# ID Monitoring Suggestion

JOnes (Posts: 1,306, Forum Legend)

Hello,

I would like to provide feedback on the ID Monitoring feature, specifically regarding so-called combolist alerts.

I receive a notification stating that my email address and an associated password appear in leaked data. However, the notification does not include any information about:

  • which service the password is associated with,
  • when the leak occurred,
  • whether the password is still in use,
  • or any identifiable partial fingerprint (e.g. a password fragment) that would allow me to locate the affected credential myself.

I use a password manager and unique, randomly generated passwords for each service. In this usage model, the current alert is not operationally actionable:

  • I cannot determine which account requires remediation.
  • Changing passwords for all accounts is neither realistic nor proportionate.
  • The alert does not allow any meaningful risk assessment (e.g. old vs. active data).

As a result, the notification is purely informational and primarily creates uncertainty, without enabling concrete risk mitigation.

Previously, the service exposed more identifying information (such as partial passwords), which made the alerts genuinely actionable. I understand the security and regulatory considerations, but in their current form, combolist alerts do not effectively serve users who already practice good password hygiene.

My suggestions:

  • either provide some form of local identification mechanism (e.g. hash or fragment matching against the password vault),
  • or clearly state in the alert that this is a general observation with no directly targetable remediation,
  • or classify such findings as low-priority informational notices rather than critical alerts.

As implemented today, this alert model is more suitable for users who reuse passwords, but not for users who already follow established security best practices.

Kind regards,

1 vote

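The local identification mechanism proposed in the post, sketched as an added example (this is not the ID Monitoring product's code, and the vault layout, the alert format and the six-hex-character SHA-256 prefix are all assumptions). The service sends only a short hash fingerprint plus the date the data was first seen; the client hashes its own vault entries locally, so no password or full hash leaves either side. Because the fingerprint is truncated, a match is a strong candidate rather than proof, and the triage step turns "no match" into an informational notice, which is the old-versus-active distinction the post asks for.

```python
"""Local matching of a breach-alert fingerprint against a password vault.

Added illustration only: the vault, the alert format and the fingerprint
length are assumptions, not the monitoring service's real design.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical fingerprint: the first six hex characters (24 bits) of
# SHA-256(password). Enough to single out one entry in a vault of a few
# hundred, far too little to reconstruct the password from the alert.
FINGERPRINT_HEX_CHARS = 6


@dataclass
class VaultEntry:
    service: str
    username: str
    password: str


def password_fingerprint(password: str, hex_chars: int = FINGERPRINT_HEX_CHARS) -> str:
    """Truncated SHA-256 of the password; the only thing both sides compare."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:hex_chars]


def make_alert(leaked_password: str, first_seen: str) -> dict:
    """Service side (assumed format): what the alert would carry instead of the
    bare 'your password leaked' notice. The password itself is never sent."""
    return {"fingerprint": password_fingerprint(leaked_password),
            "first_seen": first_seen}


def locate_affected_entries(vault: list, fingerprint: str) -> list:
    """Client side: hash every vault password locally and keep those whose
    prefix matches. Nothing from the vault leaves the device. With a short
    prefix a collision is possible, so a hit is a candidate, not a certainty."""
    n = len(fingerprint)
    return [e for e in vault if password_fingerprint(e.password, n) == fingerprint]


def triage(vault: list, alert: dict) -> dict:
    """Classify the alert the way the post suggests: a password still in the
    vault is critical and names the account(s); a password no longer in the
    vault is an old credential and only informational."""
    matches = locate_affected_entries(vault, alert["fingerprint"])
    if not matches:
        return {"severity": "informational", "affected": []}
    # Several matches would mean the same password is reused across services.
    return {"severity": "critical", "affected": [e.service for e in matches]}


# Constructed sample vault; these are not real credentials.
SAMPLE_VAULT = [
    VaultEntry("mail.example", "jon", "Zq8!vT2#mLp0wX"),
    VaultEntry("shop.example", "jon", "R4k$nB7&yH1qEe"),
    VaultEntry("forum.example", "jon", "uW9@cF3*dK5sZz"),
]

if __name__ == "__main__":
    # Constructed alert: the shop password turned up in a combolist.
    print(triage(SAMPLE_VAULT, make_alert("R4k$nB7&yH1qEe", "2024-01-10")))
    # Constructed alert for a password the vault no longer holds.
    print(triage(SAMPLE_VAULT, make_alert("retired-password-from-2019", "2019-05-02")))
```

The fingerprint length is the tuning knob: longer prefixes cut false candidates but reveal more of the hash, so a real deployment would pick it from the expected vault size and the hash cost, not hard-code it as done here.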