It really, and I do mean really, depends on the specific nature of the hack.
But the short answer is yes, it’s very likely your email address will be leaked as part of any significant hack or breach.
And that has nothing to do with the strength of your password.
But what happens next absolutely does.
Become a Patron of Ask Leo! and go ad-free!
Types of hacks
There are as many different types of hacks as there are people hacking, I suppose. What’s relevant is that not all hacks cause the same kind of damage, or leak the same kind of data — if data is even leaked at all.
I’ll use Ask Leo! (askleo.com) as my example, but the concepts apply to just about any website on which you can make purchases or have an account in order to access services. That includes retail sites (like Walmart), online services (like your email provider), government sites, or others.
One type of hack attempts to use my server to send spam to make it look like it came from me long enough to deliver to recipients who trust me. Another might be to hack my website so each time you visit the site, malware downloads onto your machine. A third might try to place software on my webpages so your computer would mine cryptocurrency for the hackers when you view an Ask Leo! page.
In each of those cases, the hackers have no interest in the data I keep. They’re not stealing anything. They’re hacking for other reasons.
So, no, they won’t get your email address, because that’s not what they’re after.
So-called data “breaches” are the hacks that make the news. These happen when a hacker successfully penetrates a website’s security to steal its database of users. For Ask Leo!, that might mean snagging the database of registered users or individuals who’ve made purchases here.1
And, yes, absolutely, that would include email addresses. Indeed, they would likely be the primary goal to enable further mischief ranging from spam to targeted phishing attacks to hacking other services that might use them as your identifier.
Whenever you hear about a breach, email addresses are almost always one of the items on the list.
Breaches and passwords
The fact that your password is strong is a good thing, but it’s not going to protect your email address from being exposed, because that’s not what a password is used for. While there are ways of securing user account databases so the passwords are, themselves, encrypted, that would be done using a password or technique known only to the service.2
Your password simply confirms that you are you when you use the service.
That’s why having strong passwords is critical. After a breach, the hackers know your email address and that you use this service. Your secure password prevents them from impersonating you or hacking into your specific account.
But it won’t keep knowledge of your email address any more or less secure.
When breaches happen
I’ve mentioned it before: you might consider signing up for Have I Been Pwned?, a free service that will alert you if your email address appears in one of the large-scale data breaches we hear about from time to time.
When (sadly, not if) that happens, you’ll want to change your password for an additional layer of safety on whatever service the breach occurred. Technically, if everyone has done the right thing — you had a good strong password to begin with, and the service did a proper job of storing it securely — you wouldn’t need to. Particularly since we can’t know how the service stored your password, it’s still important to change it just in case.
If you use the same password on other services, it is important to run around and change the passwords there as well. Never use the same password for different accounts, because hackers will try all the various passwords they’ve discovered in the past.
But the bottom line is that, yes, your email address will likely be uncovered should a breach happen.