Is your password loose “in the wild”?
Change your password right now. If the notice came via email, don’t click any links therein.
Then come back here to understand why.
There are two different scenarios that could be at play here: one very serious, and one not as serious but still important. And of course there are scams, which are also important to sidestep.
I'm told to change my password
If you’re told to change your password by your device or by a service you use, it’s important that you do so. The password may be “in the wild” and available for hackers to try against your specific account, or against other accounts (yours or someone else’s) that use the same password. How it was exposed may not even be related to you, but it’s important to act on the notification anyway.
The most serious scenario is that the service telling you to change your password has been compromised. Normally they force a password reset, but some simply advise you to do so as soon as you can.
It’s critical that you do so.
There are two likely scenarios:
- The service was breached and actual passwords were part of the breach. This means that the password you used is now “in the wild” and could be used by hackers to hijack your account.
- The service was breached, and while no passwords were exposed, the service is recommending password changes out of caution.
In either case, change your password.
Do this by going to the service online yourself — either typing in the URL or using your own bookmark — signing in, and following their password-change procedure. Do not click on a link in an email to get there.
Many security products, and even devices and operating systems, keep track of the passwords you enter and check them against databases of passwords that have been previously exposed.
Let’s say you use the password “FunTimes1945” on some service somewhere. You may be told that this password has been exposed in a data breach and you should change it.
Here’s the thing: It might not be your account or your usage of the password that was exposed. Someone else may have used the exact same password on some service somewhere else that was breached.
Regardless, that password is now “in the wild”, and hackers will try it with other usernames, possibly including yours, at services all over the internet, possibly including services you use.
You should change that password wherever you use it.
Once again, do this by going to the service online yourself — either typing in the URL or using your own bookmark — signing in, and following their password-change procedure.
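To show how a device can check a password against an exposure database without sending the password itself, here is an added example (not code from Ask Leo! or from any particular product). It follows the hash-prefix (“k-anonymity”) range-lookup scheme that public breached-password services use: the client hashes the password with SHA-1, sends only the first five hex characters, receives every matching hash suffix with its count, and finishes the comparison locally. The breach corpus, the `range_lookup` server and the hit count for “FunTimes1945” are all constructed for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus (NOT real breach data): password -> times seen in breaches.
# "FunTimes1945" is the page's example password; its count of 3 is invented for this demo.
BREACHED = {
    "FunTimes1945": 3,
    "password": 5_000_000,
    "letmein": 250_000,
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range scheme indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- simulated server side -------------------------------------------------
def build_range_index(corpus: dict) -> dict:
    """Index breached hashes by their 5-character prefix: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED)


def range_lookup(prefix: str) -> dict:
    """Simulated 'range' endpoint: the server only ever learns a 5-hex-char prefix.

    Returns every known suffix under that prefix with its count (possibly empty).
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


# ---- client side (what a device or browser does locally) -------------------
def times_exposed(password: str) -> int:
    """How many times the password appears in the exposure database.

    Only the hash prefix leaves the client; the suffix comparison happens here,
    so the lookup service cannot tell which password (if any) was being checked.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_lookup(prefix).get(suffix, 0)


def should_change(password: str) -> bool:
    """Any exposure at all means the password is 'in the wild' and should be replaced."""
    return times_exposed(password) > 0


if __name__ == "__main__":
    for candidate in ("FunTimes1945", "password", "correct-horse-battery-staple-9182"):
        verdict = "CHANGE IT" if should_change(candidate) else "not in corpus"
        print(f"{candidate!r}: seen {times_exposed(candidate)} time(s) -> {verdict}")
```

Note that a “not in corpus” result only means the password is absent from this particular database, not that it is strong or unexposed elsewhere; the page’s advice to use a long, unique password per service still applies.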
Hackers know that many people live in fear of their accounts being hacked. They prey on this fear by sending fake compromise notifications to get you to click on their links to fake sites so they can capture your sign-in information.
- You get an email informing you that your password on service X has been compromised, and you should change it.
- The email includes a link to service X to change your password.
- You click that link and go to service X’s sign-in page.
- You sign in with your existing password, expecting to then change that password.
- You’ve just handed your sign-in credentials to a hacker.
The issue is that the link provided is not to the service at all, but to a fake sign-in page that looks like the service.
This is why I’ve repeated above the importance of not clicking the link provided in email notifications, but going to the service yourself by typing in the URL or using your own bookmark. That way, you know you’re signing in to the service you think you are.
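As an added illustration of why “going there yourself” matters (example code, not part of the original article), the check below does what your eyes should do before trusting a link in a notification email: it extracts the host the link actually points to and compares it with the service’s real domain. The trusted domain `servicex.example` and the sample links are constructed placeholders for the page’s “service X”; the lookalike hosts show common ways a phishing link can resemble the real site while pointing somewhere else.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the real domain of the page's "service X".
TRUSTED_DOMAIN = "servicex.example"


def link_host(url: str) -> str:
    """The host a URL really connects to, ignoring any user@ prefix and path text."""
    return (urlsplit(url).hostname or "").lower()


def link_belongs_to(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the link is HTTPS and its host is the trusted domain or a subdomain of it.

    A host that merely *contains* the trusted name (e.g. trusted.example.evil.test,
    or trusted.example used as a username before '@') does not count.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = link_host(url)
    return host == trusted_domain or host.endswith("." + trusted_domain)


def display_text_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one host but the href goes to another.

    Email clients show the display text; the href is where a click actually goes.
    """
    shown = link_host(display_text) if "://" in display_text else display_text.strip().lower()
    return shown != "" and shown != link_host(href)


# Constructed sample links, as they might appear in a "your password was compromised" email.
SAMPLE_LINKS = {
    "https://servicex.example/account/password": True,          # genuine
    "https://login.servicex.example/reset": True,                # genuine subdomain
    "https://servicex.example.account-verify.test/login": False, # lookalike subdomain of attacker host
    "https://servicex.example@evil.test/login": False,           # trusted name used as userinfo
    "https://servicex-example.test/login": False,                # hyphen/TLD swap
    "http://servicex.example/login": False,                      # not HTTPS
}

if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS.items():
        print(f"{'OK  ' if link_belongs_to(url) else 'FAKE'} {url}  (host={link_host(url)})")
        assert link_belongs_to(url) == expected
    print(display_text_mismatch("https://servicex.example/reset",
                                "https://servicex.example.account-verify.test/login"))
```

Even a link that passes this check is not a reason to click it: the page’s rule of typing the address or using your own bookmark removes the need to judge links at all.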
What if it was a fake? What if you followed my instructions above, went to the service yourself, successfully avoiding the phishing attempt, and changed your password when you didn’t really need to?
There’s no harm in changing your password when you don’t really need to. The reverse is not true: there is definitely potential harm if you need to change your password and don’t.
When in doubt, change your password.
While you’re at it, make it long, strong, unique, and used for one and only one service.