Why we built breach checking into ARK, and how it actually works

Three months after launch, a user emailed us. She'd been in the Equifax breach. She knew it intellectually, but she didn't know which of her devices had been exposed to apps that had her data. That message shaped everything we built next.

The problem wasn't the breach itself

When you discover you're in a breach, the usual response is panic followed by resignation. You change your passwords on the platforms you remember. You maybe set up a fraud alert. Then what? Most people never check whether the apps on their phone have their leaked email or phone number embedded somewhere in a forgotten API call or auth token.

We realised the real gap wasn't news about breaches happening. It was visibility. People needed to know: am I exposed on my device, right now, through the apps I use every day? And they needed that answer in less than a minute, not through a dozen manual searches on haveibeenpwned.com.

That's why the breach check became a core part of the Shield tier. Not as a novelty feature, but as something that closes a loop most users don't even know is open.

We chose HIBP because we don't need to reinvent the wheel

Have I Been Pwned exists for a reason. Troy Hunt has spent years compiling breach data from hundreds of compromises, validating it, keeping it current. We're not security researchers; we're app builders. So we did what made sense: we integrated with HIBP's API, which meant we could focus on the part only we could do properly - checking your data safely on your device.

The integration is straightforward in concept, complex in execution. When you run a breach check in ARK, we hash your email address locally on your phone using the k-anonymity protocol that HIBP uses. We never send your plain email anywhere. We send only a hash prefix to HIBP's servers. They send back a list of matching hashes. We compare locally on your device. If there's a match, you see it. If there's no match, that's it - HIBP learns nothing about your actual email.
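The prefix-and-compare exchange described above, as an added example that is not ARK's or HIBP's code. It assumes SHA-1 over the trimmed, lower-cased address and a five-character hex prefix (the page states neither), and `MockRangeServer` is a hypothetical stand-in for the remote API so the exchange runs offline on constructed addresses.

```python
import hashlib
import hmac

PREFIX_LEN = 5  # assumption: the page does not give the prefix length


def digest(email: str) -> str:
    """SHA-1 (assumed) of the trimmed, lower-cased address, as upper-case hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


def split_hash(email: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept on the device)."""
    h = digest(email)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


class MockRangeServer:
    """Hypothetical stand-in for the remote range API; built from constructed data."""

    def __init__(self, breached_emails):
        self._buckets = {}
        for addr in breached_emails:
            prefix, suffix = split_hash(addr)
            self._buckets.setdefault(prefix, set()).add(suffix)
        self.seen = []  # every value the server ever received from clients

    def range_query(self, prefix: str) -> list[str]:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("server accepts fixed-length prefixes only")
        self.seen.append(prefix)
        return sorted(self._buckets.get(prefix, ()))


def check_breached(email: str, server: MockRangeServer) -> bool:
    """Send only the prefix; compare the returned suffixes on the device."""
    prefix, suffix = split_hash(email)
    candidates = server.range_query(prefix)
    return any(hmac.compare_digest(suffix, c) for c in candidates)


if __name__ == "__main__":
    server = MockRangeServer(["alice@example.com", "bob@example.org"])  # constructed
    for addr in (" Alice@Example.com ", "carol@example.net"):
        print(addr.strip(), "->", check_breached(addr, server))
    print("server saw:", server.seen)
```

The server's record holds only fixed-length prefixes, so it learns which bucket was queried rather than which address; how many addresses share a bucket depends on the prefix length and the size of the corpus.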

This matters because privacy isn't abstract to us. It's the difference between someone running a scan and feeling like they've been audited, versus feeling like they've been watched.

The one-tap fix that actually fixes things

A breach check is only useful if it ends with action. We learned that the hard way in the first week. Users would see they were in a breach and ask, 'Now what?' So we built remediation deep-links directly into the breach result.

If your email was in a Spotify breach, we link you to Spotify's password reset. If it's a smaller platform you've forgotten about, we give you the breach date, the type of data exposed, and a direct link to their help centre. We also check whether you have other apps on your device from the same company that might need attention.

It's not magic. We're not changing passwords for you or negotiating with companies on your behalf. But a one-tap link beats a screenshot of a URL in a notification by several orders of magnitude in terms of what people actually do.

What we don't do, and why that matters

We don't store your email in plain text. We don't send it to any analytics platform. We don't hold onto your breach history unless you opt into our Shield plan, which keeps the data encrypted on your device. We don't integrate third-party tracking into the scan itself.

This is a deliberate choice that costs us something. We can't build a profile of 'high-risk users' or 'breach frequency by region' without collecting more data than we need to. We can't personalise ads or sell patterns to security vendors. But the trade-off is simple: you can scan without wondering whether the scan tool itself is a data-collection engine wearing a security mask.

On the free tier, each scan is completely private. You get one breach check with your 0-100 security score, and nothing leaves your phone except what's necessary to check HIBP. On Shield, we keep a log so you can see your history over time, but that log lives in iOS SecureStore or Android EncryptedSharedPreferences, never on our servers.

The moment it all came together

The real validation came two months in. Someone had been in eight different breaches. They ran the check. They saw all eight results. They tapped through and updated passwords on five of them that day, flagged two as inactive accounts to delete, and realised one was from a service they'd never actually signed up for. They came back to us and said it was the first time they'd felt in control of their own breach exposure.

That's what the feature is for. Not to scare you with news you probably already knew. But to connect the dots between historical breaches and the devices and apps you use today, privately, on your phone, in the time it takes to drink a coffee.

If you've been in a breach, have you ever actually checked which apps on your phone might be using that compromised email address?
