# Have I Been Pwned MCP

> Have I Been Pwned MCP checks if your email or passwords were exposed in known data breaches. It connects your AI agent directly to the trusted HIBP database, allowing you to audit accounts and verify password safety against thousands of historical leaks. Check account involvement or discover details on a specific hack using this MCP.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** data-breach, cybersecurity, identity-protection, password-security, threat-intelligence, account-safety

## Description

This MCP lets your agent act as an instant digital security auditor. You stop guessing if your data is safe and start checking the record. It pulls real-time breach intelligence, verifying whether specific accounts were compromised or if passwords have appeared in public leaks.

Need to check a personal email? Use this MCP to run an account search against major breaches. Worried about old passwords? The system checks for password safety using k-anonymity, meaning your actual password never leaves your client and is always protected.

Beyond checking accounts, you can also use the tool to discover if information has been posted on public paste sites, or explore a full history of major data compromises. This capability puts deep threat intelligence right into your chat window, making complex security auditing simple. By connecting this MCP via Vinkius, you're giving your agent access to one of the internet's most trusted resources for protecting sensitive information.

## Tools

### check_password_safety
Checks if a password was ever found in a data breach using k-anonymity, keeping the actual password private.

### get_breach_details
Pulls specific information about one particular recorded data breach by its official name.

### list_all_breaches
Returns a complete catalog of every major data breach event currently documented in the system.

### search_account_breaches
Searches for all known breaches associated with a provided email address or account username.

### search_account_pastes
Checks public paste sites to see if an email or account name has been leaked there.

## Prompt Examples

**Prompt:** 
```
Has my email 'test@example.com' been involved in any breaches?
```

**Response:** 
```
Checking breaches for 'test@example.com'... I found 3 breaches: Adobe (2013), LinkedIn (2016), and Canva (2019). Leaked data includes: Email addresses, Passwords, Usernames.
```

**Prompt:** 
```
Is the password 'P@ssword123' safe to use?
```

**Response:** 
```
⚠️ **DANGER!** This password has appeared in **45,210** data breaches. You should **NEVER** use this password as it is easily guessable and publicly known.
```

## Capabilities

### Audit Account Breaches
Checks if a specific email or username appears in any recorded data breach.

### Find Public Paste Exposures
Scans public paste sites to see if an account name or email has been leaked there.

### Validate Password Safety
Confirms whether a password was ever compromised in a breach without transmitting the full password.

### List All Breach Events
Retrieves a comprehensive list of all major data breaches currently tracked by the service.

### Get Specific Breach Details
Fetches detailed information about one specific, named data breach event.

## Use Cases

### Vetting a New Client's Security
A consultant needs to advise a client about their overall digital risk. They ask the agent to run search_account_breaches on the client’s main corporate email, then use check_password_safety to test several key employee passwords. The MCP returns a clear report of all identified risks.

### Investigating an Old Hack
An IT professional remembers a breach from 2016 and wants to know exactly what was compromised. They call get_breach_details with the name of the hack and immediately get details on the data types stolen (passwords, phone numbers, etc.).

### Monitoring for Leaked Credentials
A researcher suspects an account might be floating around public forums. They use search_account_pastes to check if the user's email or name has appeared in any publicly accessible paste sites, providing a layer of defense beyond formal breaches.

### Building a Risk Report
A security analyst needs to document all potential risks for a client. They start by calling list_all_breaches to get the scope of known threats, then use search_account_breaches on the target account to narrow down relevant exposures.

## Benefits

- Immediate Risk Assessment: Quickly run account searches using search_account_breaches to see every breach an email has been part of. Stop guessing about your security status.
- Secure Password Testing: Use check_password_safety to validate if a password was leaked without sending the password itself over the wire. Your data stays protected.
- Comprehensive Tracking: Access the full history via list_all_breaches and get deep context on any specific event using get_breach_details, keeping you ahead of threat actors.
- Public Leak Detection: The search_account_pastes tool goes beyond breach databases by checking public paste sites for your leaked credentials or identity details.
- Single Source of Truth: Instead of hopping between multiple security websites, this MCP consolidates all necessary checks—breaches, pastes, and passwords—in one conversational flow.

## How It Works

The bottom line is you get instant, verifiable data on digital risk without having to visit a separate website or manage API calls manually.

1. Subscribe to this MCP on Vinkius and obtain your HIBP API Key.
2. Input the provided key into your AI client's configuration panel. This authorizes the connection for breach checking.
3. Ask your agent to 'check if X email was compromised,' or 'is Y password safe?' The MCP runs the query and returns the findings.

## Frequently Asked Questions

**How does Have I Been Pwned MCP work with my password?**
It uses k-anonymity when you run check_password_safety. This means the system checks if a password was found in a leak without ever sending your actual, full password to the server.
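
How a k-anonymity password check of the kind described in the Description and in this answer can work, modelled on the public Pwned Passwords range lookup (SHA-1 the password, send only the first 5 hex characters, match the returned suffixes locally). This is an added example, not this MCP's own code; `FakeRangeService`, its counts and the decoy entries are constructed so the block runs offline.

```python
import hashlib

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """Look for our suffix in a 'SUFFIX:COUNT' listing; 0 means not listed."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padding entries carry a count of 0
    return 0

def check_password(password: str, fetch_range) -> int:
    """fetch_range(prefix) is the only call that crosses the network."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))

class FakeRangeService:
    """Constructed stand-in for the remote service; records what it was sent."""

    def __init__(self, known: dict[str, int]):
        self.by_prefix: dict[str, list[str]] = {}
        self.seen: list[str] = []
        for pw, count in known.items():
            prefix, suffix = split_sha1(pw)
            self.by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix: str) -> str:
        self.seen.append(prefix)
        # Constructed decoys: another hash in the same range, and a padding row.
        decoys = ["0" * 35 + ":3", "F" * 35 + ":0"]
        return "\r\n".join(self.by_prefix.get(prefix, []) + decoys)

def demo():
    service = FakeRangeService({"P@ssword123": 45210})  # constructed count
    hit = check_password("P@ssword123", service.fetch)
    miss = check_password("correct horse battery staple 7!", service.fetch)
    return hit, miss, service.seen

if __name__ == "__main__":
    print(demo())
```

Only the 5-character prefix reaches `fetch`, so the service cannot tell which hash in that range was being checked. The property begins where the hash is computed: a password typed into a prompt has already been seen by the agent and by whatever host runs the tool.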

**Can I find out all data breaches with Have I Been Pwned MCP?**
Yes, you use the list_all_breaches tool. This gives you access to a comprehensive catalog of every major breach event recorded by the service.

**What is search_account_pastes useful for?**
It searches public paste sites specifically. This finds instances where your email or account may have been posted somewhere outside of formal, tracked data breaches.

**Do I need an API Key to use Have I Been Pwned MCP?**
Yes, you must provide a valid HIBP API Key during setup. This key authorizes your AI client to run the security checks against the live database.

**Which tool should I use if my email was compromised?**
Start with search_account_breaches. This is the most direct way to see all known breaches linked to that specific account or username.