Researchers at Carnegie Mellon University found that only about a third of users change their passwords after their data has been compromised. Notably, the report, presented at the 2020 IEEE Workshop on Technology and Consumer Protection, is based not on survey data but on actual browser traffic.
The team studied real traffic collected through the university's Security Behavior Observatory, a research project whose participants voluntarily share their full browsing history for academic study. The data for this analysis came from the home computers of 249 participants over the period from January 2017 to December 2018, and included not only web traffic but also the passwords saved in their browsers.
Of the 249 users, only 63 had accounts on breached domains (only companies that publicly announced a breach and data leak were counted).
Of these 63 users, only 21 (33%) visited the breached sites to change their password, and of those 21 only 15 did so within three months of the breach announcement.
In total, 23 passwords were changed on the affected domains. Yahoo! dominates the picture: among the participants who changed a password there were only 18 Yahoo! users, while the other 31 Yahoo! users (out of 49 in total) did not change theirs, even though all of them were affected by the leak. Two users changed their Yahoo! password twice, once after each breach announcement. As for timing, 2 users changed their password on the breached domain within one month of the announcement, 5 after two months and 8 after three months.
Because the researchers also collected the participants' passwords, they were able to analyze the strength of the new ones. Of the 21 users who changed a password, only a third (9) chose a stronger one. The rest picked passwords that were weaker or of similar strength. Typically the new password reused character sequences from the old one, or was simply a password the user already used for another account and had saved in the same browser.
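The three failure modes described above (a new password that is merely a variant of the old one, a new password copied from another account, and a new password that is no stronger than the old one) can be checked mechanically against a set of saved credentials. The following is an added example written for this page, not code from the study: the strength estimate (character-class pool size raised to the length, in bits) and the similarity metric (longest common substring as a fraction of the longer password) are crude stand-ins chosen for illustration, not the measures the researchers used, and the 0.5 similarity cut-off and the sample passwords are constructed assumptions.

```python
"""Classify post-breach password changes along the three dimensions the
study reports on: similarity to the old password, reuse of a password saved
for another account, and change in strength.

Added example; the metrics below are simplifications, not the paper's.
"""
import math
from dataclasses import dataclass, field

# Assumed cut-off: a new password sharing at least half of its characters
# with the old one (as one contiguous run) counts as "similar".
SIMILAR_THRESHOLD = 0.5


@dataclass
class PasswordChange:
    domain: str
    old: str
    new: str
    # Passwords the same user has saved for *other* sites in the browser.
    other_saved: tuple = field(default_factory=tuple)


def strength_bits(pw: str) -> float:
    """Crude strength estimate: log2(pool_size ** len), where the pool is the
    union of character classes present. A real guessability model (dictionary
    and pattern aware) would score passwords like 'Welcome1!' far lower."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest contiguous run shared by a and b (O(len(a)*len(b)))."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def similarity(old: str, new: str) -> float:
    """Fraction of the longer password covered by the longest shared run,
    case-insensitive so 'summer2017' -> 'Summer2018!' still reads as a tweak."""
    if not old or not new:
        return 0.0
    return longest_common_substring(old.lower(), new.lower()) / max(len(old), len(new))


def analyze(change: PasswordChange) -> dict:
    """Score one password change on all three dimensions at once, since a new
    password can be 'stronger' by entropy and still be a copy of another account's."""
    return {
        "domain": change.domain,
        "reused_elsewhere": change.new in change.other_saved,
        "similarity": round(similarity(change.old, change.new), 2),
        "strength_delta": round(strength_bits(change.new) - strength_bits(change.old), 1),
    }


def summarize(changes) -> dict:
    """Aggregate counts in the shape the study reports them."""
    results = [analyze(c) for c in changes]
    return {
        "changed": len(results),
        "stronger": sum(r["strength_delta"] > 0 for r in results),
        "not_stronger": sum(r["strength_delta"] <= 0 for r in results),
        "similar_to_old": sum(r["similarity"] >= SIMILAR_THRESHOLD for r in results),
        "reused_elsewhere": sum(r["reused_elsewhere"] for r in results),
    }


# Constructed sample data (hypothetical users and passwords, not from the study).
SAMPLE = [
    PasswordChange("yahoo.com", "Summer2017", "Summer2018!", ("Tr0ub4dor&3",)),   # tweak
    PasswordChange("linkedin.com", "qwerty123", "Tr0ub4dor&3", ("Tr0ub4dor&3",)),  # copied
    PasswordChange("dropbox.com", "Welcome1!", "Welcome1"),                        # weaker
    PasswordChange("adobe.com", "hunter2", "correct horse battery"),               # new, stronger
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(analyze(c))
    print(summarize(SAMPLE))
```

On the constructed sample the summary shows what the study describes: three of the four new passwords score as stronger by raw character-class entropy, yet two are close variants of the old password and one is a copy of a password already saved for another site, so only one change actually moves the user to a password an attacker holding the leaked data could not trivially guess.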
The researchers place much of the blame on the breached services themselves, since they "almost never explain to people that they still need to reset similar and identical passwords for other accounts."