Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: sshg123
sshg123 Author
User level: Level 1
11 points

What is PasswordBreachAgent and why is it running in the background on my Mac?

Hi Guys,


I just did a clean install of Big Sur on my MacBook Pro 15 Late 2013. When I opened activity monitor, I found a process called PasswordBreachAgent running. Anyone know what this is? It is stored at /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/PasswordBreachAgent


Any info would be helpful. It's a very ominous name for a process - but as it stands the only software I have installed so far from a more obscure developer is a ad blocking app from the App Store called Wipr. Other than this, this is a clean fresh machine.


It's really strange that there are almost ZERO google results on this. I would think that the name of the process would get more people a little concerned.


Any input would help. Thanks.

MacBook Pro 15″, macOS 11.0

Posted on Nov 15, 2020 8:21 AM

Reply
Question marked as Top-ranking reply
User profile for user: etresoft
etresoft
User level: Level 9
53,118 points

Posted on Nov 15, 2020 8:37 AM

sshg123 wrote:

It's really strange that there are almost ZERO google results on this. I would think that the name of the process would get more people a little concerned.

I've heard a rumour that Apple is working on its own search engine. I think that would be a welcome development. Google has become a source of conspiracies and fake news. I'm not surprised you wouldn't find anything about this on Google.


However, if you just check your Mac using the "man" command, it explains exactly what this app does:



And for the record, this works via hashes. Your passwords are not sent anywhere. There are websites that will do this (such as https://haveibeenpwned.com) but they are little more than ads for 3rd party security software that duplicates functionality that is built into macOS. And if Apple is doing this check, you can be certain it will be safer than entering your password on some random internet site.

View in context

Similar questions

5 replies
Sort By: 
Question marked as Top-ranking reply
User profile for user: etresoft
etresoft
User level: Level 9
53,118 points

Nov 15, 2020 8:37 AM in response to sshg123

sshg123 wrote:

It's really strange that there are almost ZERO google results on this. I would think that the name of the process would get more people a little concerned.

I've heard a rumour that Apple is working on its own search engine. I think that would be a welcome development. Google has become a source of conspiracies and fake news. I'm not surprised you wouldn't find anything about this on Google.


However, if you just check your Mac using the "man" command, it explains exactly what this app does:



And for the record, this works via hashes. Your passwords are not sent anywhere. There are websites that will do this (such as https://haveibeenpwned.com) but they are little more than ads for 3rd party security software that duplicates functionality that is built into macOS. And if Apple is doing this check, you can be certain it will be safer than entering your password on some random internet site.

Reply
User profile for user: Tim Lorenzen
Tim Lorenzen
User level: Level 4
2,309 points

Nov 15, 2020 8:35 AM in response to leroydouglas

My best guess is that this process is probably checking the passwords in your keychain for whether they're known to have been breached (by submitting hashes of them to an online service like "Have I been pwned?" and comparing to hashes of known breached passwords). This is also mentioned as a new feature here in the Safari section:

https://www.apple.com/macos/big-sur/features/

Reply
User profile for user: leroydouglas
leroydouglas
Community+ 2025
User level: Level 10
191,646 points

Nov 15, 2020 8:27 AM in response to sshg123

sshg123 wrote:

Hi Guys,

I just did a clean install of Big Sur on my MacBook Pro 15 Late 2013. When I opened activity monitor, I found a process called PasswordBreachAgent running. Anyone know what this is? It is stored at /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/PasswordBreachAgent

Any info would be helpful. It's a very ominous name for a process - but as it stands the only software I have installed so far from a more obscure developer is a ad blocking app from the App Store called Wipr. Other than this, this is a clean fresh machine.

It's really strange that there are almost ZERO google results on this. I would think that the name of the process would get more people a little concerned.

Any input would help. Thanks.



If you are not having any problems I see this as a non-issue.


It is a legitimate process as you document, from the Finder>Go>Go To Folder:

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/PasswordBreachAgent



ref: macOS - Security - Apple https://www.apple.com/macos/security/

ref: Apple Platform Security - Apple https://support.apple.com/guide/security/welcome/web




About the read-only system volume in macOS Catalina /Big Sur- Apple ...


Reply
User profile for user: Germanotta
Germanotta
User level: Level 1
11 points

Dec 18, 2020 7:07 AM in response to sshg123

I have also found this process on two installations, one clean, one not. The process itself doesn't seem contain much, mostly references to Apple root certificates. It's probably a new feature of Safari to advise the user in case of weak or leaked passwords or something like that. Anyway, a malicious process would disguise itself with a much better name than PasswordBreachAgent


PS

Didn't see the posts above, it all makes sense now

Reply

What is PasswordBreachAgent and why is it running in the background on my Mac?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up