Data Breach Risk Score

A quick self-assessment of how exposed your accounts are to the next breach. Twelve questions about how you actually use passwords, 2FA, software updates and email. You get a score out of 100, a category from Low to Critical, and a prioritised fix list ranked by impact, not generic advice. All scoring happens in your browser. Your answers don't leave the page.

Explain like I'm 5 (what even is this calculator?)

Imagine your online life as a row of doors. Each door is an account. Some doors share a key (you reused the password). Some doors have a deadbolt (2FA). Some are propped open by an unpatched window (no software updates). This tool walks down the row, counts the dodgy doors, and tells you which one to fix first. Lower score is better. Zero is paranoia-tier. A hundred is "you might already be in someone's spreadsheet".

Self-assessment

Reassurance: All scoring happens in your browser. Your answers don't leave the page. There are no API calls and no analytics on the answers themselves.

1. Your account footprint
2. Passwords
3. Two-factor authentication
4. Email hygiene
5. Devices and software
6. Phishing awareness check

What actually drives breach risk in 2026

The honest answer, the one that does not sell antivirus subscriptions, is that almost everything boils down to three attack patterns: credential stuffing, phishing, and infostealer malware. Get those three under control and your breach exposure drops by an order of magnitude. Ignore them and the rest of the security theatre is window dressing.

Credential stuffing

When a website is breached, the leaked username and password pairs are dumped, sold, and within hours fed into bots that try them against every other major site. If you reused that password anywhere, those accounts fall too. This is why password reuse and "no password manager" weigh so heavily here. The fix is a password manager plus unique generated passwords, every time. Boring, effective, free.

Phishing-as-a-service

Phishing kits are now sold as polished SaaS products with templates, hosting, and bypasses for common 2FA flows. The convincing ones look identical to the real login page. The defence is reflex: never log in by clicking a link in an email or message. Open a new tab, type the address by hand, log in there. If something genuinely needs your attention, it will still be waiting once you're logged in directly.

Infostealer malware

This is the one that is quietly murdering corporate accounts in 2026. A user installs a "free" tool, a cracked plugin, or clicks a poisoned ad. The malware sits on the machine and exfiltrates every saved browser password, cookie and session token. Two days later someone is logged in as them, with the cookie that bypasses 2FA entirely. Mitigations: keep the OS and browser fully patched (auto-update is your friend), don't store passwords in the browser when a manager will do it better, and treat anything you download with the same suspicion you would a stranger's USB stick.

Why the password manager plus 2FA combo is the single biggest lever

Pick one move and only one. It is "use a password manager and turn on 2FA on your email." That single combination defeats credential stuffing (because every password is unique), most phishing (because the manager will not auto-fill a near-miss domain), and many infostealer payoffs (because even if the password is leaked, 2FA blocks the login). Everything else in this calculator matters, but if you only do one thing, do that.
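The near-miss domain point above, as an added example (not code from this calculator or from any particular password manager): a simplified autofill rule that releases a saved credential only on an exact HTTPS origin match. The vault layout, function names and every hostname are constructed for illustration, and real managers use matching rules that vary.

```javascript
// Added example: strict origin matching for credential autofill.
// The vault format and all hostnames are constructed, not real data.
const vault = [
  { origin: "https://accounts.example.com", username: "alice" },
];

// Return the page's origin, or null if it is unparseable or not HTTPS.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === "https:" ? u.origin : null; // never fill over plain HTTP
  } catch {
    return null; // malformed URL: refuse rather than guess
  }
}

// Return the saved entry for this page, or null when nothing matches exactly.
function credentialFor(pageUrl, entries = vault) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return entries.find((e) => e.origin === origin) ?? null;
}

// Constructed test pages: one genuine login URL and several near misses.
const pages = [
  "https://accounts.example.com/login?next=%2Fhome", // genuine
  "https://accounts.example.com:443/login",          // genuine, default port
  "http://accounts.example.com/login",               // downgraded scheme
  "https://accounts.example.com:8443/login",         // different port
  "https://accounts-example.com/login",              // hyphen instead of dot
  "https://accounts.examp1e.com/login",              // digit 1 for letter l
  "https://accounts.example.com.signin.test/login",  // real name used as a prefix
  "https://accounts.ex\u0430mple.com/login",         // Cyrillic "a" homoglyph
];

// Decide fill / no-fill for every page so the result can be inspected.
function report(urls = pages) {
  return urls.map((page) => ({ page, filled: credentialFor(page) !== null }));
}

for (const { page, filled } of report()) {
  console.log(filled ? "FILL  " : "REFUSE", page);
}
```

A human comparing these addresses by eye can miss the differences; the string comparison on the parsed origin cannot, which is why an empty autofill prompt on a page that looks familiar is itself a warning sign.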

"I don't have any significant accounts" is wishful thinking

This is the most common reason people give for not bothering. It is also wrong, almost without exception. Your email address is a master key: it can reset every other account you own. Your social media holds years of personal context that makes targeted phishing trivial. Your phone number is the shared secret for SMS-based 2FA at every bank you use. Your Amazon account has a saved card and a delivery address. None of these need to be "significant" in their own right; they are the rungs of a ladder up to the things that are.

Frequently asked questions

Is this the same thing as Have I Been Pwned?

No. Have I Been Pwned tells you whether your specific email address has shown up in a known leak. This calculator never sees your email or any personal detail. It scores your security habits to estimate how likely you are to be in the next leak. The two complement each other: HIBP looks at past breaches, this tool looks at future exposure.

Does this calculator send my answers anywhere?

No. Every answer stays in your browser. The page makes no API calls, no fetch requests, nothing. You can disconnect from the internet, fill the form in, and it still works. The only network activity on the page is the analytics tag, which records that someone (anonymously) used the calculator, not what they answered.

Why are passwords and 2FA weighted so heavily?

Because credential stuffing and infostealer malware drive the majority of consumer account compromises in 2026. A single reused password in a leaked dump becomes the key to dozens of other accounts within minutes. A password manager plus 2FA on critical accounts blocks both attack patterns at once, which is why the recommendations engine pushes those to the top whenever they apply.

What if I don't have any "important" online accounts?

Most people think this and most people are wrong. Your email account alone can reset every other login you have. Add to that any cloud storage with photos, any social media account that holds your messages, any shopping site with a saved card. The threshold for being worth attacking is not financial wealth, it is having a working pulse and a credit history.

How accurate is the score?

It is a relative score, not a probability. The 0 to 100 number is for comparing your habits to better and worse alternatives, and for showing how much each habit contributes to your overall exposure. It is not a percent chance of being breached this year. Treat it as a self-assessment to find the highest-impact fixes.