Unexpected data breach warning from Chrome

Discussion in 'other security issues & news' started by apwood, Oct 3, 2020.

  1. apwood

    apwood, Registered Member (Joined: Oct 3, 2020; Posts: 2; Location: Sheffield, UK)

    Today I created an online account (a financial website), using a new password that I have never used before (and nothing like any password I've used before). It's a moderately strong 12 character password including random lower case alphabetic and numeric characters, capitals and symbols.

    The login process is two steps:
    1. username and date of birth
    then if this is successful
    2. password and selected characters from a security number

    On submitting the above, I get a warning from Chrome:

    "A data breach on a site or app exposed your password. Chrome recommends changing your password on xxxx.yy.co.uk now."

    Given (1) this is a new, moderately strong password, (2) the combination of the password and security number changes each time I log in and (3) the website haveibeenpwned.com/passwords says "no pwnage found" for this new password, I'm surprised to say the least.

    Could Chrome have this wrong, or could it be complaining about some other combination of data used during the two step login process?

    Is there any way to check?
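
The haveibeenpwned password lookup mentioned in this post can be run without sending the password or its full hash: the Pwned Passwords range API receives only the first five hex characters of the SHA-1 hash, and the comparison happens locally. The following is an added example, not part of the thread; the fetch function and sample passwords are constructed so it runs offline, and it shows the haveibeenpwned scheme only, not how Chrome's own check works.

```python
import hashlib

# Live endpoint for reference; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse a range response: one 'SUFFIX:COUNT' entry per line."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; 0 means not found.
    Padding entries (count 0) therefore also read as 'not found'."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def make_offline_fetch(listed):
    """Constructed stand-in for the range endpoint (hypothetical helper).
    `listed` maps sample passwords to counts; `sent` records every
    value that would have left the machine."""
    bodies, sent = {}, []
    for pw, n in listed.items():
        prefix, suffix = split_hash(pw)
        bodies.setdefault(prefix, []).append(f"{suffix}:{n}")
    def fetch(prefix):
        sent.append(prefix)
        return "\r\n".join(bodies.get(prefix, []))
    return fetch, sent

if __name__ == "__main__":
    # Constructed sample data: one listed password and one padding entry.
    fetch, sent = make_offline_fetch({"Summer2020!": 1432, "padding-entry": 0})
    for pw in ("Summer2020!", "x7#Qm2vL9p!d"):
        print(pw, "->", breach_count(pw, fetch))
    print("values sent:", sent)
```
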
     
  2. itman

    itman, Registered Member (Joined: Jun 22, 2010; Posts: 8,377; Location: U.S.A.)

    One possibility is that Chrome is just detecting that a prior breach occurred on this web site and advising that you change your password because of this. Since this is what you have already done, I would ignore any subsequent warnings.
     
  3. Page42

    Page42, Registered Member (Joined: Jun 18, 2007; Posts: 6,679; Location: USA)

    First of all, the thread title might indicate to some readers that Chrome has been hacked or breached. Second, this is definitely a security setting in Chrome. Users can leave it turned off if they are not in favor of browsing data being sent to Chrome.

    [Attached image: Chrome safe browsing setting.JPG]
     
  4. apwood

    apwood, Registered Member (Joined: Oct 3, 2020; Posts: 2; Location: Sheffield, UK)

    Many thanks everyone! Sorry about the title - can I change it?

    I've done some further testing. If I change the username, I still get a warning from Chrome for this password on the same website. However, the offending username / password combination on a different website doesn't result in a warning from Chrome.

    I also read somewhere that there are false positives from Chrome if a website uses passport.twitch for authentication.

    To help reassure me, given my testing above:

    Is it reasonable to assume a moderately strong, new password, which haveibeenpwned.com doesn't indicate is hacked, is OK, so this warning from Chrome is incorrect in that the password clearly has not been exposed? It is either a false positive or it is because of a previous breach related to the domain of the financial institution (online.hl.co.uk).

    Would you contact the financial institution to raise this issue?

    Do you think there is a significant risk from having this password checking service from Google enabled in Chrome?

    I use a separate Chromebook laptop solely for accessing financial accounts. This uses a Google account that I use nowhere else, has a separate (strong) password from all my other laptops and accounts, and employs two factor authentication via a security token. It doesn't even save my Google account email address: I enter it along with the strong password and insert my security token (which I carry with me) every time I use the laptop. I don't use the laptop for anything else. So, given this "false positive", would it be safe enough to disable this Google password checking on this laptop?
     
  5. Page42

    Page42, Registered Member (Joined: Jun 18, 2007; Posts: 6,679; Location: USA)

    It's okay, probably just me.

    I don't believe it is the password that Chrome is reacting to, it is the website. Thus, changing passwords has no effect on the warning.

    I would, definitely. But I would also be prepared for either denial or inconclusive responses, i.e. I envision them not owning it (no pun intended).

    More so than significant risk, I just don't want the open data stream between me and Google. As I see it, it is too blatant. I try to plug those holes, not open them wider. But that's a personal preference, and I'm sure others have valid opinions.
     
  6. Page42

    Page42, Registered Member (Joined: Jun 18, 2007; Posts: 6,679; Location: USA)

    Mind telling us which website?
     