Pricing overview
HaveIBeenPwned (HIBP) provides an API to check whether email addresses (and, for particular breaches, other account identifiers) or passwords have appeared in known data breaches. Its pricing separates what is free for everyone from what requires a paid API key: the Pwned Passwords API and the public breach catalogue are free and need no key, while searching breaches by account is a subscription that buys a key with a per-minute request allowance. Individuals can cover their own needs with the free endpoints and the website's search, while organizations that integrate account lookups subscribe to a key sized for their request rate.
The core of HIBP's offering is its Breach API, which returns the breaches a given account appears in, and its Pwned Passwords API, which lets a client learn whether a password has been exposed without ever sending the password, using a k-anonymity range query. The paid tiers scale with the request rate an integration needs, from occasional internal checks to large-scale application integrations requiring high throughput.
HIBP publishes its prices on the API pricing page and defines the tiers in the API documentation, so a subscriber can pick the tier whose per-minute allowance matches the expected request rate. The combination of free endpoints and keyed tiers covers use cases from an individual's password check to integrating breach data into enterprise security platforms.
Plans and tiers
HaveIBeenPwned offers two kinds of access: endpoints that are free and need no key (Pwned Passwords, the breach catalogue, the website's own search), and a subscription API key that unlocks account-level breach and paste search at a tiered request rate. The paid offering is aimed at organizations integrating HIBP's data into their services or internal security processes, although any individual can buy a key.
Free Access
No account or subscription is needed for the Pwned Passwords API, which can be queried by anyone, for any purpose including commercial products, with no documented request quota; it is served through a CDN and built to absorb high volumes. The catalogue endpoints that list known breaches and the data classes they expose are likewise free, and the website search covers the one-off case of an individual checking their own address. What the free surface does not include is searching breaches by account through the API: that always requires a key. Free use is governed by HIBP's acceptable use policy rather than by a subscription, and comes with no support beyond the API documentation.
API key subscriptions (HIBP for Organisations)
For any party that needs to search breaches (or pastes) by account programmatically, whether a commercial entity, an educational institution or an individual, HIBP sells API keys on a subscription. Each tier grants a key with a fixed allowance of requests per minute; higher tiers raise that allowance, and the top of the range is handled as an enterprise arrangement. Prices are listed in US dollars on the HIBP API pricing page; the entry tier costs a few dollars per month and larger tiers cost proportionally more.
Because the quota is enforced per minute rather than per month, a subscriber sizes the tier by peak request rate, not by total monthly volume: a plan that allows a modest number of requests per minute still permits hundreds of thousands of lookups a month if they are spread evenly. Exceeding the allowance returns HTTP 429 with a retry-after header stating how long to wait, so a well-behaved client paces its requests and honours that header instead of retrying immediately. Every request must also carry the key in the hibp-api-key header and a descriptive user-agent; requests without a user-agent are rejected. These plans are intended for integrating HIBP data into applications, identity management systems, or security monitoring tools.
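The following is an added example of a keyed Breach API client, written for this page and not code from HIBP or its documentation. It sends the key and user-agent headers the API requires, treats 404 as "no breaches", waits for exactly the retry-after period on 429, and paces a batch to stay under a tier's per-minute allowance. The transport is injectable so the behaviour can be exercised offline; the key value, user-agent string and the responses in the demo are constructed, and the live transport uses only the standard library.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://haveibeenpwned.com/api/v3/"


class RateLimited(Exception):
    """Raised when the per-minute allowance is still exhausted after retries."""


def urllib_transport(url: str, headers: dict[str, str]):
    """Live transport: returns (status, lower-cased headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode("utf-8", "replace")


def breached_account(email, api_key, user_agent, transport=urllib_transport, max_retries=3, sleep=time.sleep):
    """Return the names of breaches containing `email` ([] when HIBP answers 404).

    The key travels in the hibp-api-key header and a descriptive user-agent is
    mandatory. A 429 carries retry-after in seconds; we wait exactly that long
    rather than hammering the endpoint, which only prolongs the block.
    """
    url = API_BASE + "breachedaccount/" + urllib.parse.quote(email)
    headers = {"hibp-api-key": api_key, "user-agent": user_agent}
    for attempt in range(max_retries + 1):
        status, resp_headers, body = transport(url, headers)
        if status == 200:
            return [breach["Name"] for breach in json.loads(body)]
        if status == 404:
            return []  # account not present in any breach
        if status == 429:
            if attempt == max_retries:
                raise RateLimited(f"still rate limited after {max_retries} retries")
            sleep(int(resp_headers.get("retry-after", "2")))
            continue
        if status == 401:
            raise PermissionError("API key rejected (401)")
        raise RuntimeError(f"unexpected HTTP {status}: {body[:200]}")
    raise RateLimited("retry loop exhausted")  # not reachable; keeps the return type honest


def check_many(emails, api_key, user_agent, requests_per_minute, transport=urllib_transport, sleep=time.sleep):
    """Check a batch while staying under the tier's per-minute allowance by
    spacing requests evenly instead of relying on 429 backoff."""
    gap = 60.0 / requests_per_minute
    results = {}
    for i, email in enumerate(emails):
        if i:
            sleep(gap)
        results[email] = breached_account(email, api_key, user_agent, transport=transport, sleep=sleep)
    return results


if __name__ == "__main__":
    # Offline demo: constructed responses, a 429 followed by a hit.
    scripted = iter([
        (429, {"retry-after": "2"}, ""),
        (200, {}, '[{"Name": "Adobe"}, {"Name": "LinkedIn"}]'),
    ])
    print(breached_account("test@example.com", "CONSTRUCTED-KEY", "example-app/1.0",
                           transport=lambda u, h: next(scripted), sleep=lambda s: print("sleeping", s)))
```

Sizing a tier from this: the `check_many` gap is the whole budgeting model, since the allowance is per minute; a monthly volume only matters once it is converted into the rate at which the job actually runs.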
The following table summarizes the key characteristics of HIBP's access tiers:
| Plan | Price (Approx.) | Key Limits / Features | Best For |
|---|---|---|---|
| Free (no key) | Free | Pwned Passwords API (k-anonymity range queries, no documented quota, commercial use allowed), public breach catalogue, website search | Individuals, password checks in any application, research tools |
| API key subscription | Tiered, in USD, from a few dollars/month | Breach and paste search by account; allowance in requests per minute fixed by tier; enterprise tier for the highest rates | Businesses, educational institutions, identity platforms, large-scale integrations |
Free tier and limits
HaveIBeenPwned's free access is not a capped trial but a set of endpoints that never require a key: the Pwned Passwords range API and the public breach catalogue. Both are usable by individuals and by commercial products alike, subject to the acceptable use policy.
There is no published monthly request quota on Pwned Passwords; the service is built to be hit at scale, and range responses are served with cache headers, so caching them client-side is the usual way to cut load and latency. The limit that matters is functional: searching breaches or pastes by email address through the API is not available without a paid key at any volume, so an application that needs account lookups must subscribe even if it makes only a handful of calls. The free endpoints come with no support channel; the API documentation is the reference.
The Pwned Passwords API uses a k-anonymity range query so that the full password, and even its full hash, never reach HIBP's servers. The client hashes the password with SHA-1 (NTLM hashes are also supported), sends only the first five hexadecimal characters of the hash to the range endpoint, and receives every hash suffix in the corpus that shares those five characters together with a prevalence count; it then looks for its own 35-character suffix in that list locally. Because each five-character prefix covers many hundreds of hashes, the server learns only which bucket was asked about, never which password. Clients can additionally request padding, in which case the response is topped up with dummy suffixes carrying a count of zero so that its size does not reveal how populous the bucket is; those zero-count entries must be ignored when matching. This design is the same whether or not the caller holds a paid key.
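The k-anonymity exchange above, as an added example written for this page (not HIBP's own code): the client derives the prefix and suffix, a fetch function is handed only the prefix, and the match happens locally over the parsed `SUFFIX:COUNT` lines, dropping padding entries with count 0. The sample range body and its counts are constructed for the demo and are not real HIBP figures; the user-agent string is an assumption.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo). Add-Padding asks HIBP to mix
    in dummy suffixes with count 0 so response size does not leak bucket size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"user-agent": "example-pwned-check/1.0", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries carry count 0 and are
    dropped so they can never be mistaken for a real match."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords (0 = not
    found). Only the hash prefix is handed to `fetch`; matching is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample of what /range/5BAA6 might return with padding enabled.
# Counts are illustrative only; the final line is a padding entry (count 0).
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A0DCA1A2E8E2FE2F9E09A6B2C2A60D1D6E:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample body."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` to query the live endpoint; nothing else changes, which is the point of keeping the network call behind a function that sees only the prefix.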
Users of the free endpoints are expected to comply with HIBP's acceptable use policy, which concerns how the service is used (no scraping of the website, an honest user-agent) rather than who uses it: commercial use of Pwned Passwords is welcome. Anything that needs account-level search, a guaranteed request rate, or a key to present in the hibp-api-key header is directed to the paid tiers. Details on endpoints, headers and rate limits are in the HaveIBeenPwned API documentation.
Real-world cost examples
Understanding the practical cost of using HaveIBeenPwned's API comes down to one question: does the integration need to search breaches by account, or only check passwords? Password checks are free at any scale; account searches require a key whose tier is set by peak requests per minute. Since only the tier prices are public, these examples describe the tier a scenario lands in rather than a quoted bill.
Scenario 1: Small Business Internal Security Audit
- Use Case: A small business wants to periodically check its employee email addresses against known breaches and implement a Pwned Passwords check for new user registrations. They anticipate around 5,000 email checks per month and 1,000 password checks.
- Plan: Entry-tier API key for the email checks; the Pwned Passwords checks need no key.
- Estimated Cost: A few US dollars per month for the entry tier (the pricing page carries the current figure). The 1,000 password checks cost nothing.
- Justification: Account search is unavailable without a key at any volume, so even 5,000 lookups a month need a subscription. Spread across the month that volume is well under one request per minute, so the smallest tier's per-minute allowance is more than enough; the checks only need to be paced rather than fired in one burst.
Scenario 2: Medium-sized Application with User Authentication
- Use Case: A SaaS application with 50,000 active users wants to implement real-time Pwned Passwords checks during login and password changes. They expect approximately 10,000 password checks daily (300,000 per month) and occasional email checks for administrative purposes.
- Plan: Pwned Passwords for the 300,000 monthly checks (free); an entry-tier API key for the occasional email checks.
- Estimated Cost: Only the key is billable, so this lands at the entry tier, a few US dollars per month, despite the large password-check volume.
- Justification: The password checks look like the expensive part of this workload but are exactly what the free, keyless range API is built for, and range responses can be cached to keep latency off the login path. The administrative email checks are low-volume, so the smallest per-minute allowance covers them. If the email checks later grew into bulk or continuous monitoring, the tier would need to rise with the peak request rate.
Scenario 3: Personal Password Manager Integration
- Use Case: An individual developer building a personal password manager for their own use wants to integrate the Pwned Passwords API to alert them if any of their stored passwords have been compromised. They anticipate checking a few hundred passwords occasionally.
- Plan: Pwned Passwords API (free, no key).
- Estimated Cost: Nothing.
- Justification: The range API is free for anyone, personal or commercial, and a few hundred checks are negligible against a service built for high volume. No key, account or subscription is involved.
Scenario 4: Large Enterprise Security Platform
- Use Case: A large enterprise integrates HIBP data into its security information and event management (SIEM) system, performing continuous monitoring of employee credentials and customer data. They anticipate millions of API calls per month across various services.
- Plan: Enterprise-tier API key for continuous account lookups, plus HIBP's domain search for monitoring every address on the company's own verified domains; password checks stay on the free range API.
- Estimated Cost: An enterprise arrangement whose price depends on the sustained request rate; the larger public tiers run from tens to a few hundred US dollars per month, and beyond them the terms are negotiated. Domain search is priced separately, by the size of the monitored domain, on the same pricing page.
- Justification: Millions of account lookups a month means a sustained rate of thousands per hour, beyond the standard tiers' per-minute allowances. Before buying rate, it is worth separating the workload: password checks cost nothing at any volume, employee addresses are better covered by domain search (one verified domain rather than one lookup per address per check), and only the remaining per-account queries need to be sized against a tier. The SIEM integration must also honour 429 responses and the retry-after header, since bursting past the allowance simply produces blocked requests.
How the pricing compares
HaveIBeenPwned's pricing model, particularly its free tier for personal use and subscription-based organizational plans, positions it distinctly within the breach detection and identity monitoring market. When comparing HIBP to alternatives, it's important to consider the scope of data, API capabilities, and target audience.
Free Tier Comparison
HIBP's free, keyless Pwned Passwords API and public breach catalogue are a significant differentiator. Enterprise products such as SpyCloud, and MSP-channel monitoring products such as Dark Web ID, do not offer a publicly accessible free API tier for developers to integrate; their offerings are sold through direct sales engagement.
For individuals, consumer identity protection services such as IdentityForce or Experian IdentityWorks offer dark web monitoring as part of a broader subscription package rather than a standalone API for programmatic checks. HIBP's free endpoints let individual developers and researchers build tools or perform checks without an upfront financial commitment, a model uncommon among its direct commercial competitors.
Organizational Pricing Comparison
For organizations, HIBP's subscription model, priced in US dollars with an entry tier costing a few dollars per month and higher tiers buying a larger per-minute allowance, provides programmatic access to its breach data. This contrasts with alternatives that use different pricing structures:
- SpyCloud: Primarily focuses on enterprise-grade solutions for account takeover prevention and dark web monitoring. Their pricing is typically custom and based on factors like the number of employees, monitored assets, and desired features, often requiring a direct sales consultation. This positions SpyCloud for larger organizations with more complex security needs and budgets.
- Dark Web ID and consumer identity-protection services: Dark Web ID is sold through managed service providers as a monitoring product for their customers' domains, while services such as IdentityForce bundle dark web monitoring into identity theft protection sold per user, often as an employee benefit. Neither positions a public API for external applications the way HIBP does; pricing is per monitored entity or per user rather than per request rate.
- Commercial API Providers: Other API providers in the broader security or identity space, such as email validation or threat intelligence vendors, commonly use consumption-based pricing (per API call, often quoted per 1,000 calls) or tiered subscriptions, which gives granular cost control but a variable bill. HIBP's per-minute tiers give a fixed monthly cost for a given peak rate, which is easier to budget for stable usage but means paying for headroom that is idle most of the month.
Data Scope and Focus
HIBP's primary focus is publicly disclosed data breaches and compromised passwords; its value is the aggregation and accessibility of that specific dataset. Alternative services may offer broader threat intelligence, proactive monitoring, or integrated remediation that extends beyond HIBP's core offering, for example platforms that combine several threat feeds with alerting and incident-response workflow, which represent a different scope and a correspondingly different pricing model.
In summary, HIBP provides a cost-effective, developer-friendly entry point to breach data, particularly through its free, keyless Pwned Passwords API. For organizations, its per-minute subscription tiers give predictable costs for integrating account lookups, while alternatives cater to broader enterprise needs with custom or per-unit pricing that may include more comprehensive identity protection or threat intelligence services.