If you’re a Google Chrome user, you may have received the pop-up alert “Your password was exposed in a non-Google data breach” in your web browser. The alert informs users of any recent security breaches which may have compromised their account passwords.
Read on to learn more about what this alert means for your data security and the appropriate steps to secure your personal data.
What is a Data Breach?
A data breach is a high-risk security incident where sensitive data is compromised by an unauthorized individual. The hacker could exploit this data by accessing, copying, transmitting, viewing, or stealing it.
Data breaches commonly involve the exposure of valuable sensitive information, including:
- Financial information, like credit card numbers and bank account details
- Protected health information (PHI)
- Personally identifiable information (PII), including personal info like full names, addresses, phone numbers, and social security numbers
- Trade secrets
- Intellectual property
Cybercriminals can also discover and exploit existing data leaks and cloud leaks to cause data breaches.
How to Use Password Checkup
There are three ways to access Password Checkup in your Google Account.
- You receive a warning message from Chrome. When you enter unsafe credentials into a website, Chrome will alert you that your username and password have been compromised in a third-party data breach.
- You can access Password Checkup directly here.
- You can access Password Checkup via Password Manager here > Click ‘Go to Password Checkup.’
Once you’re in Password Checkup:
Click the ‘Check Passwords’ button on the Password Checkup page.
Google recommends users update their passwords if:
- The password has been exposed in a data breach
- The password is considered weak
- The password is used across multiple accounts
Google will display the following messages if any of the three issues listed above are found:
- “X compromised passwords”
- “X reused passwords”
- “X accounts using a weak password”
How Do Data Breaches Happen?
Data breaches can occur in a number of different ways – either intentionally or accidentally. There are 8 main causes of a data breach:
7. Physical Theft
How Can I Use Chrome to Check If My Password Was Breached?
First introduced as a Chrome extension in February 2019, Chrome’s Password Checkup checks your username and password against over 4 billion credentials that Google has recognized as unsafe. Similar to haveibeenpwned.com, Google identifies Gmail accounts affected by third-party data breaches and accounts where users are re-using their Gmail passwords, to prevent further compromise.
Google released this feature as part of its broader defense in depth strategy that aims to prevent, detect, and mitigate account hijacking caused by third-party data breaches.
You’ll need to access Password Checkup to check if your login credentials are unsafe and take further action.
What Should I Do If My Password Has Been in a Data Breach?
If your password has been exposed in a data breach, you should immediately change the password on all affected accounts. Data breaches often occur as a means of obtaining sensitive information to commit further cybercrimes, such as identity theft or fraud.
Many countries now have data breach notification laws, which means organizations must inform their customers and immediately resolve breaches. Google’s Password Checkup feature ensures you have additional notification of any data breaches which affect your email account.
How to Change Your Passwords in Password Checkup
To change your password in Password Checkup:
- Click the “Check passwords” button.
- Click the “Change password” button in Password Checkup next to each of the alerts, e.g., “Some of your saved passwords were exposed in a non-Google data breach. You should change them now.”
- Navigate to the site where the breached password is used. Change your password on the website. An “Update password?” pop-up will appear to save your new password in Chrome. Another pop-up will appear with a “Change remaining passwords?” button.
- Click the button to navigate back to Password Manager. You can now repeat the process with the remaining unsafe passwords or exit and resume later by returning to the page.
How to Protect Yourself From Data Breaches
As data breaches are extremely costly to organizations, they are beginning to invest more heavily in data breach prevention mechanisms, such as:
- Ongoing vulnerability and penetration testing
- Malware protection
- Enforcing Zero Trust Network Access (ZTNA)
- Consistent hardware and software updates to patch known vulnerabilities
- Staff education programs
- Use of complete attack surface monitoring solutions
While these techniques help minimize the occurrence of data breaches, they do not entirely prevent them. Smaller-scale data breaches can still occur due to user error.
Individuals should take proactive action to protect themselves against potential entry points for data breaches.
Common data breach mitigation strategies include:
Secure Your Internet Connection
Hackers can use specialized tools and techniques to intercept internet traffic – this is especially easy to do over public wi-fi networks. Securing your internet connection provides an added layer of protection when sharing sensitive information over the web, which helps prevent data breaches caused by accidentally exposed data.
Only use HTTPS sites. HTTP sites run on unsecured connections, which means hackers can eavesdrop on all incoming and outgoing traffic. For example, if you make a payment transaction on an HTTP site, a cybercriminal could steal your credit card details effortlessly. You should only browse HTTPS sites, which require SSL certification, enabling encrypted connections and greater data security.
Use a Virtual Private Network (VPN). A VPN adds an extra layer of protection for internet users by encrypting all sent and received data. VPNs also conceal users’ IP addresses, further anonymizing all incoming and outgoing traffic.
Use Unique Passwords
Using the same password across multiple accounts has a domino effect in a data breach. If your username and password are compromised via one website, they are also compromised anywhere else that uses the same credentials. Setting different passwords across all your accounts ensures that any security issues will likely remain contained to the first compromised account.
Turn on Additional Authentication
Many online account services now offer two-factor authentication (2FA) and multi-factor authentication (MFA). They offer extra security by requiring two or more types of authentication before allowing users access to their accounts.
Gaining awareness of common tactics used to compromise is the first line of defense against accidentally exposing your personal information. You can learn about popular attack vectors, like email phishing scams and malware-infected pop-ups, through online tutorials.
Well-Known Examples of Data Breaches
In January 2021, Microsoft Exchange’s email servers were involved in one of the US’ most significant cyberattacks to date. More than 60,000 companies were affected worldwide, 30,000 of which were based in the US. The attackers were able to gain unauthorized access to emails containing sensitive data by exploiting four zero-day vulnerabilities. The email accounts were connected to a range of organizations, including small businesses and local governments. The software flaw allowed the hackers to remain active in the vulnerable systems for three months.
In April 2021, hackers performed an illegal data scrape of LinkedIn’s user base, revealing the personal details of over 700 million users. This exposure enabled additional cybercriminals to take advantage of the breached data. One threat actor reportedly tried selling a set of LinkedIn data on a public forum for $7000 in Bitcoin.
Between 2013 and 2016, Yahoo was hit by several cyber attacks. A team of Russian hackers exploited Yahoo’s database, stealing records containing personal information from about 3 billion user accounts in total. Yahoo’s delayed reaction to the attack and failure to disclose one of the security incidents to its users resulted in a $35 million fine and 41 class-action lawsuits.
In September 2017, primary credit reporting agency Equifax reported a significant data breach that compromised the publicly identifiable information (PII) of 148 million US citizens. The breach exposed its victims to financially-motivated crimes, including identity theft and fraud. Equifax eventually faced penalties to the tune of $575 million to be paid to numerous authorities, states and territories due to their poor network security.