Service NSW to check credential security at login


From today, Service NSW will run a new background check whenever a user logs into their MyServiceNSW account, verifying whether the credentials have been exposed via a third-party data breach or leak.



The agency emailed customers on Wednesday afternoon to notify them of “new security features” being applied to accounts.

“When you log in to your MyServiceNSW Account, we will immediately check the dark web for leaked email address and password combinations, alert you if we find the email address and password you just used, [and] strongly suggest you change your password,” it stated.

Users will also be “encouraged” to run multi-factor authentication on the account, if they haven’t enabled it already.

Service NSW said that the credential check will run automatically and that it would not disclose the credentials “to anyone” as part of the process.

Users will be prompted to change their password both via the app and via email, with a FAQ page stating that “you cannot opt out of this service.”

The agency declined to identify the technology or service it is using to run the checks.

In a statement, it said it’s “working closely with trusted global technology and security vendors”.

Earlier this month, Service NSW unveiled what it called a ‘password strength tester’, where anyone can type in a password and receive advice on how difficult it would be to guess or crack.

At the same time, the tester also runs a check on the password via “Troy Hunt’s Pwned Passwords API”, according to the website fine print.

It’s not clear whether the security check applied to MyServiceNSW logins uses the same architecture, simply applied on a mandatory rather than voluntary basis.

iTnews was unable to source specific details of the architecture by the time of publication.
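The Pwned Passwords API named above answers range queries: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally, so the password itself is never disclosed. The following is an added example of that model, not Service NSW's code (its design is undisclosed); the response body is constructed and `constructed_range_body` is a hypothetical helper.

```python
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix that is sent, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in the range response for its prefix.

    range_body holds one "SUFFIX:COUNT" entry per line. Padded responses
    include decoy entries with a count of 0, which must not be treated as exposure.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue  # ignore blank or malformed lines instead of failing the login
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(password: str, count: int) -> str:
    """Hypothetical helper: build a constructed response body (not real breach data)."""
    _, suffix = split_hash(password)
    return "\r\n".join([
        "0" * 35 + ":0",      # constructed padding-style decoy entry
        f"{suffix}:{count}",  # the entry matching this password
        "F" * 35 + ":7",      # constructed unrelated entry
    ])


if __name__ == "__main__":
    body = constructed_range_body("password", 12345)  # constructed count
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(pw)
        n = breach_count(pw, body)
        action = "prompt password change" if n else "no match"
        print(f"prefix sent: {prefix}  count: {n}  -> {action}")
```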

The agency will be running some 2.7 million security checks on credentials a month, based on its usage figures.

In a statement supplied to iTnews, minister for customer service and digital government Jihad Dib said that “a lot of people use the same password for multiple online accounts, exposing them to a data breach or leaks.”

“The new cyber tools offered by Service NSW provide an additional layer of security and peace of mind for people in NSW,” he said.

Service NSW’s documentation made clear that it was not responsible for the leaking of credential combinations; it just wanted to prevent stolen credentials from other incidents being used to authenticate to the state government’s digital service delivery portal.


