Google Chrome

Google is adding a built-in data breach notification service to the Chrome browser that will alert users when they are logging into sites with credentials that have been exposed by breaches.

With the constant leaks of account credentials from data breaches and the rampant password reuse commonly seen among users, data breach notification services were created to alert users when their email addresses were included in a data breach.

One of the more popular services is Have I Been Pwned, and Mozilla partnered with them to launch a Firefox Monitor service that is being integrated into the Firefox browser.

Not to be outdone, Google also recently launched a new data breach service through their Chrome Password Checkup browser extension, which, when installed, alerts users if their user names and passwords were compromised when they log into a site.

Through the use of the Password Checkup extension, Google conducted a study that estimates 1.5% of all logins have been compromised in data breaches. This study also showed that 26% of users who were shown a data breach notification changed their password.

Chrome to get built-in data breach notification

As this study showed that providing notifications of compromised login credentials was beneficial to users, Google is now building this support directly into the Chrome browser.

While this new "Password protection" feature is not fully developed yet, Google Chrome bug posts [1, 2, 3, 4] give us some insight into how the feature will work.

When the password protection feature is enabled, a new option will appear in the Google Chrome password manager that allows you to toggle on and off the compromised login detection feature.

Password protection feature

For this feature to work, a user must first be logged into the browser. Once logged in, when the user successfully logs into a site with credentials that have been seen in multiple data breaches, Chrome will display the following "Data breach reported" alert.

Credentials found in multiple breaches

If the credentials were only exposed in a data breach for a particular site, the notification will be slightly reworded to include the name of the site.

Exposed in single data breach

It is not currently known what the "Check passwords" button will do, but it may bring the user to a page describing the breach and recommending a stronger password.

For enterprise users, Google will be adding a new policy titled "PasswordLeakDetectionEnabled" that will allow administrators to disable the password protection feature in Chrome.

Enabling the password protection feature

While this feature is still being developed, some of the user interface elements are in place in the Chrome 78 Canary build behind a flag.

To enable the Password Leak feature, go to chrome://flags and search for "leak". When the "Password Leak Detection" flag is shown, set it to Enabled and relaunch the browser when prompted.

Password Leak Detection flag

Once Chrome has restarted, you will see the new feature under the browser's password manager.

H/T Techdows.com
