How To Find and Update Your Compromised Passwords

How Do You Find Out If Your Passwords Are Compromised?

In early 2024, cybersecurity researchers discovered "The mother of all breaches" — a massive data leak that exposed 26 billion records [*]. Compromised passwords are a major threat to your online accounts, and, more importantly, to your financial life and reputation. 

If hackers know your login credentials, they could seize control of your bank account, email inbox, or social media profiles. 

Even more worrying is that 62% of people reuse the same password (or a close variation) across multiple accounts, which means that a single password leak could risk the security of sensitive data in multiple accounts [*]. 

The first step in password security is knowing which credentials have been compromised — and updating them. In this guide, we’ll explore how you can find out which of your passwords have been leaked and the best ways to keep your accounts safe. 

{{show-toc}} 

How Did Your Passwords Get Compromised? 5 Common Risks

Data breaches hit an all-time high during the first quarter of 2024 [*]. When a company’s database is hacked, sensitive data — including passwords — often ends up for sale on the Dark Web. 

For example, a hacked bank account with a balance of at least $2,000 sells for just $65 on the Dark Web [*].

But data breaches aren’t the only means by which passwords get compromised or leaked to the Dark Web. 

Here are some other common ways your passwords get compromised:

• Phishing attacks. Scammers send bogus emails and text messages purporting to be from bonafide organizations like the Internal Revenue Service (IRS) or Amazon. Typically, phishing emails use urgency or scare tactics to make you panic and share sensitive information or click on links leading to fake websites that steal your passwords.
• Imposter scams and other social engineering attacks. Con artists pose as trusted figures, such as tech support or customer service agents, to gain your trust and get you to share passwords or remote access to your computer.
• Credential stuffing, password spraying, and other brute force attacks. Hackers can use lists of stolen login credentials to gain unauthorized access to multiple accounts. These automated attacks can try millions of combinations each day. This is one of the ways that reusing passwords creates serious security issues. 
• Unsecured Wi-Fi networks. Using public or unsecured networks in hotels or airports can expose your login credentials to cybercriminals who hack and monitor network traffic. 
• Spyware and malware. If you click on infected links or download sketchy attachments, hackers can install spyware on your device without your knowledge. This allows them to spy on you or even record keystrokes, including passwords.

Are Your Passwords Compromised? 7 Warning Signs

Many browsers, devices, and password managers warn you if your credentials have been leaked or compromised — but these features aren’t always as reliable as you may be led to believe. 

For this reason, it’s important that you look for warning signs indicating that your passwords have been leaked, including: 

• Password reset emails that you didn’t request. If unauthorized individuals seize control of your email account, they may try to access other associated accounts by requesting a password reset email. 
• You can’t sign into your accounts. It’s estimated that 80% of all hacked accounts are caused by stolen credentials [*]. If your passwords aren't working, and you're sure they're correct, contact the company’s customer support representatives to alert them of a potential breach.
• Changes to your phone number or email address. Hackers may edit your contact information during account takeovers — including your phone number — to bypass multi-factor authentication (MFA) controls.
• You notice changes to your profile. When you discover unfamiliar activity on your account — like new photos, posts, or changes to public information — regard this as a major red flag that someone else has access to your account.
• Your friends or family members ask about “your” unusual messages. If your contacts tell you they’ve been receiving phishing links or spam messages from your social media or email account, you’ve been hacked.
• Unfamiliar charges on your debit or credit card. Thieves often test small purchases before making large withdrawals or transfers, so you must query even small charges that you don't recognize. 
• Unusual IP addresses or browsers in your account history. If you find that someone else has logged in to your account from an unusual browser, device, or location, consider this a huge warning sign.

💡 Related: How Do Hackers Get Passwords? (And How To Stop Them) →

How To Check for Compromised Passwords on Any Device

Remedying your password vulnerabilities is one of the best ways to protect your accounts — but it’s not always easy to uncover all compromised passwords. 

Here’s how to detect compromised passwords across various devices and platforms: 

How to check for compromised passwords on the Dark Web 

Most stolen passwords end up for sale on the Dark Web. For example, in February 2024, the remote access firm AnyDesk revealed that 18,000 user credentials were listed for sale on hacker forums for $15,000 [*]. 

While visiting the Dark Web yourself is risky (as you could expose further information), it’s wise to check your exposure after a data breach.

How to check the Dark Web for compromised passwords:

• Use a free Dark Web scanner. Aura offers a free scanner to check common Dark Web marketplaces for your credentials. While free scanners like this one (or the one provided by HaveIBeenPwned) offer good starting points, they are often less comprehensive than dedicated Dark Web monitoring services.
• Sign up for Dark Web monitoring. Dedicated paid services constantly scan the Dark Web and data breaches to give you the most up-to-date information about hacked passwords. For example, Aura monitors more than 70 pieces of your sensitive information that could have been leaked — such as your Social Security number (SSN), IDs, and phone number. 

How to check for compromised passwords on Chrome, Safari, or Edge

Most modern browsers include built-in password managers to save and automatically fill in (autofill) login credentials when you visit websites. These tools can also sometimes warn you if a password has been leaked. 

How to check for compromised passwords on Chrome:

• Click on the three dots in the upper-right corner.
• Select Settings > Autofill and passwords.
• Select Google Password Manager, and then choose Checkup. The system will quickly identify any at-risk passwords. 

How to check for compromised passwords on Safari:

• Open the Safari browser on your MacOS, and go to Preferences.
• Click on the Passwords tab.
• Enter your user password or use Touch ID. Once you've got access, you’ll see a list of your saved passwords. Any compromised passwords will show a warning symbol, which you can click on to read more information. 
• Follow Safari's security recommendations to secure each account that has a weak or compromised password.

How to check for compromised passwords on Edge:

• Open Microsoft Edge on your desktop or laptop computer.
• Click on the Settings and more (ellipsis) button in the top-right corner.
• Go to Profiles; then under the “Your Profile” section, select the Password option.
• Switch on the toggle to Show alerts when passwords are found in an online leak.
• Select the View results option to enter the Fix leaked passwords page.
• Select Scan Now. If any of your passwords have been found in a data leak, Microsoft Edge will list them with a Change Now option.

💡 Related: Was Your Gmail Account Hacked? Do This! →

How to check for compromised passwords in a password manager

Third-party password managers are more advanced applications than the tools built into your browser. After a data breach, these applications warn you of compromised passwords and may even include a secure password generator to help you create and save new, strong passwords.

How to check password managers for compromised passwords:

• Open the security dashboard. While this step may vary depending on your password manager, you should be able to find the dashboard within your account settings.
• Check for at-risk accounts. In the dashboard, password managers will show which accounts have compromised passwords. For example, in LastPass, you can see all accounts that have weak passwords (or accounts for which you reuse passwords). ‍
• Use the password creation features. The best password managers help you generate and store strong, unique passwords for all of your accounts. You can create virtually impenetrable passwords instantly and never have to worry about remembering them.

How to check for compromised passwords on iPhones and iPads

If you use your iPhone or iPad to autofill and save passwords, you’re already one step ahead of most hackers. By default, iOS-made passwords are 20 characters long and combine uppercase and lowercase letters, numbers, and symbols — making them very hard to crack. 

But this doesn’t protect your other passwords, or stop someone from hacking into your iPhone or iPad. 

Luckily, you can easily check to see if any of the saved passwords on your iOS device have been compromised. 

How to check iPhones and iPads for compromised passwords:

• Review your security recommendations. Go to Settings > Passwords > Security Recommendations on your tablet or smartphone. You'll see a notification if any of your accounts have a compromised password.
• Select an account. The system will prompt you to change the compromised password. Tap on Change Password on Website to continue and secure your account.
• Update your login credentials. Tap on Change Password, and then create your new password on the website or mobile app.

💡 Related: What Is a Password Spraying Attack (How To Protect Yourself) →

How to check for compromised passwords on Macs

Mac computers can also help you identify any saved passwords that have potentially been breached. 

How to check Macs for compromised passwords:

• Click on the Apple icon in the top-left corner of your screen. 
• Then, select System Preferences > Passwords (the button with a key icon).
• Sign in with your Mac’s password. You can use the same password that you use to log in to your computer.
• Finally, select the account you wish to update in the left sidebar, and choose Change Password on Website.

How to check for compromised passwords on Androids

All Android phones have the same password manager as Google Chrome because they share the same databases. Any passwords that you save on your Android phone or tablet will automatically be saved to the Google data repository. 

How to check Android devices for compromised passwords:

• Go to Settings, and tap on Google.
• Tap on Manage your Google Account > Manage your account in Android.
• Scroll left, and tap on Security; then scroll down the list, and tap on Password Manager.
• Tap on Password Checkup. If you have any compromised passwords, you’ll see notifications here. Reused and weak passwords are highlighted, so you can make updates before anyone hacks your accounts. 

💡 Read more: How To View Your Saved Passwords on Any Device →

How To Create Strong Passwords and Secure Your Accounts

Once you’ve identified your compromised passwords, it’s important to update them with the strongest possible credentials. 

Here are eight steps to improve your account security:

• Make it unique. Many people reuse the same password on multiple accounts, which means a hacker could easily take over several accounts upon discovering the password. Make sure every account has a different password.
• Make it long. Go beyond the minimum eight-character standard to create passwords containing 10-15 characters. 
• Make it hard to guess. Rather than choosing obvious password options such as a birthday or pet's name, consider using passphrases with no direct connections to your life.
• Use a mix of characters, cases, special characters, and symbols. Your password doesn't have to be a logical phrase. It is more difficult to crack if you use a random sequence of numbers, letters, and characters.
• Don’t follow easy keyboard paths. The classic patterns of “123456” or “qwerty” are overused and easily guessed.
• Avoid common substitutions. Hackers have a dictionary for brute force attacks that includes thousands of commonly used passwords. It's best to avoid simple variants like "pa$$word" — as these obvious substitutions are easy to crack.
• Use a password manager. It's hard to remember passwords — especially when you have dozens of online accounts. You can create and store unique, complex login credentials for every account with Aura’s secure password manager.
• Enable two-factor authentication (2FA). When you add a second verification factor to your accounts — like biometrics or a hardware security key — you have backup security even if your password is compromised.

💡 Related: How To Remember Passwords (and Secure Your Accounts) →

The Bottom Line: Weak Passwords Can Put You at Risk

Hackers are constantly looking for new ways to break into online accounts — and with data breaches surging, even secure passwords can be leaked. 

Relying on your browser’s built-in password manager is better than nothing; but for the best protection and peace of mind, choose Aura. 

Aura’s all-in-one digital security platform offers a wide range of Safe Browsing tools — including a military-grade VPN and a robust password manager that safeguards your login credentials and online accounts against hackers and identity thieves across all browsers and devices. 

Keep your passwords, identity, and finances safe. Try Aura free for 14 days.