What should I do if my online passwords are compromised?

We explain how to get your security back on track when your online passwords are compromised.

Sunday, 12 May, 2024

There are few aspects of life where people are more likely to deviate from official best practice than password management.

We’ve previously written about their role in data breaches, how hackers use compromised passwords, and the role they play in protecting WiFi networks.

Yet despite plentiful information on how to improve online password security, the value of one time passwords and the merits of password managers, this remains a common point of weakness.

After all, the average internet user is reported to have an average of 240 online accounts requiring dedicated login credentials.

It would be hugely challenging to use a different combination of uppercase and lowercase letters, numbers and symbols for each account, let alone remember them without carrying a notepad around.

Abbreviated reminders in bookmark lists may help to jog your memory, but you’d still need impressive recall to avoid accounts being frozen after several incorrect login attempts.

To avoid the nightmare of resetting passwords, many of us reuse them across multiple accounts – which compounds matters when online passwords are compromised…

Help! My online passwords are compromised!

If you’re reading this after receiving a warning from your chosen web browser or finding your details on the Have I Been Pwned website, a previously used password has been compromised.

Typically, it’ll have been published in a mass online list of user data, obtained through hacking, corporate incompetence or a deliberate leak.

Other reasons why online passwords are compromised include undetected malware, a phishing attack or leaving an account logged in on a publicly accessible device.

Regardless of its cause, the outcome is the same. Your email address (and possibly a username or phone number) has been linked to an active password.

This means anyone could attempt to use these login credentials to access websites, apps, programs and online services.

Specialised bots will repeatedly attempt to log into websites using databases of compromised user credentials, in what’s known as a brute force login attack.

If any of those combinations provide access, criminals can run amok within your accounts – plundering personal data, making purchases, even locking you out while committing fraud in your name.

They will also try numerous other websites once a valid username-and-password combination has been identified on one site, potentially causing exponentially more damage.

Fighting back

Firstly, visit the website/s identified as part of the data breach, and reset your password to something completely different.

It’s no use changing one character or adding a 1 at the end. The original login code and any derivations need to be expunged.

Scroll through your bookmarks or favourites list (ideally on a desktop computer) and identify any other sites where that password might also have been used.

Repeat the process of logging in, changing your password and logging straight back out again.

As you systematically work through a list of potentially compromised sites, apps and services, ensure password reminders (such as in bookmarks) are amended to reflect the new login credentials.

Do the same with filled form data in your chosen web browser, to ensure cookies store updated login details for regularly visited websites.

You should also investigate potential causes of the data breach. If you haven’t been using two-factor authentication, for instance, now’s the time to start.

You might also want to invest in a password manager, which will generate almost uncrackable passwords and deploy them on your behalf while browsing the internet.

Neil Cumins author picture


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!