By Dalvin Brown
June 5, 2023
In the past, we all had favorite passwords we’d use for all kinds of websites and apps, a set of easy-to-remember phrases, because who can keep track of so many? The bad news is, those passwords have all probably leaked in data breaches. And if hackers have the password for one site, they can try it on others to see if you reused it.
Tools that detect compromised passwords often say things like: “You have 87 leaked passwords.” JON KRAUSE
So how do you know when your passwords have been breached, and what do you do about it?
Increasingly, app and service providers are providing tools for informing users about compromised login credentials. In May, Google said it would start alerting all Gmail users if their email addresses show up on the dark web where cybercriminals buy and sell personal information to commit scams. Last year, Apple updated its password security protocol to automatically identify common weaknesses with user passwords when they are stored in iCloud Keychain.
Password managers also offer similar tools, enabling users to check if their login details have been exposed. (Experts have long recommended password managers, which not only generate complicated unique passwords but also remember them for you. But password managers can and have been hacked.)
Generally, these tools use databases of leaked credentials and compare them—safely on the computer or mobile device—with the info stored by users. When there’s a match, account providers will display a warning that prompts users to change their password.
However, therein lies a challenge. What often happens is that you get reports that say things like: “You have 87 leaked passwords.”
The notices are meant to be a convenience, but they can also be a nuisance: How do you go about cleaning up all of those bad passwords?
“It’s too daunting for most people to get through,” says Chris Pierson, chief executive of BlackCloak, a Lake Mary, Fla.-based cybersecurity firm. “Having the information is great. But there’s often no clear path to move forward. For the average consumer, it’s too hard or there are too many steps.”
What’s more, with people creating more online accounts each year, the threat of compromised passwords is growing. Nearly 20% of passwords were compromised in North America in 2022, according to a report from the password-manager company Dashlane.
Many people choose to ignore these warnings, inadvertently placing themselves at a heightened risk of falling victim to cybercrime, security experts say. Some may intend to one day change their passwords, but never get to it.
Some leaked passwords deserve your immediate attention, while others can wait, cybersecurity experts say. Rank them in order of urgency. Then, work your way through the list over time, making sure to keep each password unique and turn on two-factor authentication where you can.
Here’s a closer look at how to find out if your passwords have been compromised—and what your priorities should be once you get the bad news.
Finding your compromised passwords
The most popular web platforms and password managers offer features that tell you if your passwords are compromised on the dark web.
iCloud Keychain: On MacOS, open the Keychain Access application. On iOS, go to Settings > Passwords > Security Recommendations. Review the list of saved passwords. Keychain may display a warning symbol next to compromised passwords and offer an option to change them.
Chrome: Google’s Password Checkup tool will show compromised, reused and weak passwords. Go to passwords.google.com, then Password Checkup > Check Passwords. The site will show you which passwords should be changed immediately, and take you directly to the site.
Microsoft Edge: Go to Settings and more > Settings > Profiles > Passwords to turn on Password Monitor, which will check the passwords saved in the browser against known leaked passwords. If any passwords were leaked, a notification will appear, prompting you to change those passwords.
Dashlane: Dashlane runs security checks on all your saved information once daily and will automatically show you what has been compromised.
You can also kick-start a dark-web check yourself, where Dashlane scans hidden websites for usernames, passwords, credit cards, contact information, Social Security numbers and computer IP addresses. Go to the Dark Web Monitoring section of the app. Select “Start monitoring.” Dashlane will send a notification to your email and a pop-up on the app when any of your personal information shows up.
1Password: Navigate to the Watchtower or Security Audit section of 1Password, to scan your passwords against known breaches and vulnerabilities. The app will identify compromised, weak or reused passwords and suggest changing them.
Which passwords to address, in phases
Phase 1: Your most sensitive accounts
Give priority to passwords for such critical accounts as email, banks and financial institutions, and healthcare-related apps.
“Anything that affects money, your Google, Apple or Microsoft email accounts—scammers are going to try to go after those,” says Craig Lurey, chief technology officer at Keeper Security, a password-management company.
Someone who gains unauthorized access to your email address can find out a lot about your habits: where you work, where you’ve been, when you’re traveling and how much you spend. They can send emails to contacts pretending they’re you. They can lock you out of your email and even attempt to reset passwords associated with your other accounts.
Healthcare apps might show them your medical history and insurance details, which can be used to attempt fraudulent medical claims.
Banks use unseen tools to limit what unauthorized parties can do, but that doesn’t mean scammers can’t slip through the cracks.
“Those are the accounts that can make you or your family have a really bad day,” Pierson says. “Almost everything else can wait.”
Phase 2: Social media
Social-media accounts tend to store personal information, including your name, email address, phone number, location, photos and videos.
If your social-media account is compromised, hackers can misuse this information for identity theft, social-engineering attacks, or targeted phishing attempts. They can send fraudulent messages to contacts. Having someone impersonate you on social media might damage your reputation.
“Having your account taken over is horrible, and you don’t want to have to rebuild the entire 10,000 people that follow you,” Pierson says.
Phase 3: Where you shop
Shopping apps and other accounts that store credit-card information often contain additional personal and financial details, such as billing addresses, contact information and order history.
Hackers could attempt to make unauthorized purchases using your stored payment details. By changing your password, you can effectively block their access and minimize the risk of financial loss.
“There are a lot of fraud protections built in on sites to keep people from using your credit card, but it can still be annoying if someone logs into your Amazon account and changes your password and now you can’t get in,” says Art Gilliland, chief executive of the IT security firm Delinea.
Phase 4: Everything else
Some accounts aren’t as urgent, and you might not have to worry about changing them at all.
Accounts for nonfinancial web services that don’t store sensitive information, such as online forums, news websites or nontransactional platforms, generally carry lower risk, cybersecurity experts say.
Compromised access to these accounts might spark privacy concerns, or an unauthorized person might misuse some account features, but the potential impact is less severe than with accounts that involve financial or personal data.
“Accounts where there’s nothing they can steal, other than knowing you’re reading content, you can care less about those,” Gilliland says.
Loyalty or rewards program accounts might fall into this category because they generally don’t store highly sensitive personal or financial information.
Dow Jones & Company, Inc.
