Password Breach Email

I received an email, allegedly from Avast saying that my password was reset because it was found in a breach. However, there are two suspicious things about this:

  1. I can clearly login to post this message.
  2. I OAuth through Google, so there is no password to check.

Can someone confirm that this is a legit email from Avast?

=== Full Text of Email ===
Please update your Avast Account password

We’ve reset your password because the email and password you were using for your Avast Account were compromised in a leak on another service.

Don’t worry, your account is secure. This is just a security precaution to make sure it stays that way.

To update your password, just click here:

UPDATE MY PASSWORD

You should also change this password anywhere else you might be using it. Remember, it’s not safe to reuse passwords. 	 

How do you know my password leaked? 	 

When you signed in to your Avast Account, we compared your sign-in information against a database of leaked data managed by SpyCloud, a third-party cybersecurity company. This revealed that your password had been leaked. Your password was not shared with anyone during this check. 	 

Need any help? 	 

For help updating your password and other Avast Account questions, visit our Support Center.

Your Avast Team

1) I can clearly login to post this message. 2) I OAuth through Google, so there is no password to check.
  1. I don’t know if they would change it immediately. But your logon/account creation would be based on your email used.
    I have never liked this kind of check (Breach Guard), yes they can see your details used when creating an Avast account. But I don’t know how they can actually check passwords if they were encrypted.

  2. I don’t know if Avast could check your OAuth login through Google, unless it can be seen when it can be seen at that time.

Do you have Avast Breach Guard installed (I don’t use that) as this would be the likely reason to get an email like this ?

If so this could be a legitimate notification of or could well be a spoof, I certainly wouldn’t click any link in the email. I would hover the pointer over the link to see what the underlying URL was, did you do that ?

Me, I’m a trusting sort NOT, so I don’t trust anyone else to look after my security which is one reason I don’t use anything like this.

Yeah, I should have included that I moused over the links. They look reasonably sane and I wouldn’t have posted here if they looked like phishing.

The update link looks like https://click.emails.avast.com/?qs=

I don’t have breach guard installed, in fact, I don’t even have Avast installed anymore.

As for OAuth, if Google is doing it right, they should only get a session token from Google, being able to see the password would be a major bug.

I think I’m just going to delete the email.

It just seems strange to me, how they can possibly monitor passwords used if they aren’t plain text.

Yes there are ways to check as mentioned in the email:

When you signed in to your Avast Account, we compared your sign-in information against a database of leaked data managed by SpyCloud, a third-party cybersecurity company. This revealed that your password had been leaked. Your password was not shared with anyone during this check.

Now I don’t know how you signed in to your avast account (not sure it could be created using OAuth login through Google) or what you entered that could possibly be checked against this database.

But if it was by OAuth login through Google, that would surely be a unique entry (session token from Google), which presumably wouldn’t be reused, so in theory wouldn’t be used again in some other instance.

Certainly strange.