The Password you just used was found in a Data Breach...


19 replies to this topic

#1 helpout


Posted 07 April 2024 - 10:32 AM

Greetings all, Google Password Manager in my Chrome Browser is giving me the above pop up warning when I try to log into websites.  It's very persistent.  When I check that password over at haveIbeenpwned the result is:  "This password has been seen 97 times before.  This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!"

 
So here's my question.  I get notifications from time to time (most recent was ATT) of data breaches where my name/address/dob/email/password was/has been breached and I typically just ignore them.  Is the Google Password Manager and "97 times before" situation more serious or does all of this amount to nothing because at this point almost everyone has been breached and the odds are very slim of anyone using it to their advantage?
 
Much thanks in advance




#2 JohnnyBeeGood


Posted 07 April 2024 - 11:25 AM

"because at this point almost everyone has been breached and the odds are very slim of anyone using it to their advantage"

 

Google:

Almost one-third of Americans have been a victim of identity theft. Over 300,000 Americans fall victim to phishing/vishing/smishing attacks yearly. Every year there are more than 50,000 individual personal data breaches in the US. Identity theft victims in the US are most commonly aged between 30-39 years old.

 

I take data breaches seriously.

 

Are you feeling lucky?


Edited by JohnnyBeeGood, 07 April 2024 - 11:27 AM.


#3 Chiragroop


Posted 07 April 2024 - 12:36 PM

Basically it just means that on a list of passwords cracked from data breaches, your password was among the list. It doesn't necessarily even mean that a service you use got hacked and your password leaked (though haveibeenpwned allows you to check that as well), especially if you choose a common password. Just change your password and you should be fine.

#4 helpout


Posted 07 April 2024 - 12:54 PM

So a list of passwords would be useless without knowing the associated user name/email address.  Is there a way to check if my email or username is now associated with the cracked password?



#5 Chiragroop


Posted 07 April 2024 - 02:57 PM

No. The whole point of the breached passwords is that your account could be at risk as any breach would lead to hackers just using these common password dictionaries. And breaches can potentially take a long time to be detected. The best thing here is to change the password.

#6 Dill2046


Posted 07 April 2024 - 08:29 PM

I think that ignoring security warnings desensitizes you to them, so that if your situation becomes real, there is a good chance that you might ignore them, so it's best to take action to mitigate the situation, real or imaginary.

Report of a password leak: change the passwords for all accounts where you use this password.  There are plenty of password generators out there; use a randomly generated password.  Use a unique password for each account.  Use a password book/password manager to help remember the passwords.  Typically, if you use a random password/passphrase generator, and the generated password is long enough, you would never hear such a warning from Google again.  If your account provider has a breach, unless they store the passwords in plaintext, your password isn't likely leaked (and it doesn't get reused on other services anyway), you might just have to change password for one service.



#7 helpout


Posted 07 April 2024 - 09:44 PM

I circled back to haveIbeenpwned and entered all my email addresses and passwords.  It looks like roughly half of them have been breached.  Unfortunately that website doesn't tell me if any of the breaches involved both my email address and its associated password.  But another site I found called F-Secure gives exactly that information and even gives me the name of the company and date of the breach.  Some of these breaches go back many, many years and include almost all my personal information so I'm assuming (again) that the sheer volume of these breaches is what protects a lot of people.  Going to get started on changing passwords on accounts with sensitive information.  



#8 Chiragroop


Posted 07 April 2024 - 09:45 PM

"I circled back to haveIbeenpwned and entered all my email addresses and passwords.  It looks like roughly half of them have been breached.  Unfortunately that website doesn't tell me if any of the breaches involved both my email address and its associated password.  But another site I found called F-Secure gives exactly that information and even gives me the name of the company and date of the breach.  Some of these breaches go back many, many years and include almost all my personal information so I'm assuming (again) that the sheer volume of these breaches is what protects a lot of people.  Going to get started on changing passwords on accounts with sensitive information."

Also remember that these are breaches that we know of. There could be others that went unnoticed. Best advice is to change passwords if they are in a compromised list to begin with. Hackers are going to start with lists of leaked passwords or credential stuffing from data breaches from other services. Also, haveibeenpwned does give you this information of what was leaked, like email address and password.


Edited by Chiragroop, 07 April 2024 - 09:59 PM.


#9 digmor crusher


Posted 07 April 2024 - 10:29 PM

A password breach means that they have your user name and password for whatever site; it really doesn't matter if just a password was breached without the user name and site. If Google says your password has been seen 100 times before it really doesn't mean a thing; whether it's 3 characters long or 23 characters long doesn't matter.



#10 wee-eddie


Posted 08 April 2024 - 04:35 AM

Considering the number of passwords in use across the globe, it would be surprising if there was not a repetition of passwords.



#11 cryptodan


Posted 08 April 2024 - 03:28 PM

Repetition of a single person's password or across many people's?

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#12 Chiragroop


Posted 09 April 2024 - 11:46 AM

I think there's a bit of confusion here. Firstly, haveibeenpwned allows you to see if your data is in known data breaches. Secondly, it has a list of cracked passwords and a count of them that you can compare (using SHA-1 or NTLM hash). Your password manager is likely using the latter to find the count. The issue here is that we may not know all the breaches and if there is a breach, hackers are going to begin cracking the hashed salted password using common passwords like those found in cracked password lists first. So the best course is to change the password from a weak password. And if you find you have a data breach, change your password or make other changes depending on what information was leaked.



#13 digmor crusher


Posted 09 April 2024 - 03:17 PM

If your password has been breached it means they know your password and user name for a specific site. Which means you definitely want to change it; you also want to change your password at any sites where you use the same password as the one that has been breached. Now if all they have is a password without the site or user name then don't worry.



#14 helpout


Posted 09 April 2024 - 03:47 PM

It makes sense that if the password is breached they must've also gotten the user name.  Looking over all the breaches F-Secure shows me, I see that any time my password was breached it appears in combination with either a user name breach or an email breach.  The password breach never appears by itself or only with demographic data breached.  Thinking about this, I know lots of sites that automatically use the email address for the user name, so that might explain why I have so few "user name" breaches.


Edited by helpout, 09 April 2024 - 03:48 PM.


#15 Chiragroop


Posted 09 April 2024 - 04:18 PM

I think I didn't make it clear. Those passwords are cracked and are on password lists, so if there is a breach, these passwords will be the first to break. And you may not know if the service you are using has been breached. Especially common ones like "password", which HIBP shows has been used 10,382,543 times. So in helpout's case, the password has been used 97 times. Doesn't mean all the accounts using this are by helpout. Just that it is a password that someone used and in data breaches where passwords were cracked, it was used 97 times.





