Data breach victims aren't changing their passwords


A new study by academics from Carnegie Mellon University's Security and Privacy Institute (CyLab) has revealed that only a third of users actually change their passwords after a data breach announcement.

The study, titled “(How) Do People Change Their Passwords After a Breach?”, is based not on survey responses but on participants' actual browser traffic. The academics analyzed real-world web traffic collected by the university's opt-in research group, the Security Behavior Observatory (SBO), which gathered the full browser history of people who signed up for the purpose of academic research.

The research team then used information collected from the home computers of 249 participants between January 2017 and December 2018. This dataset included not only web traffic but also the passwords used to log into websites and those stored in participants' browsers.

By analyzing this data, the academics found that only 63 of the 249 users had accounts on domains that had publicly announced a data breach during that period. According to CyLab, only 21 (33%) of these 63 users visited the breached sites to change their passwords. To make matters worse, of these 21 users, only 15 changed their passwords within three months of the breach announcement.

Password security

As the SBO also captured the users' password data, the CyLab team was able to analyze the complexity of the users' new passwords.

The research team revealed that of those who changed their passwords, only a third switched to a stronger password. The rest created passwords of weaker or similar strength, and many reused character sequences from their previous password or chose passwords similar to those on their other online accounts.

While the study shows that users are still not receiving proper education when it comes to password security, the researchers argue that the breached services share the blame, as they rarely tell users to reset similar or identical passwords on their other accounts.
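As an added illustration (not code from the study or the article), here is the kind of server-side check a service could run at password-change time to catch the two failure modes reported above: a new password that reuses a character sequence from the old one or is only a small edit away from it, and one that is no stronger than the password being replaced. The thresholds and the crude charset-based strength estimate are assumptions chosen for the example, not values from the paper.

```python
import difflib
import math
import string
from typing import Optional

# Character pools for a rough strength estimate (assumed; not the study's metric).
POOLS = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
         (string.digits, 10), (string.punctuation, 32)]


def estimate_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(size of the character classes used)."""
    size = sum(n for chars, n in POOLS if any(c in chars for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def reused_sequence(old: str, new: str, min_len: int = 4) -> Optional[str]:
    """Longest character run shared by old and new (case-insensitive), or None if shorter than min_len."""
    a, b = old.lower(), new.lower()
    m = difflib.SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size] if m.size >= min_len else None


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] of matching characters between old and new (case-insensitive)."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()


def assess_change(old: str, new: str) -> dict:
    """Classify a password change as too_similar, stronger or not_stronger.

    Thresholds (shared run >= 4 chars, similarity >= 0.6, gain >= 5 bits) are assumed for this example.
    """
    seq = reused_sequence(old, new)
    ratio = similarity(old, new)
    old_bits, new_bits = estimate_bits(old), estimate_bits(new)
    if seq is not None or ratio >= 0.6:
        verdict = "too_similar"
    elif new_bits >= old_bits + 5:  # require a meaningful gain, not one extra character
        verdict = "stronger"
    else:
        verdict = "not_stronger"
    return {"verdict": verdict, "shared": seq, "ratio": round(ratio, 2),
            "old_bits": round(old_bits, 1), "new_bits": round(new_bits, 1)}


if __name__ == "__main__":
    # Constructed sample changes, not passwords observed in the study.
    for old, new in [("Winter2019!", "Winter2020!"), ("hunter2", "correct horse battery staple"),
                     ("Tr0ub4dor&3", "qwerty12")]:
        print(old, "->", new, assess_change(old, new))
```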

If you're worried about your own password security, you can visit Have I Been Pwned to see if any of your online accounts have been involved in a data breach. If this is the case, you should change all of these passwords immediately and make sure that your new passwords are both strong and complex.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide, where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
