Google research says thousands are using passwords that have been hacked

16 Aug 2019

Image: © beebright/

After rolling out its Password Checkup extension, Google found that hundreds of thousands of people were using already hacked passwords.

How often do you change your passwords and how worried are you about them getting hacked? Given how flimsy some of the world’s most common passwords are, it would appear that some users aren’t wholly concerned with the possible threat posed by hackers.

Yet new research from Google may give you pause if you’re using a years-long password. The company debuted its Password Checkup extension for Chrome, which displays a warning whenever users sign in with one of the 4bn usernames and passwords known to be unsafe as a result of third-party breaches.

Future Human

Around 650,000 people have used the service since it was first rolled out and Google has been tracking the usage. In a study released yesterday (15 August), the internet giant said that after scanning 21m usernames and passwords it flagged more than 316,000 unsafe sign-ins in the first month alone, which accounts for 1.5pc of all sign-ins scanned by the extension.

“Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government and email accounts,” the report stated.

“This risk was even more prevalent in shopping sites where users may save credit card details, [as well as] news and entertainment sites.”

The company’s study, available here, will be presented in full as part of the USENIX Security Symposium in Santa Clara, California.

In the past few weeks, a number of high-profile data breaches exposed customer data the world over. Users of custom retail website CafePress may have had their passwords exposed after it suffered a data breach in February 2019.

Financial corporation Capital One also suffered a hack that targeted the personal information of customers and people who had submitted credit card applications. It is said that as many as 100m customer applications were affected.

Websites such as Have I Been Pwned are a resource for users to check whether or not their information has been compromised and, if so, what information.

Eva Short was a journalist at Silicon Republic