How to Tell if Your Password Has Been Compromised
June 2024
How to Tell if Your Password Has Been Compromised

Generating a unique, random password and storing it in your password manager is, without question, a smart way to protect an online account. But it is, by no means, enough protection. Every year, billions of records are exposed in data breaches, creating a growing market across the dark web for stolen login data. Hackers use this data over a wide range of sites to compromise your services, credit, banking—most every aspect of your life. We’re here to tell you how they do this, and what you can do to stop them.

What can hackers do with your password?

Hackers use your stolen login data in a form of cyberattack known as ‘credential stuffing’. Here’s how that works:

  • A hacker loads up a database with as many usernames and passwords as possible.
  • Those login credentials are fed into an automated hacking tool that works to unlock a website.
  • The more credentials the hacker has, the more potential ‘keys’ they can use to ‘unlock’ your account.

Credential stuffing is so prevalent that the great majority of logins on retail sites comes not from customers, but rather from hackers trying to access their accounts.

Access your other online accounts

Once a hacker has used ‘credential stuffing’ to get into one online account, they can try those login credentials on other sites, and sometimes get lucky. Millions of people use recycled usernames and passwords on different sites. And if that doesn’t work, hackers can attempt what is called a ‘brute force attack’, firing off multiple variations of your original credentials at a site till one hits the mark. And if that doesn’t work, they are not out of options. Compromising a single online account not only allows a hacker to make fraudulent purchases in your name, but it also gives them access to:

  • Your payment information
  • Your personal information

This means they may now have one of your credit or debit card numbers, along with your phone number, email address, billing address, shipping address, even date of birth. More than enough to provide a possible pathway into your financial accounts.

Access to your financial information

With one debit card number and your basic personal information, a fraudster has the tools they need to gain access to your banking with:

  • Fake banking apps: Most banks have an app that you can log into and check your account. This gives hackers a way to manage your money. They create a perfect replica of your bank’s app. Notify you via SMS text to download this new version. Once you’ve done that, and then enter your username and password, those credentials are sent to the hacker.
  • Mobile banking Trojans: These are not replications of a bank’s official app. Instead, they are free, unrelated apps you are invited to download which contains a ‘Trojan’ that scans your phone for banking apps. When you launch that banking app, the malware inserts a screen that looks identical to the app you just opened. Once you log in, your credentials are uploaded to the hacker.
  • ‘Phishing attack’: Once a hacker has your credit card or debit card number and your email address, they can email you a notification that not only looks like it is from your credit card company or bank, but the return address will also seem real, unless you inspect it closely. This is a form of cyber-attack called ‘phishing’ and the email will ask you to clarify a charge or withdrawal by simply clicking on a link and signing into your account. Of course, once you do, the hacker has your login credentials.
  • Keyloggers: Let’s say you hit that link sent in the phishing email.
    But did not go any farther. Unfortunately, just by hitting that link you may have unleashed a type of malware called a ‘keylogger’, which will simply record whatever you are typing and send that to the hacker. So – if you type in your banking address, then your login credentials, guess who now has that, too?

Access to your family & friends

‘Keyloggers’ and other malware can create different kinds of mischief, as well. If you access your personal contacts on your computer, a hacker can access them at the same time, and now they have a new treasure trove of names, phone numbers, and email addresses to exploit, using the various types of cyber-attacks listed above.

Check to see if you were part of a data breach

Obviously, you’d like to prevent any of your login credentials from being exposed, but unfortunately, you can’t stop a data breach. However, you can find out if your passwords were compromised via a breach, thanks to an ingenious Microsoft regional manager named Troy Hawkins.


In 2013, Hawkins created the Have I Been Pwned searchable data breach database, which is currently the most popular way to find out if your password has been stolen. You simply enter your email address or username, and details about any data breaches that involve your credentials will appear. You don’t have to worry about further credential compromise because the passwords that correspond to your email address are not stored in the database.

Unusual logins on online accounts

Beyond HaveIBeenPwnd.com, there are other signs that will tell you your credentials have been compromised. Be on the lookout for unusual or failed logins on your accounts. These can include:

  • Logins at an unusual time or location
  • Logins from a number of different locations
  • Logins from new devices
  • Numerous unsuccessful login attempts

Being locked out of your accounts

Numerous unsuccessful login attempts will usually trigger the site’s fraud protection system, and you will be locked out of your own account. Obviously, if this wasn’t you attempting the login, you know your credentials have been compromised. Contact customer support to have your account unlocked.

Unusual social media activity

Keep an eye on your social media accounts as well for unusual messaging and posts that ask friends for money, or promote a particular link, that may unleash malware onto your unsuspecting community.

What to do next

Once you’ve determined your login credentials have been compromised, you’ll want to take immediate steps to restore the integrity of your passwords, and then ensure that your personal information is protected from now on.

Change your passwords

There are numerous password generators online which create passwords that are unique and random. Use one of these generators to replace all your passwords.

Use a password manager

Next, store those unique/random passwords in a password manager, which is essentially an encrypted digital vault that stores all the login information you use to access your apps and accounts. You won’t have to remember what password works for what account, the password manager will do that for you.

Help protect your information with IDShield

Last, but certainly, not least is protecting your personal information. IDShield monitors your Personally Identifiable Information (PII) from all angles, and if your identity is stolen, we provide full-service identity restoration to restore your identity to its pre-theft status. To help ensure that your private information remains private, our online privacy and reputation management services let you take back control of your personal data. From scanning and monitoring social media accounts for reputation-damaging images and harmful content to providing a VPN, malware protection and password manager, IDShield offers the peace of mind needed in today’s digital world.