SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Google's new Chrome feature warns about compromised logins
Fri, 8th Feb 2019

This week Google released new measures in a bid to provide better security for its users' data.

Announced in a blog post, the global giant asserts they're always striving to ensure all data is secure, whether its users are consuming Google products or checking out their favourite websites and apps.

Its two latest updates designed to keep data secure are Password Checkup and Cross Account Protection.

Beginning with the former, Password Checkup is a Chrome extension that works to protect accounts from third-party data breaches by proactively detecting and responding to security threats.

The company already automatically resets the password on Google Accounts if it detects they may have been compromised in a third-party data breach (a measure the company asserts reduces the risk of an account being hacked by a factor of 10), but this feature operates a little differently.

With the Password Checkup Chrome extension, Google can detect if a username and password combination on a site you use is one of over 4 billion credentials it knows have been exposed. It will then trigger an automatic warning and suggest that you change your password.

Of course, there is the issue then of where Google stores all this information, but the company says it has it covered.

“We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University,” the blog reads.

“This is our first version of the Password Checkup, and we'll be refining in the coming months. You can take advantage of these new protections right away by installing the extension.”

And now for Cross Account Protection. For the worst-case scenario in which a hacker has found their way into a Google Account, the company has a number of tools designed to get users back to safety. However, these protection methods haven't extended to the apps that users sign in to with Google Sign-In.

“Cross Account Protection helps address this challenge. When apps and sites have implemented it, we're able to send information about security events—like an account hijacking, for instance—to them so they can protect you, too.”

And again to protect user privacy, Google has designed the security events to be extremely limited, sharing only:

  • The fact that the security event happened

  • Basic information about the event like whether a user's account was hijacked or Google forced a user to log back in because of suspicious activity

  • This information only with apps where users have logged in with Google

“We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement,” the blog post reads.

“With technologies like Password Checkup and Cross Account Protection, we're continuing to improve the security of our users across the internet, not just on Google. We'll never stop improving our defenses to keep you safe online.”

Of course, there are already a number of freely available services on the internet similar to Google's Password Checkup, such as Have I Been Pwned, the Identity Leak Checker and Firefox Monitor, that offer to check if your credentials or other personal details have been compromised in one of the numerous breaches that occur every year.