ExpressVPN Keys lets you check if your email address was included in any data breach, and if any other personal information was exposed with it. The source of the information is HaveIBeenPwned, a service that tracks and reports on data breaches worldwide.

Data breaches happen frequently and can affect any service—from local small businesses to popular, reputable social-media platforms like LinkedIn or Twitter. If your email was found in a data breach, other personal information including your password or payment details may be exposed as well.

To secure your personal information, you are advised to check if your email has been exposed in data breaches. If so, update the password of the compromised account as well as of any other accounts that use the same compromised password. It is also a good practice to store the updated logins in ExpressVPN Keys, which can help you generate strong and unique passwords to keep them safe.

Check if your email has been exposed in data breaches

If you have already started using ExpressVPN Keys, follow these steps:

  1. In the ExpressVPN app, tap the Keys tab.
  2. Unlock ExpressVPN Keys.
  3. At the top-right, tap + > Check For Data Breaches.
  4. Enter your email, then tap Check This Email.
  5. Tap an account affected by a data breach.
  6. Tap Help Me Fix.
  7. Update your password and add the login to Keys.

If you have not added any logins to ExpressVPN Keys yet, tap Check for data breaches on the main Keys screen and follow the instructions.

Privacy with “Check for Data Breaches”

ExpressVPN Keys lets you check whether an email address was found in a data breach aggregated by HaveIBeenPwned. This process is safe and does not violate your privacy or expose your personal details.

Your email address is never sent to ExpressVPN or HaveIBeenPwned

To protect your privacy, ExpressVPN Keys never sends your email address to its servers or to HaveIBeenPwned’s when checking if it appeared in data breaches:

  1. ExpressVPN Keys creates a 40-character hash of your email address, which is an unintelligible string of characters representing it.
  2. Keys then transmits the first six characters of the hash to HaveIBeenPwned, ensuring that HaveIBeenPwned never gets the full 40-character hash representing your email address.
  3. HaveIBeenPwned then returns all the hashes of email addresses that start with the same first six characters as yours, and the corresponding data breaches.
  4. Finally, ExpressVPN Keys checks, on your device, if any of the received hashes matches your email address, before displaying the results.

Your IP address is never sent to HaveIBeenPwned

To further protect your privacy, your IP address is never visible to HaveIBeenPwned.

When you check for data breaches, your request first goes through the secure servers of ExpressVPN Keys before being forwarded to HaveIBeenPwned, and back through the same route.

Need help? Contact the ExpressVPN Support Team for immediate assistance.

Back to top


Was this article helpful?

We're sorry to hear that. Let us know how we can improve.

A member of our Support Team will follow up on your issue.