After a breach, users rarely change their passwords, study finds
Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University's Security and Privacy Institute (CyLab).
The study, presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, was not based on survey data, but on actual browser traffic.
Academics analyzed real-world web traffic collected with the help of the university's Security Behavior Observatory (SBO), an opt-in research group where users sign up and share their full browser history for the sole purpose of academic research. The research team's dataset included information collected from the home computers of 249 participants. The data was collected between January 2017 and December 2018 and included not only web traffic, passwords used to log into websites and stored inside the browser.