Password leaks are exploding: How reCAPTCHA's Password Leak Detection (PLD) tool can protect you

Naanak
Staff

TL;DR: Password leaks are just the tip of the iceberg for account fraud. reCAPTCHA offers a complete solution to help users defend against account fraud, including a new Password Leak Detection container app that makes it easier than ever to identify compromised credentials.

Did you know that nearly half of all Americans have had their passwords stolen in the past year? It's a scary statistic, and it means that your users are more vulnerable than ever to account takeover and fraud.

Since 2022, with the release of Account Defender, reCAPTCHA has been used to actively protect sites against password leaks, specifically finding leaked username and password pairs. With this latest iteration, we make password leak detection even more powerful, while also making it simpler. Interested in knowing more? Read on … 

Introducing the Password Leak Detection Container App

While Password Leak Detection (PLD) has been a powerful feature of reCAPTCHA for over two years, we recognized that configuring the feature required a good understanding of website coding practices, security, and cryptographic libraries. The most savvy site owners across the 7M+ active sites that use reCAPTCHA saw the value and immediately started using PLD, leading to billions of credential checks per year. However, if our goal was to protect the entire internet, we needed an easier-to-implement approach to leverage PLD and offer better protection to website users. This is what we are hoping to change with the release of the container app.

The Password Leak Detection container app is designed to give you a simple way to integrate reCAPTCHA's password leak detection into your website or app. Early indications have shown that using the container app, with its integrated libraries, can shorten the PLD integration timeline from multiple days to a matter of hours, making it possible for every site admin to implement it and immediately protect their user base.

Why Password Leaks Matter

Think about it: if a user's password is leaked in a data breach on another site, and they reuse that same password on your platform, they're at risk. With the Password Leak Detection container app, you can:

  • Detect compromised credentials instantly.
  • Prompt users to change their password.
  • Prevent account takeovers before they happen.

Account fraud beyond bot-based attacks

Password leaks are just one piece of the puzzle when it comes to account security. Account fraud is a complex issue that goes beyond simple bot attacks. We're talking about things like account hijacking, credential stuffing, payment fraud, and SMS toll fraud, to name a few. These attacks could be bots… or they could be malicious humans. These attacks exist across every step of the login flow, as seen in the diagram below:

[Diagram: account fraud attacks across each step of the login flow]

The Need for Holistic Fraud Protection

The evolution beyond simple bot attacks requires protection that analyzes the entire customer journey for fraud signals, with robust detection at each stage and the ability to connect the dots across multiple interactions. Backed by Google's massive scale and unparalleled insights into fraudulent users, reCAPTCHA offers a comprehensive suite of fraud prevention capabilities that span the entire customer journey.

reCAPTCHA: Redefining Fraud Prevention

[Diagram: reCAPTCHA fraud prevention capabilities across the customer journey]

  • Account defender: Safeguards against account takeover attacks by monitoring user actions throughout their journey using their hashed account ID, preventing unauthorized access and mitigating financial and reputational damage.
  • Password leak detection: Detects credentials that have been compromised in data breaches across the web, empowering you to take proactive steps to protect compromised accounts.
  • Multi-factor authentication: Adds an extra layer of verification to the login flow through a one-time passcode, to ensure that the correct user is granted account access.
  • SMS toll fraud protection: Prevents SMS pumping fraud in login and 2FA flows by using the SMS phone number, along with reCAPTCHA signals, to detect SMS pumping, safeguarding you from financial losses.
  • Related accounts detection: Detects patterns and connections between fraudulent accounts through hashed account IDs, enabling businesses to shut down entire networks of bad actors simultaneously.

What next?

Convinced that this feature is meaningful for your websites? Configuring it is an easy 3-step process:

  1. Set up the PLD container to receive your website's request parameters and return a response.
  2. Send the userID and password to this local container app, which cryptographically secures the parameters and queries reCAPTCHA to see if those credentials have been stolen.
  3. Receive the result of the evaluation within your app and decide on next steps (i.e. the password is good and it's business as usual, or reCAPTCHA scores the credentials as stolen, in which case the website can trigger a password reset flow or a step-up flow, based on what makes sense for your business).
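The three steps above wired into a login handler, as an added example that is not the post's own code nor the container app's own client library. Everything about the container's interface here is an assumption: that it listens on `http://localhost:8080/check` (hypothetical), accepts a JSON body with `username` and `password`, and replies with JSON `{"leaked": true|false}`. Check the container's documentation for the real endpoint and payload shape. A constructed stand-in for the container is included so the flow runs offline.

```python
"""Added example: integrating the PLD container app into a login path.

Hypothetical container interface (NOT the real one, verify against the docs):
  POST http://localhost:8080/check   body: {"username": ..., "password": ...}
  reply: {"leaked": true | false}
"""
import json
import logging
import urllib.request
from enum import Enum

log = logging.getLogger("pld")

CONTAINER_URL = "http://localhost:8080/check"  # hypothetical, see docstring


class Verdict(Enum):
    OK = "ok"            # reCAPTCHA did not find the pair in a leak
    LEAKED = "leaked"    # reCAPTCHA scored the credentials as stolen
    UNKNOWN = "unknown"  # container unreachable or reply malformed


class NextStep(Enum):
    CONTINUE = "continue"        # business as usual
    FORCE_RESET = "force_reset"  # password reset flow
    STEP_UP = "step_up"          # step-up flow, e.g. an MFA challenge


def query_container(username: str, password: str,
                    url: str = CONTAINER_URL, timeout: float = 2.0) -> dict:
    """Step 2: hand the credential pair to the local container, which (per the
    post) secures it cryptographically before querying reCAPTCHA. The call
    stays on localhost, so the raw password never leaves the host boundary."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def check_credentials(username: str, password: str,
                      transport=query_container) -> Verdict:
    """Step 3a: turn the container's reply into a verdict. Any failure of the
    check degrades to UNKNOWN instead of raising, so an outage of the leak
    check cannot take the login path down. The password is never logged."""
    try:
        reply = transport(username, password)
    except Exception as exc:  # network error, timeout, bad JSON, ...
        log.warning("PLD check failed for user=%s: %s",
                    username, type(exc).__name__)
        return Verdict.UNKNOWN
    leaked = reply.get("leaked") if isinstance(reply, dict) else None
    if leaked is True:
        return Verdict.LEAKED
    if leaked is False:
        return Verdict.OK
    log.warning("PLD check returned malformed reply for user=%s", username)
    return Verdict.UNKNOWN


def decide_next_step(verdict: Verdict,
                     on_leak: NextStep = NextStep.FORCE_RESET) -> NextStep:
    """Step 3b: business policy. Stolen credentials trigger either a reset or
    a step-up flow (the post leaves that choice to the site); UNKNOWN is
    treated as fail-open here, which is itself a policy decision to revisit."""
    if verdict is Verdict.LEAKED:
        return on_leak
    return NextStep.CONTINUE


# Constructed stand-in for the container so the example runs offline.
_FAKE_LEAKED_PAIRS = {("alice@example.com", "Password123!")}  # constructed


def fake_container(username: str, password: str) -> dict:
    """Pretends to be the container: flags only the constructed pair above."""
    return {"leaked": (username.lower(), password) in _FAKE_LEAKED_PAIRS}


def handle_login(username: str, password: str, transport=fake_container,
                 on_leak: NextStep = NextStep.FORCE_RESET) -> NextStep:
    """Run after the normal password check succeeds: a leaked-but-correct
    password is exactly the case PLD exists to catch."""
    verdict = check_credentials(username, password, transport=transport)
    return decide_next_step(verdict, on_leak=on_leak)


if __name__ == "__main__":
    print(handle_login("alice@example.com", "Password123!"))  # FORCE_RESET
    print(handle_login("bob@example.com", "correct horse battery"))  # CONTINUE
```

To hit the real container, pass `transport=query_container` (or leave the default on `check_credentials`) once the endpoint and payload have been confirmed against the container's documentation; keep the leak check after primary authentication so it only ever runs on passwords the user actually knows.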

Ready to take your account security to the next level?
