Chrome "Change your password" pop-up

[CryptoPlankton]

Using Chrome, I logged in to my HL account on my mobile a couple of days ago, only to be greeted by a pop-up stating the following:

"CHANGE YOUR PASSWORD

A data breach on a site or app exposed your password. Chrome recommends changing your password on online.hl.co.uk now"

While on the site, I changed both password and "security number" before logging out. Today, on my PC, I have logged in and received the same message again. I have found this ongoing thread discussing the issue (begun in December last year) on Google Chrome Help which has really left me none the wiser:

https://support.google.com/chrome/thread/23534509?hl=en

Both the original password and the new one used on this site were unique to it and have not been saved on Chrome.

Does anyone have any experience of this or any thoughts about it please?

(I have been thinking of changing browser for quite a while!)

[stacker512]

There was a discussion about this on the MSE forums, but I'm not allowed to post links. It's in the "Savings & Investments" section with title "Password breach warning on HL?"

Appeared to be a Chrome / Google warning, and not actually a data breach.

[Breelander]

There was a discussion about this on the MSE forums, but I'm not allowed to post links. It's in the "Savings & Investments" section with title "Password breach warning on HL?"

Appeared to be a Chrome / Google warning, and not actually a data breach.

You need to have made a few more posts before you can post links. I've found the link and can post it for you....

https://forums.moneysavingexpert.com/di ... ning-on-hl

[stacker512]

Correct, that's the one. Thanks for posting the full link.

I've not had any such warnings so far on Firefox - I suspect there was a bug or a mistake with how Chrome was handling the warning for HL, but I admit that I don't know much about how it all works.

It's prudent to make sure the password used for HL was unique and perhaps even change the password if one is concerned about the password being already leaked - I know one of my old passwords was leaked after I discovered it in the haveibeenpwned website (totally legit website run by a well-respected security researcher).

[Stompa]

It gets a mention here:

https://www.hl.co.uk/security-centre/cu ... romepopups

[MaraMan]

I had the same message and was inclined to ignore it, but took the safety first approach and changed the passwords.....and I still get the same pop up message

MM

[Infrasonic]

I wonder if the issue here is that Chrome is suggesting changing the passwords of any site that has had a data breach (like HL), rather than specific plain text/unencrypted password breaches + accounts?

Whilst plain text passwords have been exposed there's also a lot of encrypted stuff floating around out there on the dark web which isn't associated with any accounts and ultimately isn't of any real use to criminals unless they can un-encrypt it and tie it to the specific user accounts (which is where social engineering/phishing et al becomes dangerous).

When you see the gross numbers on sites like HIBP it can be scary until you realise there's a lot of duplication of data sets, part of the ruse with selling it on the dark web is the opacity of what's actually in it.
It's not like you are going to get a refund when it turns out to be useless...

[Lanark]

The reason you are getting the warning is because your password appears somewhere in one of the many leaks of compromised passwords.

In itself thats not too great a risk, an attacker could have those lists of millions of compromised passwords, but they would still have to try a lot of combinations to find the one associated with your login.

What is more of a concern is that someone somewhere managed to pick exactly the same password as you did - that is a very strong indication that you are using a password which is not strong enough.

In 2020 you should be using a password which is at least 15 characters long and not containing any dictionary words
e.g. something like EVvrcWZKSIuBsyZk9z7l

Good passwords are impossible to remember, so use a password manager to do that for you.

[Stompa]

I wonder if the issue here is that Chrome is suggesting changing the passwords of any site that has had a data breach (like HL), rather than specific plain text/unencrypted password breaches + accounts?

I don't think so. I access HL using Chrome and have never had the warning.

[UncleEbenezer]

I wonder if the issue here is that Chrome is suggesting changing the passwords of any site that has had a data breach (like HL), rather than specific plain text/unencrypted password breaches + accounts?

I don't think so. I access HL using Chrome and have never had the warning.

Likewise.

It may depend on how much chrome knows about you, the user. If it knows who you are (low privacy settings), then it can match you to databases of leaked passwords and issue a warning. But so long as the leak wasn't H-L themselves[1], nothing to worry about unless you're so dumb as to re-use the same password elsewhere. Chrome doesn't know that.

[1] If H-L had leaked, I expect we'd have heard about it.