Disclosed are systems, methods, and non-transitory computer-readable storage media for detecting compromised credentials. In some implementations, a content management system can receive information identifying compromised login credentials (e.g., account identifier, password, etc.) from a third party server. The login credentials can be represented by a first hash value generated using a hashing algorithm. When a user logs in to the content management system the user can provide the user's account identifier and password for the content management system. The content management system can generate a second hash value from the user-supplied password using the same hashing algorithm used for the compromised login credentials. The content management system can determine whether the second hash value matches the first hash value and prompt the user to provide a new password for the user's content management system account when the second hash value matches the first hash value.