Today I created an online account (a financial website), using a new password that I have never used before (and nothing like any password I've used before). It's a moderately strong 12 character password including random lower case alphabetic and numeric characters, capitals and symbols. The login process is two steps:

1. username and date of birth, then if this is successful
2. password and selected characters from a security number

On submitting the above, I get a warning from Chrome: "A data breach on a site or app exposed your password. Chrome recommends changing your password on xxxx.yy.co.uk now." Given (1) this is a new, moderately strong password, (2) the combination of the password and security number changes each time I login and (3) the website haveibeenpwned.com/passwords says "no pwnage found" for this new password, I'm surprised to say the least. Could Chrome have this wrong, or could it be complaining about some other combination of data used during the two step login process? Is there any way to check?
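On the question of how to check: the haveibeenpwned.com/passwords lookup mentioned above uses a k-anonymity range query, where only the first five hex characters of the password's SHA-1 leave the machine and the rest is matched locally. The script below is an added example, not part of this thread; the endpoint URL is the service's public one, while the sample response text and its counts are constructed so it runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix is sent to the service; the remaining
    35 characters are compared locally against the returned candidates.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch) -> int:
    """How often the password appears in the corpus (0 = not found).

    `fetch(prefix)` returns the response body for that 5-char prefix.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def hibp_fetch(prefix: str) -> str:
    """Live lookup against the public endpoint (not used by the offline demo)."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to the prefix of "password".
# The first suffix is the real SHA-1 tail of "password"; the counts and
# the other two suffixes are made up for the demo.
SAMPLE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:2\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\n",
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RESPONSES.get(prefix, "")
```

Swap `offline_fetch` for `hibp_fetch` to query the live service; in both cases the full password hash never leaves the machine.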
One possibility is that Chrome is just detecting that a prior breach occurred on this web site and advising that you change your password because of this. Since this is what you have already done, I would ignore any subsequent warnings.
First of all, the thread title might indicate to some readers that Chrome has been hacked or breached. Second, this is definitely a security setting in Chrome. Users can leave it turned off if they are not in favor of browsing data being sent to Chrome.
Many thanks everyone! Sorry about the title - can I change it? I've done some further testing. If I change the username, I still get a warning from Chrome for this password on the same website. However, the offending username / password combination on a different website doesn't result in a warning from Chrome. I also read somewhere that there are false positives from Chrome if a website uses passport.twitch for authentication. To help reassure me, given my testing above: Is it reasonable to assume a moderately strong, new password, which haveibeenpwned.com doesn't indicate is hacked, is OK, so this warning from Chrome is incorrect in that the password clearly has not been exposed? It is either a false positive or it is because of a previous breach related to the domain of the financial institution (online.hl.co.uk). Would you contact the financial institution to raise this issue? Do you think there is a significant risk from having this password checking service from Google enabled in Chrome? I use a separate Chromebook laptop solely for accessing financial accounts. This uses a Google account that I use nowhere else, has a separate (strong) password from all my other laptops and accounts, and employs two factor authentication via a security token. It doesn't even save my Google account email address: I enter it along with the strong password and insert my security token (which I carry with me) every time I use the laptop. I don't use the laptop for anything else. So, given this "false positive", would it be safe enough to disable this Google password checking on this laptop?
It's okay, probably just me. I don't believe it is the password that Chrome is reacting to, it is the website. Thus, changing passwords has no effect on the warning. I would, definitely. But I would also be prepared for either denial or inconclusive responses, i.e. I envision them not owning it (no pun intended). More so than significant risk, I just don't want the open data stream between me and Google. As I see it, it is too blatant. I try to plug those holes, not open them wider. But that's a personal preference, and I'm sure others have valid opinions.