We monitor databases of leaked combinations of emails and passwords that get published on the internet after data breaches. We do this to see if any of our users' login information might have been compromised.
The technology we use prevents us from seeing your passwords, and we update the compromised passwords immediately to improve your security.
We take the plain text passwords from these databases, hash them with the bcrypt hashing algorithm that we use for our accounts and compare it with the data of our users. If we find that one of our users has the same combination of email and password as in one of the leaked databases, we reset their password and ask them to choose a new password.
Because we only have the irreversible hash of the passwords stored on Kiwi.com, and we reset passwords as soon as we discover that they were compromised, we cannot see the login information in plain text.
This processing of Personal Data is done based on the legal ground of legitimate interest in the security of our users. If you want to exercise any of your rights under the GDPR, or if you have any more questions, please contact us via the channels described at www.kiwi.com/privacy.