Security Monitoring Sites Report a Breach from Avast's Login Page

My credit and security monitoring services (Experian, TurboTax/ID Notify) are reporting that my email has shown up on the “Dark Web” and that the breach was specific to the Avast login page. The notices coincide with my going to the site to try and make sure my AV license was updated.

https://id.avast.com/sso

This URL redirects to:
https://account.avast.com/#/

What’s up with that?

This could be related to a breach that happened many years ago.
I’ve not had any recent notifications and use the same monitoring service.

Did Experian give any further details?

Because it was coincident with my logging into the Avast site, I really doubt that a prior breach was the issue unless the site is compromised and capturing logins via some nefarious means installed on their server and allowing the data to be posted on the Dark Web.

Reported to Avast; let’s see what they have to say.

Hello Martin252,

Thank you for bringing this to our attention. We’d like to investigate the matter further, but we will require more information from you. Could you please get in touch with our support team using this link: https://support.avast.com/en-us/contact/paid_pc_avast-premium-security#pc

Please include the information you mentioned in this forum thread, and our support team will get back to you as soon as possible.

Thank you for taking the time to let us know about this issue.

Best regards,
Ognjen

Thanks, Ognjen!

I’ll make sure to report back here what was found.

This is something everyone should be kept informed about. Thanks

I provided the requested detail on December 16th and am waiting for a response.

Still no response.

Amazing and disappointing.

Hi Martin. Please accept our apology for the delay; I realize it’s been a while since you last wrote to us. Our team needed some time to analyze the information you sent.

I checked our records, and I see that my colleague replied to you yesterday. Could you please check your inbox?

Thank you for your patience and understanding.

Yes. I got a reply that makes very little sense.

Hello Martin,

I hope you’re doing well.

My name is Miroslav, and I am writing to you on behalf of Avast’s senior support team.
I realize there’s been a delay in response to your query, and I’d like to apologize for that and would like to address your issue now.

We would like to respectfully clarify that our Hack Check Tool was not the root cause of your information being exposed and shared on the Dark Web.

Thank you for providing the screenshots of two notices from monitoring companies. Our systems are secure and operational. Strong encryption is part of our multi-layer protection. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We immediately investigated the scope of the issue and notified the relevant data protection regulators and those whose data may have been impacted.

If you suspect that any of your personal information may have been compromised and leaked on the Dark Web recently, it is important to take necessary precautions to protect your account. While it is possible that the source of the leak may not be Avast, we still recommend that you change your password for your Avast Account as a precautionary measure. Thank you for your attention to this matter.

Additionally, we would like to offer you a free 6-month subscription to Avast BreachGuard. This service can help monitor for your personal information on the dark web.

Please let us know your thoughts on this matter.

Miroslav
Avast Customer Care Team

Are your systems secure? Or was there an incident? It sounds like the latter.
There’s only one way my info showed up on the dark web right after logging into your site. Your site was compromised.
If there was never any problem, why am I being offered dark web monitoring, at your expense?
All I was doing with this post is letting you know you got hacked. Your deflection and denial are falling on deaf ears.

I do find it interesting how nothing happens until this post comes back to the top of the list because I update the status showing there is no change in status on your investigation.

Piriform acknowledged an incident in 2023.
CCleaner said it was impacted by the MOVEit Transfer bug.
I believe that Avast also used this service and may very well be subject to the same bug.
See the following article for more information on the Piriform incident:
https://cybernews.com/news/ccleaner-confirms-data-breach/
A clarification by or from Avast would be appreciated. Thanks

I received another response from Customer Support that shows they’re monitoring this thread, but which makes no sense:

Hello Martin,

I sincerely apologize for the delayed response.
We’ve checked it carefully, we do not track your email address leaked as a result of MOVEit. Also, we are not aware of any breach related to id.avast.com.

It appears that the reason for the warning message you received is due to a coincidence of your leaked email address and the same email address being used on ID Avast. However, the breach has occurred from another source. One possibility is that you may have an extension in your browser that detected the login. We recommend changing the password on ID Avast as a precautionary measure to ensure your account’s safety.

If you run into any trouble along the way or have any questions, feel free to message me at any time.

Miroslav
Avast Customer Care Team

The Avast login page URL was clearly included in the details reported by both Dark Web monitoring services.
They reported this almost immediately after I logged in to Avast and are not reporting any other incidences of my information being leaked.

It actually makes a lot of sense. If you use the same email address, as many of us do, and it is hacked or harvested by the dark side, then all sites that use that email address are in danger and the password should be changed for all the sites that use that email address. The breach only happened on one site and Avast has stated it wasn’t related to id.avast.com. Hope that helps.

It does nothing to explain why it’s just id.avast.com or why it occurred in tandem with a login to the site.