diff --git a/libs/common/src/services/api.service.spec.ts b/libs/common/src/services/api.service.spec.ts
index 6d6e96de9e3..daef4164029 100644
--- a/libs/common/src/services/api.service.spec.ts
+++ b/libs/common/src/services/api.service.spec.ts
@@ -14,6 +14,7 @@ import {
 VaultTimeoutSettingsService,
 VaultTimeoutStringType,
 } from "../key-management/vault-timeout";
+import { BreachAccountResponse } from "../models/response/breach-account.response";
 import { ErrorResponse } from "../models/response/error.response";
 import { AppIdService } from "../platform/abstractions/app-id.service";
 import { Environment, EnvironmentService } from "../platform/abstractions/environment.service";
@@ -411,4 +412,26 @@ describe("ApiService", () => {
 ).rejects.toMatchObject(error);
 },
 );
+
+ describe("getHibpBreach", () => {
+ it("should properly URL encode username with special characters", async () => {
+ const mockResponse = [{ name: "test" }];
+ const username = "connect#bwpm@simplelogin.co";
+
+ jest.spyOn(sut, "send").mockResolvedValue(mockResponse);
+
+ const result = await sut.getHibpBreach(username);
+
+ expect(sut.send).toHaveBeenCalledWith(
+ "GET",
+ "/hibp/breach?username=" + encodeURIComponent(username),
+ null,
+ true,
+ true,
+ );
+ expect(result).toBeInstanceOf(Array);
+ expect(result).toHaveLength(1);
+ expect(result[0]).toBeInstanceOf(BreachAccountResponse);
+ });
+ });
 });
diff --git a/libs/common/src/services/api.service.ts b/libs/common/src/services/api.service.ts
index bbf990122df..3f24414bd23 100644
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
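Review bot: In the new `getHibpBreach` spec, the expected URL passed to `toHaveBeenCalledWith` is built with `encodeURIComponent(username)`, the same call the implementation makes, so the test mirrors the code instead of pinning the request that actually goes out. I would assert the literal, `"/hibp/breach?username=connect%23bwpm%40simplelogin.co",`, so that a reader sees the escaped form and any change of encoding helper fails visibly. The case covers `#` and `@` only; addresses containing `+` or `&` change the meaning of a query string in the same way when left unescaped and deserve their own cases.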
@@ -1434,7 +1434,8 @@ export class ApiService implements ApiServiceAbstraction {
 // HIBP APIs
 async getHibpBreach(username: string): Promise {
- const r = await this.send("GET", "/hibp/breach?username=" + username, null, true, true);
+ const encodedUsername = encodeURIComponent(username);
+ const r = await this.send("GET", "/hibp/breach?username=" + encodedUsername, null, true, true);
 return r.map((a: any) => new BreachAccountResponse(a));
 }
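Review bot: The new `encodedUsername` line in `getHibpBreach` carries no comment saying why the value is escaped, so a later refactor could drop it and the breach lookup would silently run against a truncated or altered address again. I would add `// Escape the address: a raw '#', '&' or '+' is parsed as URL syntax and the wrong account gets checked.` above it. The fix is local to this call site; other query strings in `ApiService` that concatenate caller-supplied values lie outside this hunk and may need the same treatment, so an audit or a shared helper around `URLSearchParams` would be worth a follow-up. Separately, the unchanged `r.map((a: any) => …)` assumes `send` resolved to an array, and a `null` body would throw there instead of surfacing as a failed check.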