25% of the Nearly Two Billion Stolen Google Passwords Still Work

According to new research by Google and Berkeley, there are "hundreds of millions" of pieces of stolen login information traded on hacker forums and the dark web - and some of it still works.  This research used Googles own internal data for analysis, and researchers estimated that up to 25% of these credentials are still current and their associated accounts exposed.  According to the report: "Through a combination of password re-use across thousands of online services and targeted collection, we estimated 7–25% of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust."

The issue is rooted simply is the practice of reusing passwords across multiple platforms - email, Twitter, Facebook, banking, etc.  If one platform is compromised, a common username and password could work elsewhere, and hackers know to check.  And, the ultimate prize is access to an email account, which provides a buffet into a person's online presence via information and password resets.  It's not just the little guys who are getting hacked: Channing Tatum, Google CEO Sundar Pichai, CTO Werner Vogels, and even Mark Zuckerberg himself have been subject to compromised accounts.  In Zuckerberg's case it was his common password of "dadada" on his Twitter and Pinterest accounts that got him into trouble and his Twitter was hijacked by a group calling themselves OurMine.

So, how are hackers getting these credentials in the first place?  The first way is of course through hacking a platform and stealing databases of information, but the second method is phishing, which despite awareness is still quite successful.  A third also exists too - keylogger viruses that surreptitiously send a user's login info to a hacker as they log into their accounts.  Research also found that these viruses have not evolved over the years either - meaning that operating system developers aren't building resistance into their platforms.

All of this begs the question..."what can I do?" and there are a few things you can do to help protect yourself.  The researchers of this study recommend the following:

  • Enabling two factor authentication - meaning that logging into an account not only requires a username and password, but also a code sent via text message to a separate device or account.
  • Use a password manageer - these utilities can generate unique passwords for each of your accounts (and also helps you remember them).
  • Don't use insecure passwords - passwords like 123456 or abc123 are just asking for trouble, so use a password that uses a hard-to-guess combination of letters, numbers, and symbols.

Using the above methods to secure your online presence is a great starting point, but one should always be cautious of unsolicited emails requesting a login, or sketchy links.  And what became of the accounts that the researchers found to be compromised?  Google enabled a forced password reset on them.

This article was based on a November 13, 2017 TechInsider.com article by Kif Leswing.

Date: 
November 14, 2017