
Password breach warning on HL?


Comments

  • Prism
    Prism Posts: 3,847 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    Just had this as I logged into Hargreaves Lansdown.  My password is long, random-looking and (as far as I can remember) issued by HL themselves.  Happily HL now have the extra security of sending a code to my mobile.
    My main security concern is now that Google are spying on my passwords to provide this service !  I certainly don't ask Chrome to store passwords for me.
    Google are not spying on your passwords. Chrome uses a hashing process to convert any username and password combo that you use into a hash (basically a unique list of characters) which it then encrypts and sends to Google. They compare that to a database of username and password combos (also hashed in the same way) which they collect from company breaches. If there is a match then you get the alert.
  • george278
    george278 Posts: 53 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    I have recently started to get this error message. I still get it despite changing my password and secure number. So I've phoned HL and they advised me that my account is safe and not to worry about it.
  • Prism
    Prism Posts: 3,847 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    I would take a guess that Chrome is incorrectly picking up the email address and date of birth on the first login page and assuming that is the password.
  • Chordeiles
    Chordeiles Posts: 179 Forumite
    Part of the Furniture 100 Posts Photogenic Combo Breaker
    Prism said:
    Google are not spying on your passwords.
    I do understand what you are saying.  But trust comes in different forms.
    Thus:  Do I believe that Google are a malicious organisation that deliberately harvest my data for purposes I wouldn't like ?  No, I don't.
    But:  Do I trust Google's software to be squeaky clean and unhackable ?  No, I don't.
    So Google's kind initiative to make me feel safer would appear to have backfired.
  • masonic
    masonic Posts: 27,167 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 18 July 2020 at 10:55AM
    Prism said:
    Google are not spying on your passwords.
    I do understand what you are saying.  But trust comes in different forms.
    Thus:  Do I believe that Google are a malicious organisation that deliberately harvest my data for purposes I wouldn't like ?  No, I don't.
    But:  Do I trust Google's software to be squeaky clean and unhackable ?  No, I don't.
    So Google's kind initiative to make me feel safer would appear to have backfired.
    Regardless of this new feature, when you log in to a website, you are giving the web browser your login details. If you don't trust that there is sufficient security to prevent that data being 'hacked', then you should not use the web browser. The feature can be turned off, but you can't avoid the web browser processing your login information. Creating a cryptographic hash with which to check against a breach database is by no means the most vulnerable aspect of typing in those details.
  • TBC15
    TBC15 Posts: 1,495 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    From HL
    Thanks for getting in touch.

    We’d like to point out that our clients have no reason to be worried. No data has been accessed and we welcome the announcement by Google to increase its security measures - this is a good thing.

    Hargreaves Lansdown takes the security of its clients’ accounts extremely seriously. We are fully committed to providing a secure home for our clients’ investments, and as such, security is always at the forefront of our endeavours.

    We agree that regularly changing your password can be one of the simplest yet most effective defences against unauthorised access to your account.

    If you have any other questions, please get back to me.

    Best regards

    Steven Jarosz
    Hargreaves Lansdown
  • RedMonty
    RedMonty Posts: 123 Forumite
    Tenth Anniversary 10 Posts Name Dropper Combo Breaker
    I just got this warning myself.

    Have changed my HL password. You need to be prepared for any company to suffer a breach and not find out about it till a while later.  There are various websites run as a public service by security researchers who collect lists of leaked / stolen passwords, and allow people to check if their passwords have been leaked. Chrome / password managers do this automatically for you.  I use my password manager to store over 600 passwords (various websites, myself, my family, my work) and update as needed.

    I use the non-subscription version of 1password - I hate subscriptions and the non-sub version meets my needs. I also keep an annually updated paper printout of the most important passwords in a fireproof safe (cheap from Amazon) and my partner & brother have the keys.  Important to consider what happens if you get hit by a bus one morning.  

    Some useful quotes below.
    It's a valid warning. It's not saying you've done anything wrong but that at some point, somewhere on the internet, someone has used the username/password combination as an authentication to a site, and that site leaked that authentication data to a malicious actor.

    Whilst your HL account is unlikely to be accessed, you should still change your password as it is a risk that you can mitigate easily. Use a random generator for your next password.

    Thank Chrome for the service rather than ignore it!

    Prism said:
    Google are not spying on your passwords. Chrome uses a hashing process to convert any username and password combo that you use into a hash (basically a unique list of characters) which it then encrypts and sends to Google. They compare that to a database of username and password combos (also hashed in the same way) which they collect from company breaches. If there is a match then you get the alert.
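
A simplified model of the check that Prism and RedMonty describe above, added here as an illustration and not taken from the thread or from Google's code: the username and password are hashed together, only a short prefix of the hash leaves the client, and the final comparison happens locally. The prefix length, the PBKDF2 parameters, all class and function names, and the sample credentials are assumptions constructed for this example.

```python
import hashlib
import hmac

PREFIX_BYTES = 2  # assumption: the client reveals only this much of the hash

def credential_hash(username: str, password: str) -> bytes:
    """Hash the canonicalised username together with the password."""
    user = username.strip().lower().encode()
    # PBKDF2 stands in here for whatever slow hash a real service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo|" + user, 10_000)

class BreachService:
    """Server side: stores hashes of leaked combos, grouped by hash prefix."""
    def __init__(self, leaked):
        self.buckets = {}
        for user, pw in leaked:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_BYTES], set()).add(h)
        self.seen_queries = []  # everything the server ever learns from clients

    def lookup(self, prefix: bytes):
        self.seen_queries.append(prefix)
        return self.buckets.get(prefix, set())

def is_breached(service, username: str, password: str) -> bool:
    """Client side: send the prefix, compare the full hash locally."""
    h = credential_hash(username, password)
    bucket = service.lookup(h[:PREFIX_BYTES])
    return any(hmac.compare_digest(h, candidate) for candidate in bucket)

# Constructed sample breach data, not real credentials.
LEAKED = [("alice@example.com", "Summer2019!"), ("bob@example.com", "letmein")]

def demo():
    svc = BreachService(LEAKED)
    results = {
        "reused combo": is_breached(svc, " Alice@Example.com ", "Summer2019!"),
        "same user, new password": is_breached(svc, "alice@example.com", "x9$Qv-new"),
        "same password, other user": is_breached(svc, "carol@example.com", "letmein"),
    }
    return results, svc.seen_queries

if __name__ == "__main__":
    results, queries = demo()
    for case, hit in results.items():
        print(f"{case}: {'WARNING' if hit else 'ok'}")
    print("server saw only:", [q.hex() for q in queries])
```

Because the hash covers the username and password as a pair, changing either one clears the match, and the service only ever receives the short prefixes recorded in `seen_queries`.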
