Breached Passwords

Overview

ChargeOver is taking further steps to ensure your data is protected by checking for breached passwords. You will be informed if the password you logged in with was involved in a data breach of some other company, so that you can immediately change your password and secure your account.

What it means to have a breached password

If your password was breached, that means it was exposed to the public in a security incident of some other service, and others could access it. This doesn't necessarily signify that your ChargeOver account was compromised, but it does put your account at risk. Someone with malicious intent could access your breached password, and try to access your account. They could also try to access other accounts with that breached password, since many people tend to reuse passwords. If you find that your password was breached, it's vital to change it to something more secure right away.

How we check for breached passwords

Once you log into ChargeOver, HaveIBeenPwned is used to check if the password you entered was involved in a data breach. Nobody can access your actual password, not even during this password check. Only the first 5 characters of an SHA-1 hash of your password are sent to HaveIBeenPwned.

HaveIBeenPwned is a trusted third party, supported by the FBI and the UK's National Crime Agency (NCA). It was built by Troy Hunt, a Regional Director and Most Valuable Professional at Microsoft, who has also spoken internationally on information security. HaveIBeenPwned was built to help people easily and freely be able to see if they've had information leaked in a data breach. Learn more.

Here's how the process works:

Steps

  1. You successfully log into ChargeOver

  2. Behind the scenes, the prefix (first 5 characters) of your password hash is automatically sent to HaveIBeenPwned

  3. HaveIBeenPwned searches through a data set of passwords that were previously leaked in data breaches, looking for ones with a hash prefix matching the prefix of your password hash. For every match, the suffix (the remaining characters after the first 5) of that matching hash is added to a list, along with how many times it was seen in breaches. HaveIBeenPwned then sends that list back to ChargeOver. You can learn more about this process and see an example here.

  4. ChargeOver checks the returned list to see if any of the password hash suffixes match the suffix of your password hash. If there's a match, your password was involved in a data breach, and ChargeOver will immediately prompt you to change it to keep your account safe.

    Info: If you are shown this prompt, you will need to click Send password reset email and change your password in order to proceed into ChargeOver.

How to see where your data was breached

When a password is found to be breached, there is no information given regarding where it was leaked. ChargeOver can only see whether the password was breached or not.

To see where your data may have been breached, enter your email in HaveIBeenPwned. They will tell you if your email was seen in any data breaches, and where. They will also specify what data was compromised, such as email addresses, passwords, etc. You may be able to get an idea on where your password was leaked by finding passwords in the compromised data for places your email was breached.