Punishing users for *possibly* using another site with a breach

I recently received an email notifying me of a forced password reset on one of my online accounts, citing the AdultFriendFinder breach.

I DON’T have an AdultFriendFinder account and have never used that site. Why do I have to reset the password on my social media account?

Twitter, Tumblr, Dropbox, LinkedIn, Spotify and many other companies are forcing password resets or actively reaching out to users to change their passwords.

Why are they concerned?

  • Billions of records are exposed every year in known breaches.
  • That number keeps growing; cybercrime is up 10% from 2015.
  • The average user has about 90 online accounts (active and inactive).
  • Most people reuse the same password across most, if not all, of their accounts.

Because passwords are reused across sites, a breach at one company creates a domino effect for others: a username and password stolen from one site will be tried against accounts on every other site.

Even if your website has not been breached, your users are at risk if they use the same password on multiple sites. Hence the punishing forced-reset notifications and the emails in your inbox asking you to choose a secure password.

After the recent AdultFriendFinder breach, a flurry of these notifications went out.

But why ask me to reset my password when I don’t even have an account with AdultFriendFinder?

Companies cannot tell which of their users have been exposed, so they effectively punish all of them with a forced reset.

What is the solution? 

Facebook takes a different approach. It monitors the dark web and hacker forums for leaked data, collects it, and maintains a database of the exposed credentials. If one of its users’ username and password pairs shows up in that database, Facebook forces a password reset for that user. Only users with known compromised credentials are targeted, which leaves everyone else undisturbed.
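The following is an added example of that targeted approach; it is not Facebook's or PasswordPing's code, and the breach dump and login events in it are constructed sample data. It assumes the site stores its own passwords with a slow, salted hash and so can only compare a user's password against the breach corpus at the moment the plaintext is available, i.e. at login or password change. The corpus is indexed by SHA-256 of the normalized email and of the password rather than kept as plaintext, and the check distinguishes an exact username+password match (force a reset) from a password that merely appears somewhere in a breach (warn), so that users with no known exposure are left alone.

```python
"""Targeted password-reset triage against a breached-credential corpus.

Added example, not code from Facebook or PasswordPing. All data below is
constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def normalize_email(email: str) -> str:
    # Breach dumps and signup forms disagree on case and whitespace;
    # normalize before hashing so the same account matches.
    return email.strip().lower()


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class BreachIndex:
    """Index of a breach dump keyed by hashes so the plaintext is not retained.

    The dump is already public, but keeping only hashes limits what an
    attacker gains if the index itself leaks.
    """

    def __init__(self, records: Iterable[Tuple[str, str]]):
        # Exact (email_hash, password_hash) pairs seen in a breach.
        self.pairs: Set[Tuple[str, str]] = set()
        # How many breached accounts used a given password, under any email.
        self.password_counts: Dict[str, int] = {}
        for email, password in records:
            email_hash = sha256_hex(normalize_email(email))
            pw_hash = sha256_hex(password)
            self.pairs.add((email_hash, pw_hash))
            self.password_counts[pw_hash] = self.password_counts.get(pw_hash, 0) + 1

    def credential_exposed(self, email: str, password: str) -> bool:
        """True only if this exact username+password pair is in the corpus."""
        return (sha256_hex(normalize_email(email)), sha256_hex(password)) in self.pairs

    def password_exposed_count(self, password: str) -> int:
        """Number of breached accounts that used this password (any user)."""
        return self.password_counts.get(sha256_hex(password), 0)


def triage_logins(index: BreachIndex, logins: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Decide, per successful login, whether a reset is warranted.

    force_reset: the user's own credentials are in a known breach.
    warn:        the password is known-breached but not tied to this user.
    ok:          nothing in the corpus; leave the user alone.
    """
    result: Dict[str, List[str]] = {"force_reset": [], "warn": [], "ok": []}
    for email, password in logins:
        user = normalize_email(email)
        if index.credential_exposed(email, password):
            result["force_reset"].append(user)
        elif index.password_exposed_count(password) > 0:
            result["warn"].append(user)
        else:
            result["ok"].append(user)
    return result


# Constructed breach dump (hypothetical accounts, not real data).
BREACH_RECORDS = [
    ("Alice@Example.com", "hunter2"),
    ("bob@example.com", "letmein!"),
    ("dave@example.net", "Summer2016"),
]
BREACH_INDEX = BreachIndex(BREACH_RECORDS)

# Constructed login events on our own site (plaintext is available here
# because the user just authenticated).
LOGIN_EVENTS = [
    ("alice@example.com", "hunter2"),                     # reused breached pair
    ("bob@example.com", "a-different-password"),          # in dump, different password
    ("carol@example.org", "Summer2016"),                  # breached password, other account
    ("erin@example.org", "correct horse battery staple"), # no exposure
]

if __name__ == "__main__":
    print(triage_logins(BREACH_INDEX, LOGIN_EVENTS))
```

Only alice is forced to reset: her exact pair appears in the dump. Bob's email is in the dump, but with a different password, so he is left alone, and carol merely gets a warning because her password, not her account, has been seen before. A production version of the password-only check should avoid sending the full hash to a third-party service (a prefix-range query is the usual compromise), but the triage logic is the same.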

Facebook is huge and most companies do not have the resources to do this themselves.

PasswordPing can help. We do what Facebook does, for organizations that cannot justify the expense and headcount of a full team of dark web researchers. We maintain a massive database of breached credentials and provide tools and APIs that notify you when your users’ credentials are known to be exposed.

With PasswordPing you can protect your users while being more targeted in your password resets, and stop punishing them with unnecessary ones.