Security alert from Google: one million account credentials are stolen every month

More than 15 percent of daily internet users have reported that their email or social media account has been hijacked. However, despite how familiar the problem is, there is a dearth of research into the root causes of hijacking.

Google teamed up with UC Berkeley for the research, in which they analysed "several black markets" that traded third-party password breaches and 25,000 blackhat tools used for phishing and keylogging, between March 2016 and March 2017.

The largest group of stolen logins that Google found for sale on black markets, totalling 3.3 billion, came from third-party data breaches.

Google presented their findings during the Conference on Computer and Communications Security (CCS); a full copy is available online.

The Google team published their findings, which they deemed "immediately useful", in a blog post.

However, Google advised users to follow a few simple steps to avoid such online hacks and said that doing so will help make their accounts more secure.

"These sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches."

Google has conducted a study that delves deeper into how accounts get hacked, taken over, or hijacked. Phishing and keylogging attempts often targeted Google accounts but were only somewhat successful, with 12 to 25 per cent producing a valid password.

However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder's identity. If the hackers are unable to hijack an account, they use secret tools to extract users' personal details, including phone numbers, IP addresses, device types and locations.

Google said the majority of those using phishing kits and keyloggers to compromise credentials are concentrated in Nigeria, followed by the United States, Morocco, South Africa, United Kingdom, and Malaysia.

The study, which was conducted by researchers from Google and UC Berkeley, also revealed that hundreds of millions of usernames and passwords that can be used to access Google accounts are now being traded on black markets. Since human errors are hard to prevent, experts believe existing protections should be upgraded in order to keep users safe and stay ahead of hackers. "When we find any, we lock down the affected accounts to prevent any further damage as quickly as possible". For example, Safe Browsing, which now protects more than 3 billion devices, alerts users before they visit a risky site or when they click a link to an unsafe site within Gmail. For stronger security, there's also the company's Advanced Protection program that consists of three core defenses, including but not limited to Security Keys.