Published on: 1 October 2020
F5’s Leaked Credential Check service (the “Service”) helps customers who use BIG-IP recognize when an attempt to login to their online property has been made with a username/password pair that matches one that was stolen from an unrelated third-party property. The customer can decide how to act on this information, such as by requiring the purported user to reset their password, or requiring additional authentication from the purported user before completing a high-risk action like a gift card purchase or funds transfer. This Privacy Statement applies to the data that the Service uses.
Under the data protection laws of the EU and similar jurisdictions, F5 is a processor of the query data that the Service receives from F5’s customer, and the customer is (or acts on behalf of) a controller of such data, to the extent it contains personal data.
The Service is powered by a proprietary corpus of hashed username/password pairs known to be compromised. To the extent this corpus constitutes personal data, F5 is its controller. The information in this corpus is sourced primarily from (i) lists of stolen username/password pairs seen on the dark web and (ii) contributions from customers or security researchers that authorize F5 to use username/password hashes for the collective defense.
The Service will receive, as a query, hashes derived from a username and password. The Service will then take a customer-specified action based on whether the username/password pair is known to be compromised (i.e., whether the username/password pair is reflected in the corpus of leaked credentials that powers the Service). This action could include blocking the login attempt or forwarding the user to a page where the customer takes some other action, such as requiring a password reset or additional authentication.
If you believe that the Service has improperly blocked or restricted your access to an F5 customer’s online property, please contact that customer to request restoration of your access.
To exercise your rights with respect to the query data that F5 processes when providing the Service to a customer, please contact that customer. To exercise your rights with respect to other data, you may contact F5. For more information about F5’s privacy practices, please see the F5 Privacy Notice.