How to Use the Have I Been Pwned MCP in Cursor

Q: What data privacy guarantees exist when checking passwords?

The checkpasswordsafety tool never transmits plain-text passwords. It hashes the string and sends only a five-character prefix to the API. Your local machine handles the final match against the returned suffix list.

Cursor checks your hardcoded credentials against real breach data via this MCP Server while you code.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Have I Been Pwned MCP to Cursor

Create your Vinkius account to connect Have I Been Pwned to Cursor and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Have I Been Pwned with Cursor

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Real-time credential checks

The `check_password_safety` tool tests passwords against the k-anonymity API directly inside your editor. When you are writing authentication logic, your agent can verify if your default test passwords are secure. It sends a partial hash and does the final comparison locally. Developers leave bad passwords in config files all the time. Cursor reads your environment variables and runs the check before you commit. You get immediate feedback on credential safety without leaving your workspace.

Investigate user exposure in Cursor

The `search_account_breaches` tool queries an email address to see if it exists in known data dumps. You can highlight a list of user emails in a JSON file and ask Cursor to check them. The agent returns a list of specific breaches for each account. If a user is flagged, the `get_breach_details` tool pulls the exact metadata for that incident. You see what data was stolen — passwords, IP addresses, or physical locations. This helps you build automated password reset triggers based on real threat data.

Build automated MCP Server defenses

The `list_all_breaches` tool outputs the global registry of compromised sites. You can use Cursor to generate a script that cross-references this list against your third-party vendors. The AI writes the code and uses the live API response to test it immediately. Paste sites are a massive blind spot for most teams. The `search_account_pastes` tool looks for plain-text dumps of your corporate emails. Integrating this into your incident response scripts means you catch credential leaks before attackers use them.

Setup guide

Set up Have I Been Pwned MCP in Cursor

Prerequisites

Cursor installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP Settings

Go to Cursor Settings → MCP or open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and search for "MCP: Add Server".
2

Add the Have I Been Pwned MCP

Cursor will create or open .cursor/mcp.json in your project root. Paste the JSON snippet on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Enable Agent mode

Open Composer (Cmd+I / Ctrl+I) and switch to Agent mode using the dropdown at the top. MCP tools are only available in Agent mode.
4

Verify the connection

Ask Cursor something like "List my recent Have I Been Pwned transactions." If the MCP tools are loaded correctly, Cursor will call the Have I Been Pwned tools automatically. You can also check Settings → MCP for a green status indicator.

.cursor/mcp.json

{
  "mcpServers": {
    "have-i-been-pwned-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Have I Been Pwned. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Have I Been Pwned now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Have I Been Pwned MCP in Cursor

Create an mcp.json file in your .cursor directory. Add the server configuration under mcpServers. Turn on Agent mode in your chat to start using the tools.

Only if you ask it to. You have to explicitly instruct the agent to read your environment file and verify the credentials.

Yes. You can ask Cursor to generate a Python script that calls the API. The agent can use the live tools to test the logic and ensure it handles rate limits correctly.

Test emails like admin@example.com are heavily abused and appear in thousands of breach dumps. The API simply reports historical facts. Use a unique domain for clean testing.

The check_password_safety tool never transmits plain-text passwords. It hashes the string and sends only a five-character prefix to the API. Your local machine handles the final match against the returned suffix list.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript