According to a post published on the Sophos website, to check whether your email addresses are in this cache (or any previous breach discovery), run a search using HIBP. If your email address was found in a breach where passwords were also stolen, such as the massive LinkedIn breach in 2012, then change your password for that site, if you haven’t already.
Of course, the sooner you change your password the better. If you’re changing your password now for a breach that happened in 2012, you have to expect that most of the damage has already been done (you should still change it though).
You can give yourself a chance to respond in a timelier fashion by signing up for email alerts about future compromises, or by using a browser or password manager that integrates with HIBP.
If you want to test if your go-to passwords have been involved in any breaches, HIBP has a search tool for that too – Pwned Passwords. You enter a password and the site tells you if it’s appeared in any breaches.
For example, a Pwned Passwords search revealed that the incredibly weak password ‘elvispresley’ has appeared 3,800 times in its database, which means that anyone using it should use something else ASAP.
What it won’t tell you is where the password was found. If a password you enter turns out to have been compromised but you don’t know which sites you used it on… then you’re left guessing.
(Incidentally, if you’re worried about the security of entering current passwords on a website to see whether they’ve been breached or used previously by someone else, read this explanation of how they are checked securely using something called k-anonymity.)
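The k-anonymity check mentioned above, as an added example (not code from the Sophos post or from HIBP): the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally. `ConstructedRangeService` is a hypothetical offline stand-in for the service; its corpus, counts and decoy rows are constructed.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class ConstructedRangeService:
    """Offline stand-in for the breach service (hypothetical; constructed data)."""
    def __init__(self, corpus: dict[str, int]):
        self.by_hash = {sha1_hex(pw): n for pw, n in corpus.items()}
        self.seen = []  # everything the "server" ever receives from clients

    def range(self, prefix: str) -> str:
        self.seen.append(prefix)
        rows = {h[5:]: n for h, n in self.by_hash.items() if h.startswith(prefix)}
        # Constructed decoys: unrelated hashes filed under the same prefix, so the
        # server cannot tell which row (if any) the client is interested in.
        for i in range(3):
            rows[sha1_hex(f"decoy-{prefix}-{i}")[5:]] = i + 1
        return "\r\n".join(f"{s}:{n}" for s, n in sorted(rows.items()))

def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears, revealing only a 5-char hash prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)            # only these 5 hex chars leave the client
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:   # the match is decided locally
            return int(count)
    return 0                              # suffix absent: not in the corpus

# Constructed corpus; 3800 echoes the count the article quotes for this password.
SERVICE = ConstructedRangeService({"elvispresley": 3800, "letmein": 12})

def demo() -> dict:
    return {
        "elvispresley": pwned_count("elvispresley", SERVICE.range),
        "unlisted": pwned_count("correct horse battery staple 7!", SERVICE.range),
        "server_saw": list(SERVICE.seen),  # five-character prefixes only
    }

if __name__ == "__main__":
    print(demo())
```

To query a live service instead, pass a function that fetches the range for a prefix in place of `SERVICE.range`; the client-side logic is unchanged.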
To give your passwords the best possible chance of not appearing on Pwned Passwords, use a properly secured password manager that will create and store secure passwords.