You might have encountered the following warning when trying to create a new account on a WordPress website, or when changing the password of an existing account:
“Warning: This password has been found in (X) data breaches. Please choose a different password.”
This message appears due to an active security measure on the website where you tried to register, which is designed to prevent accounts from being hacked due to the use of previously breached credentials.
What does this warning mean?
If you’ve received this warning, it means that the password you have entered has previously been exposed in known data breaches.
The warning does not mean that your Account on this specific WordPress website has already been compromised, but it indicates that the password you’re trying to configure has been found in lists of passwords from other websites that experienced security breaches in the past.
Why is this important?
Reusing a password that has previously been exposed in data breaches greatly puts your account at risk. In fact, the use of previously compromised credentials is one of the more common causes for WordPress accounts getting hacked.
Hackers often use lists of breached passwords to attempt “credential stuffing” attacks, which involves trying known/breached passwords on various websites. If you re-use the same password across multiple sites, a breach on one site could compromise your accounts on others. Choosing a unique password that hasn’t been involved in known breaches therefore greatly reduces the risk of unauthorized access to your account.
What can you do to prevent this?
If you encounter this warning, the website where you’re trying to register has enforced the requirement for all users to select strong, unique passwords which do not appear in any known data breaches. To proceed with the registration and create a secure password, you can follow these steps:
- Choose a different password: Ensure that you create a new, unique password that you have not used on any other websites.
- Enter a strong password: Use a combination of uppercase and lowercase letters, numbers, and special characters. We recommend to aim for at least 12 characters; but longer is even better.
- Consider using a passphrase: Instead of a single word, try using a phrase that’s easy for you to remember (but hard for others to guess).
Frequently Asked Questions
If I see this message, does this mean that my Account has been hacked?
No, this simply means that the password you’ve chosen has been found in previous data breaches from other websites.
Why can’t I use this password, even though I have never used it before?
Even if you’ve never used this password, it has been exposed in data breaches. As hackers often try known breached passwords on various accounts, this puts your account at risk.
Is my password being sent to a third-party service when I try to register an account or change my password?
No, your full password is never transmitted to any third-party service. We use a highly secure method (read more) to check if your password has appeared in known data breaches.
- We take only the first 5 characters of a specially encoded version of your password (called a “hash”).
- This small piece of information is compared with HaveIBeenPwned’s database of known breached passwords.
- The database returns a list of partial matches.
- Our system checks if the password matches any items in this database, all without ever sending the actual password anywhere.
This process ensures that your password remains private and secure, whilst still allowing us to check if it has been compromised in past data breaches.