A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they’re keen on having their data hijacked, their identity stolen, or worse.

It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that’s largely mitigated by using a password manager and a unique password for each site you visit.

Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it’s still a confusing process for many users unsure of which passwords need updating.

To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary.

The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer.
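One common way to check a credential against a breach corpus without the server learning it is a hash-prefix (k-anonymity) range query: the client sends only a short prefix of the credential hash, the server returns every known suffix under that prefix, and the comparison happens locally. The example below is added here to illustrate that idea; it is not the Stanford-designed protocol the article refers to, and the breach list, usernames and passwords in it are constructed.

```python
import hashlib

# Constructed breach corpus: a toy stand-in for the billions of exposed
# username/password pairs a real checker would hold.
CONSTRUCTED_BREACHED = {
    ("alice@example.com", "password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "hunter2"),
}

# Hex characters of the hash the client reveals. With a corpus of billions
# of entries, each 5-character bucket holds many unrelated credentials, so
# the prefix alone does not identify which one (if any) the client has.
PREFIX_LEN = 5


def credential_hash(username: str, password: str) -> str:
    """Hash the (username, password) pair; the full digest never leaves the client.
    A production scheme would use a slow, salted hash here; SHA-256 keeps the
    example short."""
    data = f"{username.lower()}\x00{password}".encode()
    return hashlib.sha256(data).hexdigest()


class BreachServer:
    """Server side: stores only hash suffixes, bucketed by hash prefix."""

    def __init__(self, breached):
        self.buckets = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])

    def range_query(self, prefix: str) -> list:
        """Answer with every suffix in the bucket; the server learns only the prefix."""
        assert len(prefix) == PREFIX_LEN
        return list(self.buckets.get(prefix, []))


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """Client side: reveal the prefix, match the suffix locally."""
    h = credential_hash(username, password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


if __name__ == "__main__":
    srv = BreachServer(CONSTRUCTED_BREACHED)
    print(client_check(srv, "alice@example.com", "password123"))  # True
    print(client_check(srv, "alice@example.com", "Tr0ub4dor&3"))  # False
```

The server-side `range_query` is the only network exchange; a breach-data operator running it sees the prefix and nothing else.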

Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is. The company’s full study, available here, is being presented this week as part of the USENIX Security Symposium in Santa Clara, California.

“Since our launch, over 650,000 people have participated in our early experiment,” Google told Motherboard in a statement. “In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe—1.5% of sign-ins scanned by the extension.”