Have I Been Pwned MCP. Audit Your Digital Footprint for Leaks and Breaches
Have I Been Pwned MCP checks if your email or passwords were exposed in known data breaches. It connects your AI agent directly to the trusted HIBP database, allowing you to audit accounts and verify password safety against thousands of historical leaks. Check account involvement or discover details on a specific hack using this MCP.
Claude 
ChatGPT 
Cursor 
Gemini 
Windsurf 
VS Code 
JetBrains 
Vercel Give Claude and any AI agent real-world access
Checks if a specific email or username appears in any recorded data breach.
Scans public paste sites to see if an account name or email has been leaked there.
Confirms whether a password was ever compromised in a breach without transmitting the full password.
Retrieves a comprehensive list of all major data breaches currently tracked by the service.
Fetches detailed information about one specific, named data breach event.
Ask an AI about this
Waiting for input…
What AI agents can do with Have I Been Pwned: 5 Security Tools
These tools let you run deep security audits, checking for compromised credentials, listing all known hacks, and searching for leaked information on public paste sites.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Start using Have I Been Pwned MCPCheck Password Safety
Checks if a password was ever found in a data breach using k-anonymity, keeping the actual password private.
Get Breach Details
Pulls specific information about one particular recorded data breach by its official...
List All Breaches
Returns a complete catalog of every major data breach event currently documented in...
Search Account Breaches
Searches for all known breaches associated with a provided email address or account...
Search Account Pastes
Checks public paste sites to see if an email or account name has been leaked there.
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Claude AI
Open Claude Settings
Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
Add Custom Connector
Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL:
https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp
Replace [YOUR_TOKEN_HERE] with your token
from cloud.vinkius.com. For OAuth-protected servers, expand
Advanced settings to add credentials.
Start a conversation
Open a new chat. The Have I Been Pwned integration is available immediately — no restart needed.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Have I Been Pwned, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Have I Been Pwned. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on each call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
The Constant Fear of Digital Compromise
Right now, checking your digital safety feels like detective work. You have to copy-paste emails into one tool, run a password through another service that uses different rules, and then manually cross-reference those results with public paste sites. It's exhausting, time-consuming, and you always feel like you’re missing some crucial piece of data.
With this MCP, the process is conversational. You describe your security concern—like checking if an old password was exposed or if a specific email was involved in a major hack—and your agent executes all necessary checks behind the scenes. It delivers a single, consolidated report telling you exactly what's safe and what needs immediate attention.
Access Breach Data with Have I Been Pwned MCP
The specific manual steps that disappear are the repeated copy-pasting of emails, the need to manually visit different breach databases, and the uncertainty about whether an old password is truly safe. Your agent handles all those calls for you.
Now, auditing your digital life is a direct question you ask your AI client. It's not a multi-step process; it’s just checking account safety using search_account_breaches or verifying credentials with check_password_safety.
What Have I Been Pwned MCP does for your AI
This MCP lets your agent act as an instant digital security auditor. You stop guessing if your data is safe and start checking the record. It pulls real-time breach intelligence, verifying whether specific accounts were compromised or if passwords have appeared in public leaks.
Need to check a personal email? Use this MCP to run an account search against major breaches. Worried about old passwords? The system checks for password safety using k-anonymity, meaning your actual password never leaves your client and is always protected.
Beyond checking accounts, you can also use the tool to discover if information has been posted on public paste sites, or explore a full history of major data compromises. This capability puts deep threat intelligence right into your chat window, making complex security auditing simple. By connecting this MCP via Vinkius, you're giving your agent access to one of the internet's most trusted resources for protecting sensitive information.
019d8445-c874-716e-8a3f-39896e5f1e63 
How to set up Have I Been Pwned MCP
The bottom line is you get instant, verifiable data on digital risk without having to visit a separate website or manage API calls manually.
First, subscribe to this MCP on Vinkius and obtain your HIBP API Key.
Second, input the provided key into your AI client's configuration panel. This authorizes the connection for breach checking.
Third, simply ask your agent to 'check if X email was compromised,' or 'is Y password safe?' The MCP runs the query and returns the findings.
Who uses Have I Been Pwned MCP
Anyone dealing with sensitive PII (Personally Identifiable Information) needs this. Security analysts and IT professionals use it daily to check for corporate domain compromises, while privacy advocates rely on its breach history data to advise clients.
Runs the list_all_breaches tool to track emerging threat vectors or uses search_account_breaches to vet a company's domain integrity after an incident.
Guides clients through checking password safety and running account searches for personal leaks, explaining the risk level of compromised data.
Verifies if corporate user accounts or internal system credentials have been exposed in public breaches using search_account_breaches.
Benefits of connecting Have I Been Pwned MCP
Immediate Risk Assessment: Quickly run account searches using search_account_breaches to see every breach an email has been part of. Stop guessing about your security status.
Secure Password Testing: Use check_password_safety to validate if a password was leaked without sending the password itself over the wire. Your data stays protected.
Comprehensive Tracking: Access the full history via list_all_breaches and get deep context on any specific event using get_breach_details, keeping you ahead of threat actors.
Public Leak Detection: The search_account_pastes tool goes beyond breach databases by checking public paste sites for your leaked credentials or identity details.
Single Source of Truth: Instead of hopping between multiple security websites, this MCP consolidates all necessary checks—breaches, pastes, and passwords—in one conversational flow.
Have I Been Pwned MCP use cases
Vetting a New Client's Security
A consultant needs to advise a client about their overall digital risk. They ask the agent to run search_account_breaches on the client’s main corporate email, then use check_password_safety to test several key employee passwords. The MCP returns a clear report of all identified risks.
Investigating an Old Hack
An IT professional remembers a breach from 2016 and wants to know what exactly was compromised. They use get_breach_details, specifying the name of the hack, immediately getting details on data types stolen (passwords, phone numbers, etc.).
Monitoring for Leaked Credentials
A researcher suspects an account might be floating around public forums. They use search_account_pastes to check if the user's email or name has appeared in any publicly accessible paste sites, providing a layer of defense beyond formal breaches.
Building a Risk Report
A security analyst needs to document all potential risks for a client. They start by calling list_all_breaches to get the scope of known threats, then use search_account_breaches on the target account to narrow down relevant exposures.
Have I Been Pwned MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Checking only emails
A user asks the agent, 'Is my email safe?' and stops there. This only checks account breaches but ignores potential password leaks or public posts.
To audit completely, use search_account_breaches for the email, then immediately run check_password_safety on multiple strong passwords to cover both accounts and credentials.
Assuming current safety
A user thinks because their password hasn't been found in a major breach yet that it is safe forever.
Run check_password_safety regularly. Even if not listed today, this MCP allows you to verify against the massive growing database of known compromises.
Ignoring public leaks
A user only checks formal breach databases and misses data posted on niche forums or paste sites.
Always use search_account_pastes to catch information that might be leaked outside of major, tracked corporate breaches.
When to use Have I Been Pwned MCP
Use this MCP if your primary need is verifiable threat intelligence regarding compromised credentials and identity data. You must check what was breached (search_account_breaches) and if a password has been compromised (check_password_safety). Don't use it if you just want to know general industry trends; for that, the list_all_breaches tool is sufficient. If your goal is to manage tickets or update customer records, this MCP is useless—you need a dedicated CRM integration instead. This is purely an intelligence and auditing layer.
Frequently asked questions about Have I Been Pwned MCP
How does Have I Been Pwned MCP work with my password? +
It uses k-anonymity when you run check_password_safety. This means the system checks if a password was found in a leak without ever sending your actual, full password to the server.
Can I find out all data breaches with Have I Been Pwned MCP? +
Yes, you use the list_all_breaches tool. This gives you access to a comprehensive catalog of every major breach event recorded by the service.
What is search_account_pastes useful for? +
It searches public paste sites specifically. This finds instances where your email or account may have been posted somewhere outside of formal, tracked data breaches.
Do I need an API Key to use Have I Been Pwned MCP? +
Yes, you must provide a valid HIBP API Key during setup. This key authorizes your AI client to run the security checks against the live database.
Which tool should I use if my email was compromised? +
Start with search_account_breaches. This is the most direct way to see all known breaches linked to that specific account or username.