Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says

New ‘Password Checkup’ Chrome extension found 1.5 percent of all website logins use compromised credentials, a figure that’s higher for porn websites.

A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they’re keen on having their data hijacked, their identity stolen, or worse. It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that’s largely mitigated by using a password manager and unique password for each site you visit.

Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it’s still a confusing process for many users unsure of which passwords need updating.

To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer.

Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is. The company’s full study, available here, is being presented this week as part of the USENIX Security Symposium in Santa Clara, California.

“Since our launch, over 650,000 people have participated in our early experiment,” Google told Motherboard in a statement. “In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe—1.5% of sign-ins scanned by the extension.”


Users opted to ignore 81,368—or 25.7 percent—of the breach warnings presented to them, the study found. The researchers surmised this could be because users were confused by the warning and reset process, didn’t think a reset was worth their time, or weren’t fully in charge of the impacted account (because it was a shared household account). The study also found that while users often remember to change passwords for major sites, they’re two and a half times more likely to reuse vulnerable passwords everywhere else, opening them to account hijacking threats. A previous Google study found that 15 percent of internet users have had their email or social media accounts hijacked by a third party.

This latest study found that the risk of hijacking was highest for video streaming and porn websites, where between 3.6–6.3 percent of logins relied on breached credentials. That number was much lower for financial and government sites, where only 0.2–0.3 percent of logins involved compromised login information, Google found.

Google says it’s hopeful that secure, centralized, and democratized access to password breach alerts can help nudge otherwise oblivious internet users into updating their credentials.

In concert with the study, Google says it’s releasing two new features for the Password Checkup extension: the ability for users to submit comments should they run into any issues with the tool, and the ability to opt out of the telemetry data the extension collects, including the number of alerts a user receives and whether it prompted a password change.

Google also says it’s working on ways to bring the same technology to Google products. “People hear about breaches all the time (unfortunately) and I imagine they feel a bit helpless because they don't even know if they've been affected; hopefully this is a way to reassure them,” a company representative told Motherboard.