Google Password Checkup extension - Hargreaves Lansdown data breach?

I use the Google Password Checkup extension on my browser which warns about any recent data breaches. I logged onto Hargreaves Lansdown and got a pop-up warning me that the site had a recent data breach and that I should change my password. Anyone else seen this - can't find anything on the web.

Comments

  • Zanderman
    Zanderman Posts: 4,839 Forumite
    JSmith321 said:
    I use the Google Password Checkup extension on my browser which warns about any recent data breaches. I logged onto Hargreaves Lansdown and got a pop-up warning me that the site had a recent data breach and that I should change my password. Anyone else seen this - can't find anything on the web.
    Can't help except to say that on a quick google it seems many people report the same issue - not with HL but with Google Password Checkup. It seems fond of suggesting data breaches with no info on where or when the breach occurred, if indeed it did. And if it did it might be at your end, not at HL's end as the extension gives no details on the nature of the alleged breach. And some are false alarms, apparently.
    See, for example, https://support.google.com/accounts/thread/24254335?hl=en 
  • RedMonty
    RedMonty Posts: 123 Forumite
    I just got this warning myself.

    Have changed my HL password. You need to be prepared for any company to suffer a breach and not find out about it till a while later.  There are various websites run as a public service by security researchers who collect lists of leaked / stolen passwords, and allow people to check if their passwords have been leaked. Chrome / password managers do this automatically for you.  I use my password manager to store over 600 passwords (various websites, myself, my family, my work) and update as needed.

    I use the non-subscription version of 1password - I hate subscriptions and the non-sub version meets my needs. I also keep an annually updated paper printout of the most important passwords in a fireproof safe (cheap from Amazon) and my partner & brother have the keys.  Important to consider what happens if you get hit by a bus one morning.  

    Some useful quotes below.
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!

    Prism said:
    Google are not spying on your passwords. Chrome uses a hashing process to convert any username and password combo that you use into a hash (basically a unique list of characters) which it then encrypts and sends to Google. They compare that to a database of username and password combos (also hashed in the same way) which they collect from company breaches. If there is a match then you get the alert.

  • I’ve had a very similar thing with my iPad recently, and it kept saying that there had been a data leak on many of the sites/apps that I use. When I checked this out it seems that the new version of iOS has new additional features and it checks whether your password has been the subject of a leak anywhere in the world. There is a global list of passwords that have been leaked, and if you use one of the passwords on that list you will get a warning. It doesn’t mean that you have been a subject of a leak (although you could have), but someone who uses the same password has had it leaked.

    All my financial apps/sites have multiple security requirements when I log in, including HL, so there is hopefully less chance of a leak from them.🤞
  • This may just be a bug in the google password checker. When you login, one of the 'masked' fields is your date of birth. This probably looks like a password to the checker and it may be looking this up and finding a list with lots of 6 digit numbers that hackers might use in a brute force attack.
    You need other information to login to your HL account, so guessing your DOB does not give a hacker access to your account. Of course, if you are at all worried, change your password anyway.

  • webjaved
    webjaved Posts: 618 Forumite
    Use a password manager to store passwords and enable 2FA where possible, ensure that passwords used are not easily memorable as malicious hackers can grab the password quite easily.
    Save £12k in 2019 #154 - £14,826.60/£12k
    Save £12k in 2020 #128 - £4,155.62/£10k
  • Doshwaster
    Doshwaster Posts: 6,284 Forumite
    I've also had the same problem with the HL site. I changed my password to one not used elsewhere and I still see the error occasionally. Looks like the Google hacker checker is being a little too sensitive with HL as I haven't seen the alert anywhere else.
  • DrSyn
    DrSyn Posts: 897 Forumite
    edited 12 March 2021 at 7:07PM
    Browser Password Managers are not so secure as dedicated Password Managers such as KeePassXC, 1Password or Bitwarden.
    Hope you have been using 2FA, such as Yubikey or Authy and salting your passwords on sensitive sites. If so I think you should be OK.
    These may be of interest to you.
    https://haveibeenpwned.com/
    https://haveibeenpwned.com/Passwords
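
The hashed lookup Prism describes and the Pwned Passwords page DrSyn links to, as an added example (not from any poster, and not Chrome's or Have I Been Pwned's own code): a range-style lookup in which only the first five hex characters of the password's SHA-1 leave the device. The corpus, the simulated server and the sample form are constructed; the last function shows how a 6-digit date-of-birth field could raise the alert, as suggested earlier in the thread.

```python
import hashlib

# Constructed stand-in for a breach corpus (value -> times seen); not real data.
CONSTRUCTED_CORPUS = {"password": 9, "letmein": 3, "010180": 5}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def simulated_range_server(prefix):
    """Offline stand-in for the service: it sees only a 5-character hash prefix
    and returns 'SUFFIX:COUNT' lines for every corpus hash sharing that prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for value, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(value)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(candidate, range_query=simulated_range_server):
    """Return how often `candidate` appears in the corpus. Only the first five
    hex characters of its SHA-1 are sent; the suffix is matched locally."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix.strip().upper() == suffix:
            return int(count)
    return 0


def flagged_fields(form_fields):
    """Names of submitted fields whose value appears in the corpus. A checker
    that treats every masked field as a password flags non-password fields too."""
    return [name for name, value in form_fields.items() if breach_count(value) > 0]


if __name__ == "__main__":
    # Constructed login form: a unique password plus a 6-digit date of birth.
    form = {"password": "gT7#qv!2Lw9zRk", "date_of_birth": "010180"}
    print(flagged_fields(form))
```
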
  • masonic
    masonic Posts: 26,330 Forumite
    I've also had the same problem with the HL site. I changed my password to one not used elsewhere and I still see the error occasionally. Looks like the Google hacker checker is being a little too sensitive with HL as I haven't seen the alert anywhere else.
    The trouble is, like anything analysing the webpages you visit, it won't be 100% accurate in classifying parts of a webpage, and will sometimes classify something as a password that isn't. It would be helpful if you could get it to display the thing it thinks is a password when it pops up the alert.