How to Find Out If Your Data Has Been Sold or Leaked

Your data leaves you in two very different ways: it's stolen in a breach, or it's sold — legally — by data brokers who compiled it. Checking for each takes different tools. None gives a complete picture alone, but stacked together they tell you a surprising amount about where your information has ended up.

Updated July 2, 2026

Sold vs leaked — two different problems

'Leaked' means a company you dealt with was breached and your data escaped without anyone's permission. 'Sold' or 'shared' means data brokers legally collected details about you — from public records, loyalty programmes, apps, and other brokers — and packaged them for sale to advertisers, insurers, and background-check sites.

You check for breaches with breach-notification tools. You check for brokered data by searching broker sites and using your legal 'right to know'. Do both.

Step 1 — Check for known breaches (free)

Start with breach databases, which catalogue leaks that have already been made public:

  • Have I Been Pwned — run by security researcher Troy Hunt, it checks your email or phone number against billions of records from known breaches, and shows exactly which companies exposed you.
  • Mozilla Monitor (formerly Firefox Monitor) — uses the same breach data and can alert you to future leaks.
  • Your browser and OS: Chrome, Edge, and Apple's iCloud Keychain all include password-checkup features that warn when your saved credentials appear in a known breach.

Step 2 — Search the data brokers holding you

'People-search' brokers publish startling amounts about ordinary people — addresses, relatives, phone numbers, ages. Search your own name on the big ones to see your public listing:

  • People-search sites such as Spokeo, Whitepages, BeenVerified, Intelius, and Radaris — search your name and location to see what's exposed.
  • Larger marketing brokers such as Acxiom, Epsilon, and LiveRamp operate behind the scenes; you won't see a public profile, but you can file a 'right to know' request (Step 4).

Step 3 — Run a dark-web / exposure report

Several services scan breach dumps and broker sites and summarise your exposure in one place:

  • Google's 'Results about you' finds search results containing your contact details and can alert you to new ones; Google's dark-web report scans breach data for your info.
  • Mozilla Monitor Plus, and identity-monitoring features bundled with many banks, credit cards, and antivirus suites, scan broker and breach sources on a schedule.

Step 4 — Use your legal 'right to know'

Privacy laws let you force companies to disclose what they hold and whether they've sold it — the most authoritative source of all.

  • In California, the CCPA/CPRA gives you the right to know what personal information a business collected, the categories of third parties it was shared with, and whether it was sold or shared.
  • In the EU and UK, the GDPR's right of access (a Data Subject Access Request) requires organisations to tell you what data they hold about you and who it was disclosed to.
  • Ask advertising platforms directly: Google, Meta, and others let you download 'your data' and view interest and audience labels that reveal how you've been categorised and targeted.

Warning signs your data is already circulating

  • A surge in spam calls, texts, or phishing emails that use your real name or recent purchases.
  • Password-reset or login alerts for accounts you didn't try to access.
  • Your details appearing on a people-search site you never signed up for.
  • Ads that reference something you only did offline or in a private conversation with one company.

Frequently asked questions

Is there one website that tells me everywhere my data has been sold?
No single tool is complete. Breach checkers like Have I Been Pwned cover leaks; people-search sites and exposure reports cover brokered data; and legal 'right to know' requests under the CCPA or GDPR force companies to disclose what they hold and who they shared it with. Use all three to build the fullest picture.

Is checking these breach and broker sites safe?
Reputable breach checkers like Have I Been Pwned and Mozilla Monitor only need your email or phone and don't ask for passwords — those are safe. Be cautious with unknown 'free scan' sites that demand lots of personal detail or payment up front; some are themselves data brokers harvesting more about you.
