I am getting a popup message saying that "A data breach on a site or app exposed your password."
I am getting a popup message saying that "A data breach on a site or app exposed your password." I have deleted all my saved passwords and still get this message on some sites.
All Replies (560)
Relevant Answer
Am getting the same thing. Changed password, got same worrying pop up with new password.
Relevant Answer
Same here. Changed all my passwords. I just hope it’s not a scam 😟
Relevant Answer
Is this a scam or legit?
Relevant Answer
Same here, what is the reason for this?
Relevant Answer
I got it too. Going to leave Google for good.
Relevant Answer
Is this happening via the Google Chrome web browser, or another web browser?
Have you installed a browser extension related to this?
Relevant Answer
It was when I went into my Google browser.
Relevant Answer
This happened to me yesterday. I suddenly could no longer log into my battle.net account even though the credentials were typed correctly since I use them almost every day. After recovering my password and logging in on the website this error popped up, I'm a bit concerned lol.
Relevant Answer
THIS HAPPENS IN THE GOOGLE BROWSER.
Relevant Answer
As this is a Google Chrome related issue, likely due to an extension, I’m transferring this post to the Google Chrome support forum.
Relevant Answer
I would treat it as suspicious until further notice...and don't change anything!
Relevant Answer
This is a genuine feature of Chrome built into the latest version. It used to be an extension but now is part of the core browser. If you get this message you need to follow the instructions.
Relevant Answer
It's legit (i.e. really from Chrome). My Chrome browser last updated about a week ago [to 'Version 79.0.3945.88 (Official Build) (64-bit)'] and I got the popup for the first time today (when logging into DropBox). I found this article: https://lifars.com/2019/08/google-will-warn-you-if-your-credentials-were-exposed/ from August indicating that 'Password Checkup' is a new Chrome feature, a security service that Google released the beta version of in February. It became widely available as an extension in August and Google indicated then that it was planning to build it directly into its Chrome browser. The article explains what it is and how it works...
Relevant Answer
Just got one too, not going to follow up on it now.
Relevant Answer
I got one also. I'm a web developer, I was just testing my site then I got the error, I thought I had done something wrong 😐
Relevant Answer
same here, it said 68 of my passwords have been exposed on a third party site.  WHAT THE F !?!?!?!??!

GOING TO BRAVE BROWSER FOREVER
Relevant Answer
Can it show you where the breach was?
Relevant Answer
Same here, why has it only just started doing this? And how can I find out which app may have breached it?
Relevant Answer
I am psychiatrically disabled & do not understand much of what is said here.
I don't understand the world the way most people do.
Your patience & understanding for us disabled is greatly appreciated.
Does anything truly need to be done?
Please explain what this means in more simple terms.
Please provide exact instructions if we chrome customers need to do anything.
Thank you.
Relevant Answer
This happened to me after I noticed that my username and password for the specific site I wanted to log in was displayed in the browser on my first attempt to log into the site. I felt something was wrong, and I don't think it has to do with chrome extension.
Relevant Answer
Ok so I recently downloaded the Hulu App and an App called Relax Melodies before getting this notice. Does anyone else know if they downloaded one of these two Apps recently? I know it's a reach but I need to know what's going on.
Relevant Answer
Weird... I downloaded Relax Melodies on my phone recently too
Relevant Answer
Another f***ing popup!
Relevant Answer
I got the same, can Google also tell where it was compromised or what app leaked this?
Relevant Answer
I don't care that it is from Google. If they know it is a data breach, then they know which accounts are affected. Telling people they have to change all passwords because one may have been breached is not going to result in more security. These breaches are on a regular basis so if you do not know which one is affected then you will force people to change what could be 50 passwords a week. People will end up keeping lists that are a risk in themselves or ignoring the messages. If they want to be actually helpful they will name the sites with the breach.
Relevant Answer
Sean, I agree with you. A vague message with no detail is useless!
Relevant Answer
My question is where did the breach come from. In the past when there have been breaches like this it has made the news and there have even been settlements in some cases. There are only two possible culprits- Google or whatever website you're on that it is prompting you to change the password for. Can we get more info about what happened and how Google knows about it?
Relevant Answer
I am getting the same pop up on every single site I visit where I have an account - hundreds of sites! Who is responsible for the data breach, when was it "breached" and by whom and to whom?  I am subscribed to a site called Have I been pwned https://haveibeenpwned.com/ which always advises about data breaches but nothing has come recently. So how about an explanation from someone?
Relevant Answer
Yes, same here. May I know which site holds my passwords? It just seems ridiculous to me because I only use the password within the company's intranet, and I only use the feature "remembering passwords" provided by Chrome. Does something happen on Chrome side?
Relevant Answer
So, let me see if I have this right. Google is warning me that one (or more I suppose) of the 96 (yes, that's what I said NINETY SIX) accounts I created over the years had a data breach, not identifying it, or indicating any other details and I am now expected to change the username/password to 96 different username/password combinations.  This is the most ridiculous example of 'solution looking for a problem' that I've seen in 20 years of Internet usage. No one is going to do this, and even if they do, it seems the popup still has a reasonable chance of recurring regardless.  So people are just going to turn it off in their settings.

It's clear to me that this is nothing more than Google avoiding litigation down the road. Now that they have the technology to do this, they have to implement it, otherwise they could certainly be open to liability in the event a serious breach occurs. Forcing the user to turn it off themselves neatly transfers the liability to the individual. 

Problem solved. At least for Google.

What a farce.
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Brian -- Not quite. Google is warning you to change your password for sites/apps where you use the same email/username and password you just entered when you see the warning. If that means you have to change 96 passwords, best practice has strongly encouraged people not to use the same password across different websites for some time now.
Relevant Answer
When I click on change password in the pop up window it takes me to a list in Google of all the compromised websites and then I change the password in all of them. Do you mean there’s more that Google won’t know about?
Relevant Answer
I've been getting this as well and changing passwords (including Google itself) hasn't helped. The way it works seems confusing and too general to be helpful. If you have hundreds of passwords, do you have to change them all? Is it safer not to let Chrome store passwords?
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Larry -- As I mentioned above, the new message is a warning about the username/email and password combination that you just entered. That combination has been compromised in a breach of a website/app. What that actually means is you need to change your password on all websites/apps where you are using the same username/email and password combination, so no you do not need to go change all your passwords necessarily. 
 
Is it safer not to let Chrome store passwords?
No, letting Chrome store them is actually safer as Chrome will suggest random, strong passwords for you and securely store them for you, so you don't have to remember them. That solves the issue of reusing passwords and means you have a strong unique password for each website.
Relevant Answer
     Ann - I agree, david.king's answer is confusing, and I'll get to that in a minute. But first I'm going to clarify something you said for others' benefit...
     Google does not take you to a list of all your compromised websites; it takes you to a list of all the websites for which you use the exact same login and password as the one(s) that was compromised. For example, in April it was discovered that evite.com's database archive going all the way back to 2013 had been breached. Hackers stole the usernames (logins) and passwords of everyone who had an evite account at any time between 2013 and 2019. As is true for many websites, evite.com uses your email address as your username. So imagine your email address is GoogleReallySucks@gmail.com and your password for evite.com is YahooSucks2. The hackers got that information and they will try to use that username/password combination to log into walmart.com, facebook.com, bankofamerica.com, ticketmaster.com, etc. So, even if walmart and facebook weren't breached, you still need to change your password for any of those sites for which you also use the username GoogleReallySucks@gmail.com and password YahooSucks2.
     What I explained above is why using a unique (different) password for every website is recommended. That way if one gets stolen, all your other accounts will still be safe. Obviously remembering 50 or 100 different passwords and which you used for which site is impossible. So password managers have been developed to help with this. PC Magazine has published its list of top password managers for 2020. The top ones that you have to pay for (between $10-60) are here: www.pcmag.com/roundup/300318/the-best-password-managers and the top free ones are here: www.pcmag.com/roundup/331555/the-best-free-password-managers.

      A couple other useful tidbits: 
- for those wanting to know exactly which website(s) was breached, haveibeenpwned.com is a useful site. It also has an FAQ section that can answer some basic questions folks have about breaches (what a 'sensitive breach' is, why you might be notified that your email address was breached on a service you never signed up for, etc.).
- for those wishing to turn off/disable this new security feature in Chrome...In Chrome, go to Settings (click on the 3 vertical dots at the top right of your browser) and under 'People' you'll see 'Sync and Google services'. Click on the arrow to the right of that to expand it. Scroll down a bit and under 'Other Google services' you'll see 'Warn you if passwords are exposed in a data breach' (for me it's the 4th one down). Click on the toggle to turn it off.

      Now back to the confusing part of david.king's answer... David, you said:
"Other websites
Google does not know which other websites you use this same username/email and password combination with, so cannot show you that data. I don't believe it integrates with your saved passwords in Chrome so that doesn't help here either."
      It is Chrome that's giving us the message/warning. Obviously Chrome *does* know what other websites we use that username/password combination for. How else would it be able to provide us with a list of 68 or 96 or whatever websites where a change is needed? As Ann asked, are there potentially other websites where a change is needed? And, if so, any suggestions on how to identify them?
Relevant Answer
Verdammt Mal - did you get the answer you needed? If not, let me know and I'll provide it.
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Nicole I've not seen that part of the messaging so happy to be corrected on that part - thanks!
Relevant Answer
Clearly you didn't actually read my post. Try again.
Relevant Answer
I had this pop up, which took me through to a page displaying which sites had a potential breach. 

However, once I navigated away from that page it disappeared and I haven't been able to find the list of potential breaches again. What exactly should I look at, within my Google account, to see this again?
Relevant Answer
I received the msg as well. I changed my password and I continue to get the msg on the same site.
Relevant Answer
I'm glad this search for the same question I had was able to help me figure out what happened. I signed into a website today that has an old password I didn't realize I hadn't changed yet on it so I'm glad I was able to figure it out. As soon as I changed the password the notice went away. I'm not sure how to find out if there are other rogue websites I've used in the past with the same email and password combo but they would be outdated with incorrect cards linked to them if there were any so I'm not sure if I need to be concerned or not about those.
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Tim Gratton -- The popup is the only place where this is surfaced at the moment I believe, so you would need to retrigger the notice to see that info again. As an aside, you can use Password Checkup in your Google Account, where you can conduct a scan of your saved passwords anytime.
 
@Ryan 4917 -- If after changing your password, you still see the warning, that can only mean that username/email and password combination has also been breached and you should change it.
Relevant Answer
Yeah, I'll change it again.

Username is unique to this site. Doesn’t use an email. I don’t use the same password for any site. Even the new password is unique. Also when I get the prompt it only happens when I sign into Chrome under one Gmail account. If I sign into the same site signed into Chrome with a different email address I don't get the prompt. In all cases I don't have my password saved into Chrome.
Relevant Answer
@Tim Gratton - Go to your password manager (passwords.google.com) and click on 'Check passwords' or just go directly to passwords.google.com/checkup/. Once you've verified your identity (provided your password) you'll see a screen that looks similar to this:
We analyzed your saved passwords and found the following issues
 
71 compromised passwords
Change these passwords now
 
205 reused passwords
Create unique passwords
 
174 accounts using a weak password
Create strong passwords
For me, when I click the 'dropdown menu' arrow it says "50 accounts with the same username and password are at risk" then lists those 50 sites/accounts. Next it says "14 accounts with the same username and password are at risk". Then 4, then 2. I checked my username and password for those last 2 and they're identical to one another. This is in line with what I said earlier - my passwords weren't compromised on 71 different sites, rather my password was compromised on a handful of sites (haveibeenpwned.com says 12, which is still alarmingly high) but I used the exact same username/password combos that were compromised on those 12 sites on 59 other sites as well and hence need to change all of them. 

@Ryan 4917 - maybe try going to your password manager like I explain above? Maybe the reason will be clear once you see that? ...I'm just spit-balling here. FWIW, you can read a sort of press release from Google about all this here: www.blog.google/technology/safety-security/password-checkup/ ...don't know if that'll be any help either.  ¯\_(ツ)_/¯

Edit: @Ryan 4917 - I hadn't seen your most recent post when I wrote the reply above. One other thing to maybe consider (again, just spit-balling. I'm definitely not an expert...which is why what follows is wordy - I don't know the technical terms)... I have 2 accounts associated with 2 emails - a @yahoo.com and a @gmail.com. When I'm using Chrome and on any Google-related webpage there are 2 colored circles containing my first initial (N) at the top right of the browser - one on the same line as the url and the icons of my add-ons (ad-blocker, adobe, etc); this is my Chrome account (I think). The other circle is just below the first one, next to the Google apps icon (9 dots arranged in a square); this is my Google account (I think). I can switch accounts in Google OR I can switch accounts in Chrome. And there's a different set of saved passwords in each Google account (assuming I don't have that backward), but which Chrome account I'm in doesn't matter. My point being, you say you tried signing into Chrome under 2 different email addresses. Have you tried signing into Google with 2 different email addresses?
In any case, good luck and let us know if you figure out what's going on.
Relevant Answer
Your URL for checkup does not work (https://passwords.google.com/checkup/). I get an error: "404. That’s an error. The requested URL was not found on this server. That’s all we know."
Relevant Answer
This is happening to me repeatedly. I keep getting logged out of Facebook and now another app. I keep changing the password and it keeps coming up, so changing the password actually does nothing as I can't identify what is causing this.
Volunteer since 2011 (not a Google employee)
Relevant Answer
 
@Tamara_Kil -- This feature doesn't log you out of websites, so that must be a separate issue. If after changing your password for a website, you still see the warning, that can only mean that username/email and password combination has also been breached and you should change it.
Relevant Answer
@Rich Lysakowski - I kinda suspected it might. That’s why I also suggested navigating to it by going to passwords.google.com then clicking on 'Check passwords'. If that still doesn’t work, well, maybe try David.king’s suggestion?
Relevant Answer
Same here. I deleted all the stored passwords in my account and now I can not find in which web sites I have to change the password
Relevant Answer
same here - changed all passwords but some are still saying there is a risk
Relevant Answer
I keep getting this. So that means my passwords were always compromised before this "feature" was introduced and I didn't know about it? Please more details about the breach.
Relevant Answer
Shouldn't there be a way to 1) ignore this message and 2) change/delete the compromised passwords in bulk? I now apparently have 90 of these and if I want to continue using Chrome without apocalyptic messages popping up every time I'm logging into a site I have to spend my evening changing every single one. Thanks Chrome, appreciate the concern, but if this is going to be a regular instalment going forward I'm done saving passwords.
Relevant Answer
Looks like Chrome is being overeager with this message. As others have done I changed my password on pretty much all websites I log in to and surprise surprise I'm still getting this pop up message - every time. Perhaps our Platinum Product expert would like to comment?
Relevant Answer
Is Chrome not secure?  If so then we should stop using Chrome as our browser surely?
Relevant Answer
For what it's worth.  This is a c*ck up of epic proportion.  I can't even remember my google password as I've had to change it so many times.  This is a fantastic way to scare the cr@p out of people so much so that I feel I should close all these accounts, switch off all electronic devices and plant mealies in my back garden to earn a living.

Does anyone have a viable solution to this problem?  I too have many accounts and to have a different password for each account just isn't viable without having an app that will apply the passwords from a secure location (Maybe a piece of paper is now the best solution).  Nothing online seems to be secure anymore, including the camera on your computers and mobile devices.  What is stopping these guys from stealing info from Google or any other site for that matter?
Volunteer since 2011 (not a Google employee)
Relevant Answer
As a number of you are reporting still seeing the message, even after changing your password/a number of passwords, I've shared your feedback with the Google Chrome community team and other product experts. That doesn't guarantee a response but just wanted to let you know that your feedback or issue has been shared.
Relevant Answer
Why the F@$k does Google know the userID/Password of my bank account?!  I do not allow Chrome to save passwords.
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Malokai -- Google does not know that, period. I shared the link to this information above but here is how it works:
  • Whenever Google discovers a username and password exposed by another company’s data breach, they store a hashed and encrypted copy of the data on their servers with a secret key known only to Google.
  • When you sign in to a website, Chrome will send a hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
  • In order to determine if your username and password appear in any breach, Google uses a technique called private set intersection with blinding that involves multiple layers of encryption. This allows Google to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records down to 250 records, while still ensuring your username remains anonymous.
  • Only you discover if your username and password have been compromised. If they have been compromised, Chrome will tell you, and we strongly encourage you to change your password.
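
The lookup described in the post above, modelled as an added example (it is not part of the original thread and is not Google's or Chrome's code): the client sends only a 3-byte username-hash prefix and a blinded value, the server adds its own secret layer, and the client strips its layer to test membership in the returned bucket. Assumptions made for this sketch: the toy group modulo the Mersenne prime 2^521 - 1 (not a secure parameter choice), the SHA-512 hash-to-group step, all class and function names, and the constructed sample credentials.

```python
import hashlib
import math
import secrets

# Toy parameters (assumptions for this sketch, not secure choices):
P = 2**521 - 1        # Mersenne prime used as the modulus
ORDER = P - 1         # size of the multiplicative group mod P
PREFIX_BYTES = 3      # "3-byte SHA256 hash prefix of your username"

# Constructed sample breach data.
BREACHED = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]


def username_prefix(username: str) -> bytes:
    """Short, non-unique bucket selector derived from the username only."""
    return hashlib.sha256(username.lower().encode()).digest()[:PREFIX_BYTES]


def hash_to_group(username: str, password: str) -> int:
    """Map a username/password pair to a group element in [1, P-1]."""
    data = f"{username.lower()}\x00{password}".encode()
    return 1 + int.from_bytes(hashlib.sha512(data).digest(), "big") % (P - 1)


def random_exponent() -> int:
    """Secret blinding key: must be invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k


class BreachServer:
    def __init__(self, breached_pairs):
        self.key = random_exponent()      # known only to the server
        self.buckets = {}                 # prefix -> set of H(u,p)^server_key
        self.seen = []                    # everything a client ever sent
        for user, pw in breached_pairs:
            blinded = pow(hash_to_group(user, pw), self.key, P)
            self.buckets.setdefault(username_prefix(user), set()).add(blinded)

    def lookup(self, prefix: bytes, client_blinded: int):
        self.seen.append((prefix, client_blinded))
        # Add the server's layer on top of the client's; return the bucket.
        return pow(client_blinded, self.key, P), self.buckets.get(prefix, set())


def is_exposed(server: BreachServer, username: str, password: str) -> bool:
    key = random_exponent()               # fresh client key per lookup
    blinded = pow(hash_to_group(username, password), key, P)
    double_blinded, bucket = server.lookup(username_prefix(username), blinded)
    # Strip the client layer: (h^(c*s))^(1/c) = h^s, comparable with the bucket.
    server_only = pow(double_blinded, pow(key, -1, ORDER), P)
    return server_only in bucket


if __name__ == "__main__":
    server = BreachServer(BREACHED)
    for user, pw in [("alice@example.com", "hunter2"),
                     ("alice@example.com", "a-new-unique-passphrase"),
                     ("carol@example.com", "hunter2")]:
        print(user, "exposed" if is_exposed(server, user, pw) else "not found")
```

Because the match is on the username/password pair, the same password under a different username is not flagged, and the server's log holds only a 3-byte prefix plus a value that changes on every lookup.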
Relevant Answer
Why won't it let me save new passwords on Chrome? This pop-up is stupid!
Relevant Answer
The problem here is that Google is focusing on say... a single third party breach or maybe a handful of breaches and extrapolating that any other site sharing those credentials is therefore at risk. While this may be true technically, it's implausible that any would-be thief is going to just guess which other websites the credentials work for. Like if my PayPal credentials are exposed and my Wells Fargo credentials are not but are identical, nobody is just going to randomly try those credentials at Wells Fargo. That's like a 1 in a million shot, more actually, 1 in a billion probably. This seems to be the whole focus of this password checker, and it's only causing false alarm. Google needs to be transparent here instead of intentionally hiding the details. I shouldn't have had to stumble across the Google blog to get this information; it should be linked to the password checker main page.
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Ryan Fehr -- That's not accurate, the data will be from a great number of breaches (unfortunately the number of data breaches is a lot higher than it should be.) It's not implausible that an attacker would do what you described as they can use a technique called credential stuffing. The attack simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools. For that reason, this is not a false alarm and Google would not have spent valuable engineering time on it if it had no value.
Relevant Answer
Calling this "engineering" is a stretch. Aside from the sheer volume of potential websites that login credentials could be used for being beyond a reasonable processing time for such software, any respectable website worth accessing (like a bank's website) is going to employ [usually multiple] additional traditional authentication methods - be it pin numbers, one-time passwords, 2-factor authentication, captcha, image recognition, geolocation, device recognition, etc. You can't simply bypass these and gain access with a simple username and password. Even Google's own internal bulletin on this issue claims that it's exceedingly rare for attackers to actually be able to successfully gain access to users' websites. The simple fact that these leaks are clearly not "new" and merely highlighted by this new Google code goes to show how unsuccessful attackers must be in utilizing the information they have access to. There would be an epidemic of unauthorized access to all people's accounts worldwide...but there simply isn't. That's thanks to the individual security measures taken by these institutions. So Google is simply fear mongering, probably just to convert more users to Chrome. If Google truly cared or thought they were being helpful, they wouldn't go to great lengths to hide the details of their operation. I'm sure they do that, because otherwise users would realize how useless it is.
Relevant Answer
Time to switch from Chrome I think.
Relevant Answer
All of you who are saying you are leaving Chrome are misunderstanding what the notification is about and what it’s based on. Chrome is NOT the problem. Their security-based Password Checkup system is aware of websites that have been breached and they are telling you that you need to change your password because of that known breach. Additionally, if you have the same username and password saved for other websites, Chrome is telling you that those credentials are at risk because they are the same credentials that have been compromised from the breached websites. This isn’t a Chrome breach that they are warning you about. You should be thanking them, not getting upset at them.
Relevant Answer
I'm getting this a lot. Is this legit?
Relevant Answer
@Rick Sievers 3760

What is your pipes leaking? Websites have pop up ads, pop in ads, etc. Right click that check passwords button and select copy link address. Paste it in a text editor. The recommended action for website/app breaches is to change your passwords. The link may redirect to a site that offers to change your passwd. It looks like a pop in to me.

Chrome saves passwds and auto fills the login form. It should be transmitted encrypted. The website should store passwds encrypted. (https)

If Chrome has a compromised website listed in a database, sure it will have a security advisory, and/or block access to the site.

!!always block 3rd party cookies!!
Relevant Answer
No pipes leaking here... I'm on that website for assisting others. I get  that P/W warning on almost all sites I click on.
Relevant Answer
My list of breached passwords is gone.  I haven't had the opportunity to fix them.  I want to see them again.  I've requested my data from Google (16GB) in hopes to get them but if there's any other way that Google can send me the list of my breached passwords so I can find out which ones I have to change I'd appreciate it.
Relevant Answer
This "name password combination" thing doesn't make sense.  How would Google get the "name password combination" from hacked websites to compare to your current login, and how would Chrome compare the two if passwords are hashed so even Google can't read them?  

I just got this while logging in to Choice Hotels website, then searched for a history of hacking at that website and sure enough, Choice Hotels was hacked back in April.  It would make sense for this warning to pop up at ALL websites like Equifax and British Airways which have a known history of being hacked just as a reminder.  If that's not the case, then Google knows too much.
Relevant Answer
If Google hashes passwords, maybe they just hashed the password combos found on hacked websites and just saw if they matched or not. They need not know what it actually says, rather that they are hashed the same way based on the plaintext.
Relevant Answer
I don’t save passwords on my google account and still have this warning.
Relevant Answer
It's not a breach or hack when Google tracks your username and PW?
Relevant Answer
How do I turn it off? It pops up for EVERY webpage. I don't want to live in password paranoia forever. Thanks!
Relevant Answer
How could Google keep saying it's safe to store passwords in Chrome while they just had a data breach?
How could they have a data breach of our data and not even spend the effort to publicize it and explain who, when, where and WHY and what are the strict mitigation actions they put in place?????

looks like no longer serious...
Relevant Answer
Just to let you know; it is not google which has had the data breach as I have seen one user question. Google is checking if the email/pass combination you just entered was compromised. It may have been compromised from any site you use. Entering the email address into the HaveIBeenPwned website will usually tell you where it was compromised from. 

This popup is not a scam (although it may eventually be exploited on untrustworthy websites) but is a good service offered by google. You would have probably never known you had a compromised email address and password combination if google did not tell you.
Relevant Answer
It's a fucking scam
Relevant Answer
Is there a Google documentation page that shows a screenshot of the official Chrome feature, so that we can help users understand this feature?
Relevant Answer
Too vague for me. Google should know and report the specific website or app that was breached. The damage is localized to that one site or app, unless Google got hacked, and then you would see a big announcement like Facebook did. I want to see something specifically from Google before I start to change my password. Anyone have a link for this?
marked this as an answer
Relevant Answer
I'm having the same problem. Even after changing my passwords, with each new password strong and unique, I still have the same warning as before saying passwords compromised. It doesn't seem to update to remove the warning after you sort it.
marked this as an answer
Relevant Answer
I think it's a virus doing that, because this doesn't happen on other devices, only on certain devices. Also, in my opinion, it is spyware trying to trick you into changing your password so it can get it. I just ignored it. Also, I chatted with my IT professional and they said it is a phishing message trying to get your info, so I ignored it.
marked this as an answer
Relevant Answer
I received that message on Christmas day while on Costco's app. I ignored it. The next morning there were charges on my credit card for $453 to Costco, and I was locked out of my account. I called Costco, and they confirmed that my email address had been changed on my account. They gave me the name of the person who ordered stuff on my account and with my visa, and it was some woman in Georgia. I am not in Georgia. I had my Costco account and Visa both shut down. We changed passwords, ordered new credit cards, and opened a new Costco account.
Now today I logged into an MP3 account that I have and I got the same popup. It makes me nervous that I have been hacked again. However, this was the same username/password combo. I am changing it now.
marked this as an answer
Relevant Answer
I had this popup, but when I checked the password through Google Chrome it came back clean. Why would I have a popup saying it is compromised, yet when checking the password in settings it comes back OK? This does not inspire faith in this new feature.
marked this as an answer
Relevant Answer
In reply to David King's explanations:
THANKS, it is good to know, BUT STILL those explanations do not address the extremely misleading nature of the pop-up message.

The message is deeply misleading because it scares users into thinking that THEY PERSONALLY were compromised in some data breach, which is not necessarily the case at all.

Also, the pop-up does not let the user understand that only the username/password combination on that page is the problem.  Instead, it leads users to believe that any or all of their data may have been compromised - which is not what it is meant to communicate. Several people on this thread are commenting that they have already changed all their passwords because of this misleading message.
marked this as an answer
Relevant Answer
I got the same JavaScript warning. It's confusing! How does that one site compromise all passwords unless Google got hacked?
marked this as an answer
Relevant Answer
The reason is that the backend server is exposing the password to the console or it is sending the password back as a response. This could be an actual data breach, or maybe due to a lack of website development, which led to this condition of exposing the password.
marked this as an answer
Relevant Answer
I think I've figured out why the message isn't going away after I've changed passwords. It seems that it's saving my new passwords as additional rather than overwriting the old ones. When I check in Google password manager they are all there both old and new. Often the new passwords are being saved without a username, so I am having to manually edit that afterwards.
marked this as an answer
Relevant Answer
I got the error ("A data breach on a site or app exposed your password ... blah blah").   I use a unique to me password for this site.   
I changed the password to a new unique password.  Logged in again.... got the same error message.  
Also checked google password manager.... I have NO saved passwords. 
Therefore I am not confident that the error message is meaningful.
marked this as an answer
Relevant Answer
I got this when using fake usernames and passwords on a local server and website on my computer.

The email address doesn't even exist and hasn't been used anywhere else on the web.

There is no way this is an accurate error message.
marked this as an answer
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Aaron Harnly -- See here:
https://support.google.com/chrome/answer/95606 (section: Check or change your passwords)
 
@Mr. Sinbad -- As I mentioned above, the "damage" is not localised to the one website where your data was breached from. You need to change your password on all websites/apps where you have used that same username/email and password combination so where the breach came from only helps you so much.
 
@Tim Kovalcheck -- Most definitely not a virus. Read the official Google blog:
 
@Bill Bruns -- When you see the warning, your email/username and password combination has been compromised in the breach of a website/app. I would say that affects you personally. You can of course give your feedback to Google through the Chrome menu on the wording of the warning, but as I've mentioned in this thread, it does not matter on which website you see this new warning and it is not specific to the website where you see it. The new message is a warning about the username/email and password combination that you just entered, so you need to change it everywhere you use it.
 
@Sarah Wilkinson -- Thanks for sharing that, that may well be the case for quite a few others.
marked this as an answer
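Added example, not part of any reply in this thread and not Chrome's own code: a small audit of a saved-logins list that answers the two practical questions raised above, namely which other sites hold the same username/password pair as the one flagged, and which sites still carry an old entry beside a new one. The sample logins, site names and the case-insensitive username comparison are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample of a saved-logins export: (site, username, password).
# None of these are real accounts.
SAVED_LOGINS = [
    ("shop.example", "pat@example.com", "Winter2019!"),
    ("music.example", "Pat@Example.com", "Winter2019!"),
    ("music.example", "", "n3w-Unique-pass"),   # new password saved with no username
    ("bank.example", "pat@example.com", "different-Pass-77"),
    ("localhost", "admin", "admin"),
]


def pair_key(username, password):
    """Site-independent fingerprint of a username/password pair.

    Lower-casing the username is an assumption made for this example so that
    'Pat@Example.com' and 'pat@example.com' count as the same login name.
    SHA-256 is used only to group entries in memory, not as password storage.
    """
    canon = username.strip().lower()
    return hashlib.sha256(f"{canon}\x00{password}".encode("utf-8")).hexdigest()


def sites_sharing_pair(saved, username, password):
    """Every site whose saved entry is the flagged pair: all need a new password."""
    flagged = pair_key(username, password)
    return sorted({site for site, user, pw in saved if pair_key(user, pw) == flagged})


def sites_with_leftover_entries(saved):
    """Sites holding more than one saved entry, such as an old password kept
    beside the new one (the situation one reply above describes)."""
    counts = Counter(site for site, _user, _pw in saved)
    return {site: n for site, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(sites_sharing_pair(SAVED_LOGINS, "pat@example.com", "Winter2019!"))
    print(sites_with_leftover_entries(SAVED_LOGINS))
```

The pair is matched regardless of site, so a warning seen on one login page maps to every entry that reuses the same combination, including throwaway development logins.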
Relevant Answer
Thank you, David. To be clear, neither of those help articles show a screenshot of the message that users of desktop Chrome are seeing, and the messaging is a bit different. I expect the look and message to evolve as Google fine-tunes it, but it'd be reassuring to users if there were an official google.com page that could be referenced that showed what they're seeing.
marked this as an answer
Relevant Answer
I'm just going by what my IT professional said to do, and he said not to listen to them on the Google forums.
marked this as an answer
Volunteer since 2011 (not a Google employee)
Relevant Answer
@Aaron Harnly -- Is what your users are seeing different to what is shown in that official Google blogpost?
 
@Tim Kovalcheck -- Your choice at the end of the day, but I will say that they are wrong on this occasion. Product experts, like myself, are verified by Google and I am also an IT professional in my personal life.
marked this as an answer
Relevant Answer
@david.king
It's a goddamn phishing virus and Google isn't doing anything about it
marked this as an answer
Volunteer since 2011 (not a Google employee)
Relevant Answer
@your uncle pim -- Happy for you to share a screenshot of what you suspect is a "phishing virus". Not sure what else I can say to confirm it is genuine, even a quick Google search will show you multiple news outlets reporting on the new feature...
 
marked this as an answer
Relevant Answer
This is quite an annoyance for me. I am working with web apps in a development environment. There I am using dummy data and dummy users which have dummy passwords. To make things easy, the password is usually the same as the username in those development environments. Is there a way to turn this "feature" off for specific sites, e.g. localhost....?
marked this as an answer
Relevant Answer
Please turn this feature off on localhost, very annoying! Developers usually use unsafe passwords (eg. admin/admin) for local dev env.
marked this as an answer
Relevant Answer
Now, I cannot even log into the sites mentioned by this issue. I can, however, log into the sites via Microsoft Edge. Via Edge, I change the passwords, but still, Chrome refuses to log into the sites. Even changing the password via Google Password Manager does not work. I get error messages such as the following when trying to log into sites:

Sorry, something went wrong while logging in. Please try again.
EXPIRED Invalid request. Please try again.

Again, using Edge, everything works
marked this as an answer
Relevant Answer
@Ninjutsu Ryu   Stop using Edge.  Wash your hands before using Chrome again.  The only reason to ever open Edge is to download Chrome.  blech...  Tell me you didn't use edge to post that comment.  I feel dirty just thinking about it...
marked this as an answer
Relevant Answer
@ User 11385943630905635263 Well, Chrome does not work and I have to use something to gain access to the sites Chrome is now preventing me from accessing...
marked this as an answer
Relevant Answer
This is a mess. Users of my site are getting this warning, but I know there was no breach. I had an employee who screwed up trying to reset an e-mail password. How do I turn this damn thing off?
marked this as an answer
Relevant Answer
changed password twice now and still getting it too. Wonder if clearing cache/browsing data may help.
marked this as an answer
Relevant Answer
If the marked answer is correct, then this is kind of a stupid feature that will only make people paranoid and worried (as we can see from some of the replies here). If Google is going to roll out such a "feature", it should point out where the data breach came from, so that users will at least know where and how to deal directly with it from that source forward, and not make everybody wonder about where they set up a specific password combination.

I am sure I am not alone when saying that we don't use the same passwords in all accounts we have, but the same email could be used for multiple services; therefore I believe that nobody would have some specific encrypted file where you would know where you used a specific combination. Again, this makes it a worrisome feature, as you have to go to all services that use that email and change all passwords.

Just MHO.
marked this as an answer