Google study shows how your account is most likely to be hijacked
Security threats like phishing, keylogging and third-party breaches are pretty common knowledge. Google wanted to gain a better understanding of how hijackers steal passwords and other sensitive data in the wild, though, so it conducted an analysis of online black markets from March 2016 to March 2017. The result? It found that among the three, phishing poses the biggest threat to your online security. Together with credential leaks, the two represent a threat “orders of magnitude larger than keyloggers.”
The tech titan found 788,000 credentials that were stolen via keyloggers, 12 million stolen via phishing and 3.3 billion exposed by third-party breaches within a year of investigating black markets. A total of 12 percent of the exposed records it found used Gmail addresses as a username, and seven percent of those accounts reused the Gmail password for other services, making them more vulnerable than the others.
Howevever, since Google incorporates safety measures to prevent strangers from logging into your account, the company also saw increasingly sophisticated tools capable of collecting data other than usernames and passwords. Among the phishing tools and keyloggers Google examined, 82 percent and 74 percent, respectively, have the capability collect IP addresses. It also found tools that can collect phone numbers, as well as devices’ make and model. Hijackers can then use those info to authenticate the identities of the accounts they’re stealing.
Mountain View says it applied what it learned from the study to its “existing protections and secured 67 million Google accounts before they were abused.” It launched new security features over the past year, as well, including Advanced Protection to secure the accounts of people most likely to be hacked, such as celebrities and politicians. Despite providing ample protection for your accounts, Google still recommends using a password generator and activating two-factor authentication to make your credentials “unphishable.”
Source: Google Security Blog