Study finds users rarely change passwords even after account breach

Researchers at Carnegie Mellon University’s Institute of Security and Privacy found that only a small number of users change their passwords after their accounts are compromised. The finding is based not on survey data but on real user browser traffic. The study used data collected by the Security Behavior Observatory (SBO) project at Carnegie Mellon University, in which users voluntarily chose to share their complete browser traffic for academic purposes.

The data was collected between January 2017 and December 2018. In addition to web traffic, it includes the passwords used to log in to websites and the passwords stored in the browser.

During the data collection period, 63 of the 249 users had accounts that were compromised. Only 21 of those 63 users visited the site where the account was compromised to change their passwords, and 15 of the 21 changed them within 3 months of the account breach.