
How to check if you've been hacked

A step-by-step guide for checking your passwords and email addresses in known data breaches.

Why should you even check?
14 billion compromised accounts in the HIBP database
900+ known data breaches
85% of users reuse the same password across multiple services

Every year, hackers break into services and steal user databases. Those databases — containing emails, passwords, names — end up on the dark web and in publicly available breach databases.

If you've ever had an account on any online service, there's a real chance your data has leaked somewhere. The check takes 30 seconds and is completely free.
1. Password check — has it been leaked?
Use the Geslar security check — a built-in tool that checks whether your password has been found in known breaches.
Step 1: Enter your password
Open the Geslar security check and enter the password you want to check.
Step 2: Password is hashed locally
Your password is converted to a SHA-1 hash on your device. It never leaves your browser in plain text.
Step 3: k-Anonymity check
Only the first 5 of 40 characters of the hash are sent to the HIBP server. The server returns ~500 results, and the comparison is done locally.
Step 4: Results
You instantly find out if your password was found in breaches and in how many cases. If it was — change it immediately.
What is k-Anonymity? It's a privacy protocol that enables checking without revealing your password. The server never sees your password or its full hash — only the first 5 characters, which match hundreds of thousands of possible passwords. It's impossible to determine which one is yours.
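The four steps above, sketched as an added example (this is not Geslar's own code): the password is hashed locally, only the 5-character prefix is handed to the server, and the returned `SUFFIX:COUNT` rows are matched on the device. `FakeRangeServer` and its breach corpus are constructed stand-ins so the example runs offline; a real client would request the prefix from the HIBP range endpoint instead.

```python
import hashlib

PREFIX_LEN = 5  # of the 40 hex characters; the only part that is ever sent

def split_hash(password):
    """Hash locally; return (prefix to send, suffix that stays on the device)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdecimal():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """Return how many times the password appears; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

class FakeRangeServer:
    """Constructed offline stand-in for the range endpoint (hypothetical)."""
    def __init__(self, corpus):
        self.seen = []  # everything the "server" receives
        self.rows = {}
        for pw, count in corpus.items():
            prefix, suffix = split_hash(pw)
            self.rows.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(self, prefix):
        self.seen.append(prefix)
        unrelated = "0" * 35 + ":12"  # constructed row for some other password
        return "\r\n".join(self.rows.get(prefix, []) + [unrelated, "garbage"])

def demo():
    server = FakeRangeServer({"password": 3, "letmein": 7})  # constructed data
    results = {pw: breach_count(pw, server.fetch_range)
               for pw in ("password", "letmein", "c0rrect-h0rse-battery")}
    return results, server.seen

if __name__ == "__main__":
    print(demo())
```

`server.seen` holds everything the stand-in server received, so inspecting it confirms that only 5-character prefixes crossed the boundary.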
2. Email check — has it been in breaches?
Checking an email is different from checking a password. For email, there is no k-Anonymity protocol — you must send the full email address to the server to get results.

That's why Geslar doesn't perform this check locally. Instead, we redirect you to the official HaveIBeenPwned website by Troy Hunt — a trusted and respected security researcher.
Step 1: Open the check
On the Geslar security check, below the password check, enter your email address.
Step 2: Redirect
Clicking the button opens HaveIBeenPwned in a new tab with your email address. Geslar itself does not send any data.
Step 3: Review the results
HIBP displays a list of all known breaches where your email appears — including the service name, date, and type of data exposed.
Why an external site? Geslar follows a zero-knowledge privacy philosophy. Checking an email requires sending the entire address to a server — that's incompatible with the principle of "your data never leaves your device." That's why we're transparent and redirect to a trusted source.
What to do if you've been hacked?
1. Change your password
Immediately change the compromised password. Use the Geslar generator for a new, strong, unique password. Never recycle old passwords.
2. Enable 2FA
Activate two-factor authentication on the compromised account. Geslar has a built-in TOTP authenticator — add it right away.
3. Check other accounts
If you used the same password elsewhere — change it on those services immediately. This is priority number one.
4. Monitor suspicious activity
Check your email for unauthorized logins, bank transactions for suspicious charges, and social media for messages you didn't send.
How to protect yourself going forward
Rule 1: A unique password for every service.

If you use a password manager, this is automatic. Geslar generates random, strong passwords for every account — you don't need to remember any of them except your master password.
Rule 2: Always use 2FA.

On every service that supports two-factor authentication — enable it. Priority: email → bank → social media → everything else.
Rule 3: Check regularly.

Check your passwords and email every few months. The Geslar security check is free and takes 30 seconds.
Conclusion
Being "hacked" doesn't necessarily mean someone has accessed your account — but it does mean your data exists somewhere it shouldn't. Checking is the first step; taking action is the second.

Geslar gives you the tools for both — password breach checking, a strong password generator, a TOTP authenticator, and secure management of all your accounts.

Check your passwords now — for free and privately.


Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.