One of the more interesting features in the Google Chrome browser is to highlight any passwords stored in the browser that have been victims of (known) data breaches. The feature clearly aims to help improve our awareness of any passwords that have been compromised in the hope that this awareness will help people rectify matters.
It’s a problem that research from the University of Michigan suggests is pretty large, with many people oblivious to the fact that their accounts have been compromised. What’s more, this is despite not only the number of very high-profile breaches proliferating but also the availability of tools, such as that within Chrome, to help alert people to breaches.
"Despite the prevalence of data breaches, there is a limited understanding of individuals’ awareness, perception, and responses to breaches that affect them," the researchers explain.
The researchers recruited several hundred volunteers and showed them data from three breaches that involved personal account information from each of the volunteers. Worryingly, it emerged that the volunteers were blissfully unaware of 74% of the breaches containing their personal information.
The analysis also found that far from blaming the platform owners themselves for any data breach, most people placed the blame squarely on themselves. Common reasons were that they thought using the same passwords across multiple sites was to blame, or perhaps signing up for somewhat dubious services in the first place. Just 14% of the participants thought that the reason for the breach was related to external factors.
This is worrying as the blame for nearly all security breaches lies not with the practices of consumers but with the platform owners themselves. While there are undoubtedly things consumers can do to ensure that they are as secure as possible online, it’s important that platform owners themselves shoulder the bulk of the responsibility for ensuring that their users are safe and secure.
Have I Been Pwned?
The researchers utilized the Have I Been Pwned website, which lists around 500 breaches that collectively have resulted in around 10 million compromised accounts. The researchers cite the Identity Theft Resource Center, which suggests that this figure is likely to be a significant under-estimate, as they reported over 1,100 data breaches in the US alone during 2019.
As might be expected, the most common piece of information that was leaked in any breach was the user’s email address, with this followed by the password they used, their username, and their date of birth. Interestingly, however, most of the participants appeared pretty relaxed upon finding that their data had been compromised. They generally appeared far more concerned about any possible leaking of their physical addresses or their phone numbers. It was 50/50 whether awareness of the breach would result in a change in behavior or a change in credentials by the individuals involved.
"While some reported intending to take action, most participants believed the breach would not impact them," the researchers explain. "Our findings underline the need for user-friendly tools to improve consumers’ resilience against breaches and accountability for breached organizations to provide more proactive post-breach communications and mitigations."
Ignorance is bliss
While sometimes this relaxed approach could be down to the services that were compromised being seen as unimportant or because the information in the account was not particularly sensitive, the researchers suggest that a lack of awareness of how leaked personal information could actually be used by cybercriminals is also a significant factor.
These risks include identity theft and credential stuffing, with the problem perhaps compounded by the lack of publicity afforded to the majority of data breaches. Indeed, it’s by no means guaranteed that platform owners themselves will notify users of any breach, with many who are bamboozled by poorly worded communication that seeks to diminish the importance of the matter.
Indeed, the researchers previously analyzed notification letters and found that they often use significant amounts of jargon that easily confuse laypeople and obscure the risks caused by the breach. The findings highlight the importance of platform owners doing a much better job of informing users that their data has been compromised, what it means for them, and how they should respond.
In the meantime, the researchers urge consumers to sign up for an identity monitoring service to give them a degree of insight into the security of their credentials. If breaches do occur, do your best to read any notifications you receive thoroughly to understand the full implications and any support you might be entitled to.
If you suffer from identity theft, then services like the FTC’s identity theft plan can help you on the path to recovery, the first step of which is likely to be changing the password of each breached account and any others that use the same password. When creating your new password, it’s also worth creating a unique password for each individual account, with password managers often an invaluable ally in creating and managing strong passwords.