top of page

Have you been pwned?

Have you checked your email address to see if it’s been compromised? If your email has been "pwned", it means that the security of your account may be at risk.

The word "pwned" has its origins in video game culture and is a derivation of the word “owned”. It is typically used to imply that someone or something has been controlled or compromised.

Almost weekly there’s a new data breach on a website or service. Therefore it’s perhaps wise, from time to time, to check that your information has not been part of such a breach.

It could mean your passwords and email addresses have landed in the hands of cyber criminals. Hacking an account using your email address is possibly the first step of identity theft as there is typically a lot of sensitive information attached to your email account. For example, you might have linked your credit card information or some other important personal information with the same login credentials on another account.

If your email account does end up in the wrong hands, criminals can use your information to purchase goods in your name, and it can be used to spread malware or as a part of a botnet.

If you have reused the same password and email combination on other accounts, the person who has gained access to your information can use this to target these other profiles as well. Identity theft can cause you financial damage and legal problems.

There are many ways your email can be pwned. In addition to being part of a breach, your email account can be hacked through malware attacks on any of your devices, or through phishing scams.

To check if you have been pwned, visit the website Have I Been Pwned and enter in your email address. You can check your phone, too.

What should I do if it turns out my email address has been “pwned”?

Make sure your antivirus programs and operating systems are up to date

Malware is a major reason of personal information being acquired by criminals. Having up-to-date cyber security programs and operating systems on each of your devices is important in protecting your accounts from being pwned.

Software is regularly updated to prevent hackers from utilising its flaws and weaknesses. Not only do updates make software better, but they also make it more secure. Automatic updates can save you from a lot of trouble if you do not yet have them enabled. If updates require manual action, don’t ignore them. You may find them annoying, but updates are essential.

Scan your device for malware

If there is malware on your device, changing your password isn’t enough. The attacker may gain access to your new passwords through a keylogger, for example.

Before you change any passwords, scan your device for malware. You should regularly do this even if everything appears to be fine, because malware can be inconspicuous. Some malware can even deactivate your antivirus software, if it’s not powerful enough to prevent it.

Even if you know that your account was pwned through a massive breach, it is still a good idea to run a full scan. If the scan detects infection, concentrate on this issue first. If you already changed passwords, change them again. They might have already been compromised.

Now, change your passwords

This is one of the most important steps to take. It’s a healthy habit to change your passwords every now and then. If you suspect or know that your email has been pwned, you must change them. If you have reused your password on other accounts, which is a habit you definitely should quit, you should change passwords for those accounts as well. It can be tiresome to have multiple passwords, but your own security is at risk if you are using the same password in numerous locations. You can never be too secure.

If your password has been changed for your hacked account, don’t panic. You may still be able to restore your account through the “forgot your password” function, provided you have placed security questions or a back-up email address or phone number.

On the topic of security questions, you should change them as well. It is possible the attacker gained access to your account through breaking your security questions. This is possible if you used answers that can be guessed based on your social media profiles or personal information.

Check your email settings

If your email account has been pwned, attackers can set it to do things you don’t want to. These can include forwarding your messages to the attacker and automatically sending malware or phishing spam.

Check your settings and see if you find anything alarming.

You might also want to send an email to your contacts or post on social media that your email has been pwned to warn against opening any attachments sent by you. This can save your contacts from being infected by malware.

How can you protect your email from being pwned?

Pay attention to the source of messages; don’t fall for phishing scams or spam. Always be cautious when opening files, clicking on links or installing programs. You should do this only when you trust the origin.

It’s highly unlikely that if you have won the lottery, but if you have, they will contact you via telephone. They will not simply email you. Likewise, your bank or the authorities don’t ask you to authenticate information online and the “hot women in your area” are more than likely not in your area at all!

Enabling two-factor or multi-factor authentication are very good ways to make it harder for someone to hack your account. That’s why many banks and service providers use it. You should follow their example and use it when possible.

Finally, always use strong passwords. The harder your password is to guess, the better. Three random words is a good place to start.

You shouldn’t reuse your passwords especially on important and sensitive accounts. If you get a password manager to secure your passwords, you only have to remember one to access all the rest.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page