Have I Been Pwned MCP. Audit your accounts against known data breaches.
Have I Been Pwned MCP Server checks if your email or username has appeared in public data breaches or paste sites.
It lets your AI client verify password safety using k-anonymity, search for account involvement in specific breaches, and list all known data breaches.
It's a full audit trail for digital security.
What your AI agents can do
Check password safety
Checks if a password has appeared in a data breach using k-anonymity, meaning the server never sees your full password.
Get breach details
Retrieves specific information about a known data breach using its name.
List all breaches
Returns a complete list of all data breaches currently tracked by the service.
Find all known data breaches associated with a specific email or username.
Check if an email or username appears in public, unmanaged paste sites.
Confirm if a password has appeared in a breach without sending the full password to the server.
Retrieve details about a known data breach, such as the date or type of data compromised.
Get a catalog of every data breach recorded in the system.
Have I Been Pwned MCP Server: 5 Tools for Breach Analysis
Use these tools to audit accounts, check passwords, and catalog data breaches against known security leaks.
check password safety
Checks if a password has appeared in a data breach using k-anonymity, meaning the server never sees your full password.
get breach details
Retrieves specific information about a known data breach using its name.
list all breaches
Returns a complete list of all data breaches currently tracked by the service.
search account breaches
Finds all data breaches that an email address or username has been involved in.
search account pastes
Looks for public paste sites that contain your specific email or username.
What you can do with this MCP connector
Have I Been Pwned MCP Server gives your AI client the ability to audit your digital security. It lets you check if your email or username got dumped in a public data breach or paste site. You can verify password safety using k-anonymity, search for specific account involvement in breaches, and pull a list of every known data breach.
How Have I Been Pwned MCP Works
1. First, subscribe to the server and provide your HIBP API Key.
2. Next, ask your AI client to run a specific check—for example, 'Check if my email was in any breaches.'
3. The server runs the appropriate tool, returns a list of breaches, and summarizes the compromised data types.
The bottom line is that you get a structured, actionable report on your account's security history.
Who Is Have I Been Pwned MCP For?
Security-conscious users, IT professionals, and researchers who need to audit digital safety. You're the person who finds a weird email and suddenly gets paranoid about credentials. You need to know if that email is tied to a breach, or if the password you used for an old forum is floating around on Pastebin.
Uses list_all_breaches to map the scope of historical data compromises and runs search_account_breaches to audit specific domains.
Runs search_account_breaches across corporate domains to identify widespread account exposure.
Uses check_password_safety to validate if a password is safe before recommending it to a client.
What Changes When You Connect
- Check if your email was involved in breaches with `search_account_breaches`. You get a clear list of every compromised breach and what data was stolen.
- Verify credentials instantly using `check_password_safety`. It checks for breaches without sending your actual password to the server.
- Discover if your info is public with `search_account_pastes`. This tool finds your email or username on public paste sites, which is a major risk.
- Get the full scope of leaks with `list_all_breaches`. This gives you a complete catalog of major breaches, letting you understand the threat landscape.
- Understand the damage with `get_breach_details`. Instead of just a name, this tool tells you exactly what kind of data—passwords, emails, or phone numbers—was exposed in that breach.
Real-World Use Cases
Responding to a suspected leak
A security analyst gets a vague warning about a potential leak. They ask their agent to run search_account_breaches on the affected domain. The agent finds three breaches (e.g., Adobe, LinkedIn) and reports the specific data types compromised (emails, usernames, passwords), giving the analyst immediate action points.
Auditing a new employee's accounts
An IT professional needs to vet a new user's digital footprint. They ask their agent to run search_account_breaches and then search_account_pastes on the user's email. The agent combines the results, showing both the known breaches and any public postings, ensuring a full audit trail before granting access.
Testing password strength before deployment
A developer wants to enforce strong password policies. They use check_password_safety on a candidate password. The agent immediately flags the password if it's found in any breach, allowing the developer to enforce a policy that prevents easily guessed or leaked credentials.
Researching industry trends
A researcher wants to understand the impact of major hacks. They call list_all_breaches to get the full catalog. Then they use get_breach_details on a specific entry, like 'Equifax,' to analyze precisely what kind of PII was stolen and how severe the breach was.
The Tradeoffs
Only checking account breaches
Assuming that just checking search_account_breaches is enough. The user gets a list of breaches but ignores the fact that the account details might be floating on Pastebin.
→
You must run both search_account_breaches AND search_account_pastes on the same account. This covers both the recorded data breaches and the uncontrolled, public dumps of information.
Checking passwords one by one
Manually testing passwords for safety. This is slow, and the user often forgets to test the most critical or oldest accounts.
→
Use check_password_safety for batch checks. It validates passwords against known breaches using k-anonymity, making the process fast and safe.
Ignoring breach context
Seeing a breach listed but not knowing what was stolen. The user just knows 'LinkedIn 2016' happened, but doesn't know if their email or just their name was involved.
→
Always follow up with get_breach_details for any specific breach. This gives you the necessary context to judge the actual risk level.
When It Fits, When It Doesn't
Use this server if your goal is forensic audit: proving what was compromised and when. You need a verifiable, historical record of data leaks, whether from a major corporate breach or a public paste site. Don't use it if you just need to know if a password is strong; use a dedicated password manager's checker instead. If you are trying to understand general cyber threat trends, running list_all_breaches provides scope, but you still need to narrow down the risk using search_account_breaches and search_account_pastes to get actionable data on a specific person or domain.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Have I Been Pwned. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 5 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Finding out what data got leaked shouldn't take 10 clicks.
Today, checking your digital footprint means jumping between three different sites: the breach tracker, the paste site search, and the password strength checker. You copy your email to the first site, then copy it to the second. You check one password, then you have to check the next one, repeating the copy-paste cycle until you're tired. It's a manual, error-prone mess.
With the Have I Been Pwned MCP Server, you tell your agent once. It runs `search_account_breaches` and `search_account_pastes` automatically on your email. You get a single, consolidated report showing every known breach and any public dump, giving you the full picture instantly.
Password Safety Check: Use `check_password_safety`.
Before, verifying a password's safety meant guessing if it was too common or if it appeared in a breach. You had to manually check external sites, which was unreliable and often incomplete. It was guesswork, really.
Now, you just ask your agent to run `check_password_safety`. It runs the check using k-anonymity and tells you if that password appeared in a breach, without ever sending the actual password to the server. It's definitive.
Common Questions About Have I Been Pwned MCP
How does `search_account_breaches` work?
It searches for all breaches an email or username was involved in. It doesn't check if the breach was recent; it pulls data from the entire history of recorded incidents.
Is `check_password_safety` secure?
Yes, it is secure. The tool uses k-anonymity, meaning your full password is never sent to the server. It only verifies the pattern against known leaks.
Can I use `search_account_pastes` for multiple accounts?
You can run it multiple times in sequence. It searches for public pastes containing your specified email or account name.
What is the difference between `list_all_breaches` and `search_account_breaches`?
`list_all_breaches` gives you a list of every breach recorded. `search_account_breaches` filters that list down to only the breaches that apply to your specific account.
What kind of data does `get_breach_details` provide?
It gives specific context on a single breach. You learn what was stolen—was it just an email, or did it include usernames and passwords?
How do I handle rate limits when using `search_account_breaches`?
The server adheres to standard rate limiting practices. If you exceed the allowed calls, your AI client will receive a 429 error, telling you exactly when you can try again. It's built to handle high volume, but you should respect the API's limits.
What data can I expect when running `search_account_pastes`?
The tool returns findings from public paste sites. You'll get results listing the specific public paste URLs and the context surrounding your email or account name found there. It only reports what's publicly available.
Does `check_password_safety` require an API key?
No, the password safety check does not require an API key. You simply pass the password to the tool, and it runs the k-anonymity search directly. It's designed to be simple and secure for quick checks.
Is it safe to check my password using this tool?
Yes. This agent uses the K-Anonymity model. Only the first 5 characters of your password's SHA-1 hash are sent to the HIBP server. The full password or full hash never leaves your local environment, making it cryptographically safe.
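The k-anonymity exchange described above, shown from both sides as an added example (not code from Vinkius or Have I Been Pwned): the client hashes locally, sends only the 5-character SHA-1 prefix, and matches the 35-character suffix itself. `FakeRangeServer`, `SAMPLE_CORPUS` and the function names are hypothetical, and the sample data is constructed so the block runs offline.

```python
import hashlib

# Constructed sample corpus standing in for the breach database (counts are made up).
SAMPLE_CORPUS = {"password": 42, "letmein": 7, "qwerty123": 3}

def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

class FakeRangeServer:
    """Hypothetical stand-in for the remote range service; logs what it receives."""
    def __init__(self, corpus):
        self.index = {}
        for pw, count in corpus.items():
            prefix, suffix = split_sha1(pw)
            self.index.setdefault(prefix, []).append((suffix, count))
        self.seen = []  # every value the "server" was ever sent

    def fetch_range(self, prefix):
        self.seen.append(prefix)
        rows = list(self.index.get(prefix, []))
        rows.append(("0" * 35, 0))  # padding-style decoy row with count 0
        return "\r\n".join(f"{s}:{c}" for s, c in rows)

def parse_range_body(body):
    """Parse SUFFIX:COUNT lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Client side: send only the prefix, compare the suffix locally."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    server = FakeRangeServer(SAMPLE_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, server.fetch_range))
    print("server saw only:", server.seen)
```

The guarantee applies from the point where the hash is computed, so `split_sha1` has to run on the machine that holds the password; anything upstream of it sees the plaintext.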
Where can I get an API Key?
You can purchase an API key directly from the HIBP website. It requires a small monthly subscription to prevent mass scraping and abuse.