27 comments

[ 4.3 ms ] story [ 70.2 ms ] thread
(comment deleted)
Another one for the graveyard!
Why was it opened? Is it that dark web where asassination markets and similar stuff happens?
> While the report offered general information, feedback showed that it didn't provide helpful next steps.

Translation: We don’t actually want to keep spending time, money, and resources on this.

That's not how it reads to me. I think it's more that they feel they can't share enough information to make it useful without compromising their operating methods. Which is an eternal struggle with stuff like that: the bad guys are reading too.
No, not really. The way this worked is that if they detected personal information on a "dark web" (per their definition -- I have no idea what this actually meant) site, they would show you a report that told you which PII was listed, and it was usually things like your fname/lname, address, phone or location. The problem is that it wasn't actionable [because it was the dark web], unlike their current personal data privacy features and data removal tool.

This is one where I don't blame them for killing it because "it" wasn't really even a product -- it was just a very basic, not useful at all, report.

I found the info not actionable because it wouldn’t say what actual values were posted.

I have a common name Gmail account. The password is rather complex and I would be surprised if it leaks as only I and Google know it. However, I would get reports that it’s on the dark web with blanked out password values. So I never knew if they actually compromised or just something else.

They would also report when some random site that used my Gmail address as user id was on the darknet that I don’t care about. I don’t care if my fidofido account is leaked. I never use it and if I did, then I would reset.

I think if the data were useful Google would have kept this up.

I bet they keep tracking though, just keep the reports internal.

I never got the Google dark web reports, but my credit card used to send me reports constantly saying that my email address was 'found on the darkweb.' Okay, that's not useful information. If it showed me if there were associated passwords, that might be helpful, but just saying my address was found on the darkweb is meaningless. My email address is public information.

The worst part is, it was an email address I hadn't used in about 10 years, and they wouldn't let me take it out of the report.

Yeah.. I have a five letter email that's a common first and last name @ gmail.com. I second everything you said. Getting report hits every few days are useless given how few sites do any kind of validation. :-/
> I found (it) not actionable

Tangental, but I found 'Have I Been Pwned' useless too because you can't enter your email and find leaked passwords associated with the address, instead you have to enter each password (and repeat for every password you want to check).

I know there's an explanation that the raw password is not being sent and instead being hashed locally and only part of the hash is sent. But I don't know how to verify that and it feels wild to type passwords into a random website. (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)

Bitwarden's web vaults has a reports feature which allows you to check this in bulk.
> (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)

I recall HIBP documents their hashing protocol so that it should be possible to have a non-web client you can trust more.

https://haveibeenpwned.com/API/v3#PwnedPasswords

I set it up for an old Google account that has been breached. It did a relatively good job, but HIBP has more data in my experience, albeit it mainly looks at emails, whereas Google's report can do lookups by full name, address, and phone number. I think it was useful, but did not get enough love to be like a second HIBP.
did anyone ever get a report? i never got anything at all...
While this was a free service and thus Google is under no obligation to continue offering this service, this is still quite sad. They could have atleast bundled it for some tier of Google One paid subscription.
Can one of the good souls at google please donate the data to archive.org?
Is there a product that will do go through the vast expanse of accounts you have and either delete them or mass-change their passwords? I basically I wish to shrink my online presence as much as possible, but doing it manually would mean finding all the various accounts I have, logging in, trying to close, etc. Seems like good fit for an LLM browser agent.
dark web reports in general, seem to be a funnel for paid "security" and monitoring services, VPNs AV suites, typically you review your passwords for strength and redundancy, then you are redirected to buy some service, that ultimately looks like a data hoover, and put everything in a cloud scheme. now we have AI and FOMO to hook and reel in, seemingly more effective than darkweb boogeymen for adoption and revenue.
I might be misremembering this but FWICR on Chrome it would link your saved passwords with the dark web report, and automatically recommend you change any account that had the same password as the "pwned" account found in the dark net. Was pretty useful.
Discover (Card/Bank) also announced recently that they are stopping their dark web report service. I wonder if they just used Google, or if it's a coincidence...
The email about this went to my spam folder on Gmail. Ok, come on Google.
Google discontinuing this is unfortunate timing given the recent breach surge (700Credit, SoundCloud, LinkedIn leak).

Alternatives: haveibeenpwned.com (free), 1Password Watchtower, Bitwarden breach reports.

The harder part isn't knowing about breaches—it's actually rotating passwords afterward. Most people know they should but don't because it's tedious.

Automated rotation tools are emerging but need careful security architecture (local-only, zero-knowledge) to avoid creating new attack vectors.

The reason their data got leaked was because they were using Google services. The only actionable thing people could do was delete their Google accounts. This move is to hide the inherent security holes in using their products.