Understanding compromised passwords and how we keep Mercury accounts secure

At Mercury, your account’s security is our highest priority. To help protect your account, we check your password against a known database of compromised passwords with the help of Have I Been Pwned (HIBP), a trusted and widely used resource that maintains a record of passwords exposed in data breaches.

Below, we explain what to do if your password is flagged, and how we detect compromised passwords.

What is a compromised password?

A password is considered "compromised" if it has been exposed in a data breach. A data breach occurs when an attacker gets access to a company’s database, which might contain email addresses, passwords, and other sensitive information. Using a compromised password on any site that doesn’t have two-factor authentication (2FA) could make it easier for attackers to access your account — it is important to change your password on any service where you’ve used it.

Note: Mercury requires 2FA for all accounts, so your password alone cannot be used to access your account. Read more about how we protect accounts via 2FA here.

Recommendations if your password was found in a breach

If you've received a "Security Recommendation" message upon logging in to your Mercury account, it means your password was found in a list of compromised passwords from a data breach at another service, not Mercury. To protect and strengthen the security of your account, we strongly recommend updating your Mercury password and any other accounts where you've used the same password.

Keeping your accounts safe online can seem daunting, but following these recommendations can reduce the risk of unauthorized access:

  • Use a unique password for every site you use. Reusing passwords across multiple sites increases your vulnerability if one of those sites experiences a data breach.
  • Consider a password manager. Password managers help you securely generate and store strong, unique passwords for each of your accounts. With a password manager, you only need to remember one password—the one to access the manager itself.
  • Enable 2FA on all sites that support it. 2FA makes it so that even if someone knows your password, they aren’t able to access your account.

How we use HIBP to detect compromised passwords

Mercury uses the Have I Been Pwned (HIBP) service to check if your password has appeared in any known data breach. This check is done securely—your password is never sent to HIBP.

When a company discloses a data breach, HIBP updates its records to include the affected passwords. This means HIBP’s records are always up-to-date with all known data breaches.

If we detect that your password appeared in the HIBP database, we’ll display a message notifying you of this on your next login. You will also have the option to update your password directly from the notification so you can secure your account with a new password right away.
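The "never sent to HIBP" property comes from the public Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix sharing that prefix, and does the comparison locally (the k-anonymity model). The Python example below is added here to illustrate that flow; it is not Mercury's code. The range URL and the `Add-Padding` header are the real API's; the sample range response, its counts and the `fetch_range_offline` helper are constructed so the demo runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appeared in known breaches (0 if never seen).

    Only the 5-character hash prefix is handed to fetch_range; the full hash and
    the password itself never leave this function.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup against the public range API (not used by the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample range for prefix 5BAA6 (the SHA-1 of "password" starts with it).
# All counts and the first and third suffixes are made up for this demo.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:424242\n"
        "A1B2C3D4E5F60718293A4B5C6D7E8F90123:0\n"  # padding-style entry, ignored
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_from_hibp that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", fetch_range_offline))  # prints 424242
```

Swap `fetch_range_offline` for `fetch_range_from_hibp` to query the live API; a count above zero is the signal that triggers a "Security Recommendation" style notice.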

How to use HIBP to check your breach history

If you’d like to know which services might have exposed your password or other data, HIBP lets you check if your email address has been found in a data breach. Here’s how:

  1. Visit the HIBP website.
  2. Enter your email address in the search bar and click pwned?.
  3. HIBP will show a list of known breaches that are linked to your email.
