Why do I see “This password is in public lists of passwords leaked from other sites” warning?

Your password is the first line of defense against cyberattacks and unauthorized access to your account. Nowadays, the enforcement of strong password requirements is a standard practice all over the internet. But remembering long unique credentials for each online service or web application can be difficult, and subsequently, Password Reuse (using the same password across different services) has become quite common. 

The Reuse of passwords led to the rise of Credential Stuffing attacks. Credential stuffing is a type of cyberattack where account credentials, stolen from one service, are used to gain unauthorized access to user accounts in other services with reused passwords.
Regardless of how strong your password is, a single breach can compromise its security on all accounts.

In order to protect our users from this type of attack, we implemented a security check based on HIBP integration that allows us to validate whether a password can be found in publicly available sets of breach data. By following this link, you can check for yourself if a password was previously exposed in any data breaches from other resources.

Do not worry - we do not share your data with any third-party services. Your password is protected by the password hashing function, which is a one-way transformation of the password commonly used to store passwords securely. We do not keep passwords in plain text, and we only verify if a password is compromised when you provide it to us. 

The “This password is in public lists of passwords leaked from other sites” warning during the login, registration, or updating your password, indicates that a password you are using was leaked from other resources. 

You cannot set a compromised password as your new password during registration or password update. However, if you see this warning after logging in, it means that your current password is compromised. To protect your account, you will be prompted to create a different password. Unless your password is changed, it will automatically reset during your next login if more than ten days passed since the warning first appeared. You will need to pick a new password using the link sent to the email address associated with your Semrush account.

Please note, the password leak may have no relation to any of your accounts. For example, if your password is "123456789" and someone else used the exact same password anywhere on the internet, it could be that it was their account that was compromised in a breach. But you still will get a warning message because your current password matched with the one that is publicly available in known database leaks.
In any case, this warning indicates that your password is not reliable, and it is better to create a new stronger password.

Your new password should contain:

• More than 8 characters;
• Both lowercase and uppercase letters;
• At least one numeric character.

We strongly recommend creating a unique password that will not be used for other services, as a breach of any other service can put your Semrush account at risk of being compromised. You can use a password manager to store, manage and generate  unique reliable passwords, so you will only ever need to remember your password manager credentials.

If you have more questions or concerns, please don’t hesitate to reach out to our Support team.