This may sound over-dramatic, but I don't think it is; there are few things that…
A customer just received an eMail from Google with the above subject line – and wanted to know if it was legit (and if they needed to do anything). The eMail from Google is legit; but the answer to the question of whether or not anything needs to be done is “it depends”.
Basically the way it works is:
- Google knows your eMail address (no surprises there).
- Google knows a lot of the passwords that you use for various sites – and the sites that you use them on – because you tell Chrome to remember them for you.
So what Google does, as a free service, is compare your address with the addresses exposed in sites that have had security compromises – and let you know if there’s a match. From there they can help you identify which passwords are associated with the breached data – and thus the other sites they know about where you use the same password.
If you want to check manually then there’s a great site to help with that: https://haveibeenpwned.com/
The problem is that many people use the same passwords (and by default the same eMail addresses) for multiple sites – so the answer to the “do I need to do anything” question is: “it depends on what password was used” and “whether the site is still needed”.
I’ll give you some scenarios.
- If the passwords you used for the identified site(s) weren’t used anywhere else – and you don’t care about/don’t use those sites anymore – then you don’t really need to do anything (although it still might be a good idea to change them to prevent any further information being revealed).
- If the passwords you used for the identified site(s) WERE used for other sites then the bad guys can now pretend to be you on all those sites (accessing everything you can access and possibly even changing your password to lock you out — depending on whether they do that directly or via an eMailed password change link). If this is a problem then you need to change the password for ALL the sites that used these passwords … NOT JUST THE IDENTIFIED SITES (<– that bit is important).
- If the passwords you used for the identified site(s) weren’t used anywhere else – but you do still use either of these sites then all you need to do is change the passwords on these sites.
The Google security check can help identify which other sites use these passwords … but only if Google knows about them; if Chrome hasn’t been told to remember a password then you’re just as vulnerable on that site … but Google won’t know about it. So it’s helpful, but not all-encompassing.
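To make the two checks above concrete – “which other sites share this password?” and the manual lookup at haveibeenpwned.com – here is an added example (my own illustration, not Google’s or Have I Been Pwned’s code). It assumes a saved-passwords export in the four-column shape Chrome produces (name, url, username, password) with made-up accounts, and it follows the Pwned Passwords range scheme: only the first five hex characters of the password’s SHA-1 would be sent to the service, and the remaining 35 are matched locally against the returned `SUFFIX:COUNT` lines. The network call itself is replaced by a constructed response so the script runs offline.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the shape of a Chrome "Export passwords" CSV
# (columns: name,url,username,password). Every account and value here is made up.
SAVED_PASSWORDS_CSV = """name,url,username,password
Shop A,https://shop-a.example,alice@example.com,Summer2019!
Forum B,https://forum-b.example,alice@example.com,Summer2019!
Bank,https://bank.example,alice@example.com,t7#Vq!2pL9z&wR
Webmail,https://mail.example,alice@example.com,Summer2019!
Newsletter,https://news.example,alice@example.com,correct-horse-battery
"""


def load_saved_passwords(csv_text):
    """Parse the export into a list of (site, username, password) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["url"], row["username"], row["password"]) for row in reader]


def sites_sharing_password(entries, breached_site):
    """Other sites whose saved password is identical to the breached site's."""
    by_password = defaultdict(set)
    for site, _user, password in entries:
        by_password[password].add(site)
    shared = set()
    for site, _user, password in entries:
        if site == breached_site:
            shared |= by_password[password] - {breached_site}
    return sorted(shared)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally (the k-anonymity scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_response):
    """Return how many times the password appears in a range response.

    range_response is the text body the range endpoint returns for the
    password's 5-char prefix: one 'SUFFIX:COUNT' line per known hash.
    The full hash never leaves the client; only the prefix is queried."""
    _prefix, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        hash_suffix, _sep, count = line.strip().partition(":")
        if hash_suffix.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def simulated_range_response(prefix, breached_counts):
    """Constructed stand-in for the network call, so the example runs offline.

    breached_counts maps plaintext passwords to made-up breach counts; only
    those whose SHA-1 shares the queried prefix appear, as the real service
    would return, padded with two filler suffixes that match nothing."""
    lines = ["0" * 34 + "1:7", "F" * 34 + "E:3"]
    for pw, count in breached_counts.items():
        pw_prefix, pw_suffix = sha1_prefix_suffix(pw)
        if pw_prefix == prefix:
            lines.append(f"{pw_suffix}:{count}")
    return "\r\n".join(sorted(lines))


def audit_breached_site(entries, breached_site, breached_counts):
    """For each password saved for the breached site, report its breach count
    and every other site that would fall with it."""
    report = {}
    for site, _user, password in entries:
        if site != breached_site:
            continue
        prefix, _suffix = sha1_prefix_suffix(password)
        response = simulated_range_response(prefix, breached_counts)
        report[password] = {
            "seen_in_breaches": pwned_count(password, response),
            "also_used_on": sites_sharing_password(entries, breached_site),
        }
    return report


if __name__ == "__main__":
    entries = load_saved_passwords(SAVED_PASSWORDS_CSV)
    # Made-up counts standing in for what the real service would report.
    fake_counts = {"Summer2019!": 4200, "password": 99999}
    for pw, info in audit_breached_site(entries, "https://shop-a.example", fake_counts).items():
        print(f"password used on breached site seen {info['seen_in_breaches']} times;"
              f" also used on: {', '.join(info['also_used_on']) or 'nothing else'}")
```

The point the script makes is the one in the scenarios above: a breach of Shop A is not a Shop A problem, it is a Forum B and Webmail problem too, because the same password is saved for all three. The bank password, being unique, stays contained. Replacing `simulated_range_response` with a real request to the range endpoint changes nothing else, since the prefix/suffix split is what keeps the password itself off the wire.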
It’s a problem we see quite often; someone says something like “my gMail account got hacked” or “my Outlook account got hacked” when in reality it didn’t – it’s just that they used the same address and password on 50 different sites. One of those sites had a data breach that revealed their address and password … which the bad guys then tried on every other common site (automatically) to see what they could get into. Hence the reason it’s REALLY a good idea to have unique passwords for each and every online account; it limits the damage that can be done to just the 1 site.
Fundamentally the seriousness can range from “no issue at all” to “really serious stuff”. The most important thing is to protect your bank account and – thankfully – the banks usually have that covered off quite well (but it’s still worth thinking about). Next most important thing is to protect your eMail account (because it’s the usual way that people recover “lost” passwords).
Google (and many other sites) support multi-factor authentication – requiring a code sent to your phone (or other ways) to verify that it’s you trying to get in – I highly recommend setting that up (and setting up recovery codes at the same time so you can’t get locked out). If multi-factor authentication is turned on – and the bad guys get your username and password – they still can’t get in … and I like to joke that if they have your username and password and phone and PIN/face to get them into your phone then … you’ve probably got bigger things to worry about!
Hope this helps someone.