
Leaked Credential Detection

When you sign in with a password that has appeared in a known data breach at another service, Forbidden Finance surfaces a one-time email and an in-app banner. We never block your access; we recommend rotation.

Overview

When you sign in to Forbidden Finance, our network provider (Cloudflare) compares the password you submitted against publicly known credential-breach corpora. If the password has previously appeared in a data breach at another service, Cloudflare adds a flag to the request before it reaches our servers. We use that flag to:

  • Surface a banner on your dashboard recommending a password change
  • Send a single rotation-recommendation email to your account address

Your access is never blocked. This is informational only.
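The edge flag described above is only meaningful if it really came from the network provider. As an added illustration (not Forbidden Finance's or Cloudflare's code), the snippet below shows the check an origin server would do before acting on the flag: ignore the header entirely on any request that did not arrive through the edge, because a client talking straight to the origin could attach the same header itself. The header name, the placeholder edge networks (RFC 5737 documentation prefixes, not Cloudflare's real ranges) and the request samples are all assumptions constructed for the example; the page says only that Cloudflare "adds a flag to the request".

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Assumed header carrying the match result. The page does not name the flag;
# this name is an assumption for the example, not a documented Cloudflare value.
LEAKED_CREDENTIAL_HEADER = "x-leaked-credential-match"

# Constructed placeholder networks standing in for the edge provider's egress
# ranges. Real deployments would load the provider's published list instead.
EDGE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def arrived_via_edge(peer_ip: str, edge_ranges: Iterable = EDGE_RANGES) -> bool:
    """True only when the TCP peer belongs to one of the edge's networks."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in edge_ranges)


def leaked_credential_signal(headers: Mapping[str, str], peer_ip: str,
                             edge_ranges: Iterable = EDGE_RANGES) -> Optional[str]:
    """Return the opaque match indicator, or None when there is no trustworthy flag.

    The header is trusted only if the edge set it. Requests that did not come
    through the edge are treated as unflagged no matter what they carry, so a
    spoofed header cannot trigger the rotation email or the banner.
    """
    if not arrived_via_edge(peer_ip, edge_ranges):
        return None
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(LEAKED_CREDENTIAL_HEADER.lower(), "").strip()
    # The value stays opaque: it is recorded for triage only and is never
    # interpreted as, or combined with, the submitted password.
    return value or None


if __name__ == "__main__":
    # Constructed sample requests: one genuine edge request, one direct-to-origin
    # request that carries the header anyway.
    print(leaked_credential_signal({"X-Leaked-Credential-Match": "password"}, "192.0.2.10"))
    print(leaked_credential_signal({"X-Leaked-Credential-Match": "password"}, "203.0.113.5"))
```

The same trust boundary can be enforced more strongly by refusing any non-edge traffic at the origin (firewall rules or mutually authenticated origin pulls); the function above is the minimum an application layer should do when it cannot assume that.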

What you'll see

Email

The subject line is "A password you used has appeared in a breach — Forbidden Finance", sent from [email protected]. The body explains that your account has not been compromised — multi-factor authentication is exactly why a leaked password alone cannot get into your data here — and asks you to consider rotating because of the cross-service credential-reuse risk.

You will only ever receive one of these emails per detection cycle. If you do not change your password after dismissing the in-app banner, we do not email you again about the same signal; the banner is the only follow-up surface.

In-app banner

A red shield card appears at the top of your dashboard with the headline Security tip and a Change button that opens the password-change sheet. You can dismiss the banner with the × icon; this hides it for now, but does not change anything else about your account.

Final reminder (30 days)

If you dismiss the banner and do not change your password within 30 days of the first detection, the banner re-appears on your next dashboard load with the headline Final reminder and stronger copy framed around credential reuse and the risk to financial accounts. There is no second email — the banner is the only re-surface.

Why we recommend rotation, given the account isn't compromised

The risk is not the Forbidden Finance side. Your account is protected by:

  • Multi-factor authentication (passkeys, TOTP, or hardware key) — this is why a leaked password alone cannot sign in
  • Session anomaly detection — new-device logins are flagged and emailed to you separately
  • Self-hosted authentication — your credentials never pass through a third-party identity provider

The risk is the other services where you might have used the same password. Once a credential pair appears in a public breach corpus, automated attackers run that pair against every major service. Financial accounts sit at the top of that list. Using a unique password at Forbidden Finance breaks the chain.

How to stop seeing the banner

The banner clears automatically when you change your Forbidden Finance password.

Open Settings

Tap Settings at the bottom of the app (or in the sidebar on web).

Open the security section

Tap Profile & Security.

Change password

Tap Change password, enter your current password, and choose a new one. We recommend a password unique to Forbidden Finance — a password manager makes this painless.

If Cloudflare detects your new password in a breach corpus on a later login (this can happen if you rotate to another already-leaked password), the signal re-opens and a fresh email and banner fire. The check runs on every login.

What we record

When Cloudflare flags a login, we record a single row per user that stores only:

  • The timestamp of the first detection
  • The timestamp of the most recent detection
  • A running count of detections
  • An opaque indicator of what Cloudflare matched (used internally for triage only)
  • The current resolution state (notified, dismissed, or resolved by password change)

We never store the matched password or the corpus it came from. Full details are in the Privacy Policy §1.6 and §1.5.
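The single per-user row above, together with the one-email-per-cycle rule, the dismiss behaviour, the 30-day final reminder and the re-open after a later detection, describes a small lifecycle. The following is an added example, not Forbidden Finance's own code, of how that lifecycle could be modelled so the rules are testable. Class and function names are invented for the example; two details the page leaves open are assumptions and marked as such in the code: the one-email guard is kept on the row, and a re-open after a password change keeps the running count but restarts the timestamps and the 30-day timer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional


class State(str, Enum):
    NOTIFIED = "notified"      # detected, single email sent, banner showing
    DISMISSED = "dismissed"    # user hid the banner; final reminder may follow
    RESOLVED = "resolved"      # password changed; nothing is shown


FINAL_REMINDER_AFTER = timedelta(days=30)


@dataclass
class DetectionRow:
    """The one row per user the page describes: two timestamps, a count, an
    opaque match indicator and the resolution state. No password, no corpus."""
    first_detected_at: datetime
    last_detected_at: datetime
    detection_count: int
    match_indicator: str
    state: State
    email_sent: bool = False   # assumption: the one-email guard lives on the row


class LeakedCredentialTracker:
    def __init__(self, send_rotation_email: Callable[[str], None]) -> None:
        self._rows: Dict[str, DetectionRow] = {}
        self._send_rotation_email = send_rotation_email

    def on_flagged_login(self, user_id: str, match_indicator: str, now: datetime) -> DetectionRow:
        row = self._rows.get(user_id)
        if row is None or row.state is State.RESOLVED:
            # First detection, or a re-open after a password change: a new cycle,
            # so the banner, the single email and the 30-day timer fire again.
            # Assumption: the running count carries over; the timestamps reset.
            count = row.detection_count + 1 if row else 1
            row = DetectionRow(now, now, count, match_indicator, State.NOTIFIED)
            self._rows[user_id] = row
        else:
            # Repeat detection inside an open cycle: update the row, no second email.
            row.last_detected_at = now
            row.detection_count += 1
            row.match_indicator = match_indicator
        if not row.email_sent:
            self._send_rotation_email(user_id)
            row.email_sent = True
        return row

    def on_banner_dismissed(self, user_id: str) -> None:
        row = self._rows.get(user_id)
        if row and row.state is State.NOTIFIED:
            row.state = State.DISMISSED

    def on_password_changed(self, user_id: str) -> None:
        row = self._rows.get(user_id)
        if row:
            row.state = State.RESOLVED   # banner clears; a later match re-opens

    def banner_for(self, user_id: str, now: datetime) -> Optional[str]:
        """Headline to render on dashboard load, or None when nothing is shown."""
        row = self._rows.get(user_id)
        if row is None or row.state is State.RESOLVED:
            return None
        if row.state is State.NOTIFIED:
            return "Security tip"
        # Dismissed: hidden until 30 days after the cycle's first detection, then
        # re-surfaced with the stronger copy. Still no second email.
        if now - row.first_detected_at >= FINAL_REMINDER_AFTER:
            return "Final reminder"
        return None

    def record_for(self, user_id: str) -> Optional[DetectionRow]:
        return self._rows.get(user_id)


def run_scenario() -> dict:
    """Walk one constructed user through the whole lifecycle."""
    emails = []
    tracker = LeakedCredentialTracker(emails.append)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    banners = []
    tracker.on_flagged_login("u1", "pw-match", t0)
    banners.append(tracker.banner_for("u1", t0))                 # Security tip
    tracker.on_flagged_login("u1", "pw-match", t0 + 1 * day)     # same cycle, no email
    tracker.on_banner_dismissed("u1")
    banners.append(tracker.banner_for("u1", t0 + 10 * day))      # hidden
    banners.append(tracker.banner_for("u1", t0 + 31 * day))      # Final reminder
    tracker.on_password_changed("u1")
    banners.append(tracker.banner_for("u1", t0 + 32 * day))      # cleared
    tracker.on_flagged_login("u1", "pw-match", t0 + 40 * day)    # re-open, fresh email
    banners.append(tracker.banner_for("u1", t0 + 40 * day))      # Security tip
    row = tracker.record_for("u1")
    return {"emails": emails, "banners": banners,
            "count": row.detection_count, "state": row.state.value}


if __name__ == "__main__":
    print(run_scenario())
```

Keeping the email guard and the cycle timestamps on the same row is what makes the "one email per detection cycle" promise auditable: a reviewer can read the row and see exactly why a second email did or did not go out.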

Frequently Asked Questions

Does this mean my Forbidden Finance account was hacked?

No. We detect the password match at the network edge before the login completes. Your account is intact and protected by multi-factor authentication. The recommendation to rotate is precautionary — to protect other accounts where you might be using the same password.

Can I turn this off?

No. Leaked-credential detection is a security control that protects all users; it cannot be disabled per-account. It only ever recommends; it never blocks.

Why doesn't Cloudflare send the full password to you?

Cloudflare performs the corpus match at its own edge using its own data. We receive only a flag indicating that a match occurred — never the password itself or the corpus entry. Plaintext credentials are not transmitted to us beyond the standard authenticated login flow.

What if I get this email but I didn't try to sign in?

Forward the email to [email protected]. A login attempt reached our authentication endpoint with a credential that matched a breach corpus — if it wasn't you, someone is testing your credentials. We will help you secure the account.

Detailed Security Guides

Passkeys

Set up phishing-resistant login with passkeys.

Authenticator App (TOTP)

Add a 6-digit code from an authenticator app.

Session Management

View and revoke active sessions.

Security Overview

All security features at a glance.

Need more help? Contact us at [email protected].