Have I been in a data breach?

Q: How many data breaches has the average American been in?

Most US adults appear in several. Known leak databases catalog billions of compromised accounts across roughly a thousand publicly disclosed breaches, and cross-referencing typical US email coverage, most adults turn up in five to fifteen of them. People who've used the same email for 10+ years tend to be in more.

Q: Should I change my passwords after a breach?

Yes, but only for the breached service and any other service where you used the same or similar password. Use a password manager so you never have to think about which password went where. If the breach included a hashed password, modern hash algorithms (bcrypt, argon2) buy you time but not safety — rotate.

In short

Almost certainly yes, and probably in several. Known leak databases catalog billions of compromised accounts across roughly a thousand publicly disclosed breaches. Most adults appear in five to fifteen of them.
The 2024 breach calendar alone exposed billions of records: National Public Data (2.9B records with SSNs), Change Healthcare (192M with health and payment data), AT&T (millions of customer call and account records).
Free Delist scan checks your email, phone, and identifiers against known breach sources and the broker sites that aggregate breach data. No card needed.

6 min read Last reviewed May 2026 Free scan available

The scale of the breach problem

The known leak databases that catalog publicly disclosed breaches now hold billions of compromised accounts across roughly a thousand publicly known breaches. That number grows month over month. And it doesn't include the breaches that stay private — held by criminal groups, sold narrowly on closed forums, or never disclosed by the breached companies.

What's in those records varies by breach. Common combinations:

Credentials — email + password (often hashed, sometimes plaintext). Most breaches.
Personal identifiers — name, address, phone, date of birth. Most breaches involving customer records.
Financial data — partial card numbers, bank routing, transaction history. Some breaches.
Government identifiers — Social Security numbers, driver's-license numbers, passport numbers. Specific breaches (NPD, Equifax 2017, Change Healthcare).
Health data — diagnoses, prescriptions, treatment history. Health-sector breaches (Change Healthcare, Anthem).

"Have I been in a breach?" is the wrong question. The right questions are which breaches, and what categories of your data ended up in each.

The 2024 breaches that matter most

If you only remember three, remember these:

National Public Data (NPD), August 2024. Florida-based data broker. Roughly 2.9 billion records including names, addresses, phone numbers, dates of birth, family relationships, and Social Security numbers. Covered most US adults plus residents of the UK and Canada. The company filed for bankruptcy in October 2024. See the SSN exposure check.
Change Healthcare, February 2024. Cyberattack on the UnitedHealth-owned medical-claims clearinghouse. Over 192 million Americans affected. Exposed health insurance information, medical records, billing details, and SSNs for many records. Notifications continued into 2025.
AT&T, March and July 2024. Two separate breaches. The first exposed account data and SSNs for roughly 73 million current and former customers. The second exposed call and text records for almost all AT&T wireless customers from a six-month period in 2022.

If you held a US email, phone number, or health-insurance plan in 2024, you were in at least one of these. Probably more than one.

Find every breach your identifiers appear in. Free scan covers the public breach corpus plus the broker sites that re-aggregate it.

Run my free breach check →

The older breaches still in active use

Breach data does not expire. Records leaked in 2013 still circulate in 2026. The big historical ones still doing damage:

Equifax (2017). 147 million Americans. Names, SSNs, birth dates, addresses, some driver's-license numbers. The $700 million class-action settlement paid out through 2024.
Yahoo (2013-2014). 3 billion accounts — every Yahoo user at the time. Names, emails, phone numbers, dates of birth, hashed passwords, security questions and answers.
Marriott / Starwood (2018, disclosed). Roughly 500 million guests over four years of exposure. Passport numbers and payment cards for a subset.
LinkedIn (2012, full leak 2016). 167 million accounts. Email + hashed password. The hashes were weak; most were cracked within weeks.
Adobe (2013). 153 million accounts. Email + password + encrypted password hints. Adobe used reversible encryption with a single key.

If you've used the same email for 10+ years, you are in most of these whether you remember the service or not.

What "being in a breach" actually costs you

Breach exposure feeds three downstream attacks:

Credential stuffing. Attackers take your email + password from breach A and try them on services B through Z. Works because people reuse passwords. The only durable defense is unique passwords per service, which requires a password manager.
Social engineering. An attacker knows your email, phone, address, and family from breach C, and calls your bank pretending to be you. Customer-support reps verify identity with exactly this kind of data. Every breach makes every future impersonation more credible.
Identity theft. Breach data combines with broker data to give a thief everything needed to open credit, file taxes, or claim benefits in your name. See the full identity-theft risk picture.

What to do, in order

Find out what's exposed. Run a Delist scan — it checks known breach sources for your email and identifiers and maps the data-broker layer that re-aggregates breach data.
Rotate passwords on breached services + any services where you reused the password. Switch to a password manager. The big ones (1Password, Bitwarden) are worth the $3 a month.
Turn on 2FA where it's offered. SMS 2FA beats no 2FA; an authenticator app beats SMS; a hardware key beats both.
Freeze your credit at all three bureaus. Free, federal. Stops new credit accounts being opened in your name.
Reduce the surrounding broker data. An email-and-password breach is harder to weaponize when your name, address, family, and employer are not also published on data-broker sites. Removing the broker data is the part most people skip — and the part Delist handles automatically.

How Delist monitors going forward

Delist watches the breach corpus continuously. When a new breach surfaces and your identifiers (email, phone, name + address) appear in it, you get a notification. You don't have to remember to check.

The free scan tells you where you stand today. The paid product is the watch.

Frequently asked questions

How many data breaches has the average American been in?

Known leak databases catalog billions of compromised accounts across roughly a thousand publicly disclosed breaches. Cross-referencing typical US email coverage, most adults appear in five to fifteen breaches. People who've used the same email for 10+ years tend to be in more.

What's the difference between a leak and a breach?

In practice they're used interchangeably. A breach is the security event — the unauthorized access. A leak is the data going public — when the stolen data ends up on a forum or in a torrent. Some breaches never leak (attacker holds the data privately); some leaks come from misconfigurations rather than breaches (public S3 bucket, exposed database).

Should I change my passwords after a breach?

Yes — for the breached service and any other service where you used the same or similar password. Use a password manager so you never have to think about which password went where. If the breach included a hashed password, modern hash algorithms (bcrypt, argon2) buy you time but not safety. Rotate.

Why am I still getting spam years after a breach?

Leaked breach data gets recompiled, resold, and recirculated indefinitely. Your old email from a 2014 breach is still on every spammer's list a decade later. Once data is public, it stays public. The only durable defense is reducing the amount of other personal data attackers can combine with the leaked breach.

Do breach databases cover every breach?

No. Known leak databases index publicly disclosed breaches plus some private submissions from researchers. Many breaches stay private — held by attackers, sold narrowly on closed forums, or never disclosed by the breached company. Coverage is strong for publicly known events; assume your true exposure is higher.