Chrome says passwords compromised

Hi all,

Google Chrome has suddenly decided that several of my passwords are compromised. I Googled this, and apparently Chrome is indeed warning people about bad passwords resulting from a “data breach,” but it’s not revealing what the source of the data breach is. Still, I wanted to check with you all to see whether you think this is a valid thing, and whether I should now set about re-doing passwords. It’s not THAT big a deal to redo passwords, but it is mildly annoying.

What say ye?

When in doubt, change the passwords.

Are you REALLY the one who calls themselves Spock?

More seriously, yep; change the passwords if they’re warning you.

I’ve had a site or two require I change my password recently with… no explanation. I’d believe them because a wider breach explains that a bit although I still think they need to be honest and upfront about these things.

To paraphrase Seinfeld: they’re real, and they’re fabulous.

Google is probably pulling from the same breach databases that other sites use, so it’s quite legit. If your password is on the breach list, you need to change it or it’s just a matter of time until your account is compromised. Everyone from State-level actors to script kiddies in their parents’ basements has access to those credentials and is running bots 24/7/365 to find valuable accounts to steal.

Thanks, all. I’ve changed them all. They were all the same password, from an earlier era in which I used the same password on many sites. That era has since passed! I now have a unique password for every site I use. Logical, but a pain.

I am what I am.

Yep. It’s a legit warning by Google and worth changing those passwords.

If you want to get an idea of which data breaches (there won’t be only one, unfortunately) your email has been compromised in, enter it here:

https://haveibeenpwned.com/

Yes, I know. Feels scary. But it’s a legit site belonging to Troy Hunt who is a security expert and who collects information on data breaches, warns companies and pressures them to address them. He parses the list and adds the emails and detail types (not values) leaked to his DB, which lets you see what data has been compromised. It’s a good tool to see in how many breach lists you have ended up.

Yeah it’s a brilliant site that.

He’s even got a neat k-anonymity API that lets you submit a hash of a password and get back whether it’s appeared in a data breach before.

His posts on how he implemented the site and how he uses various features of Azure, Cloudflare, etc. to keep costs down “about a cup of coffee a month” are awesome, too. Although I imagine his costs are a bit higher now with how popular the site is.