNS, firewall, or antivirus filtering.
- Verify API key, headers, and rate limits if you use automation.
This order catches the most common causes without wasting time on advanced diagnostics too early.
When to Escalate the Problem
If HIBP still fails after local troubleshooting, the issue may involve your ISP, enterprise security stack, or a broader service disruption.
For API integrations, review logs for status codes, timestamps, and request IDs so you can isolate whether the failure is authentication, throttling, or connectivity-related.
For persistent browser issues on managed devices, contact your IT administrator and mention the HIBP domain, the exact error message, your browser version, and whether the problem happens on multiple networks.
Accurate details help distinguish between a blocked security site, a broken browser session, and a temporary service issue.