Google: Data Breaches Account For Most Stolen Credentials

In a study that ran from March 2016 to March 2017, researchers from Google, the University of California, Berkeley and the International Computer Science Institute discovered that data breaches were the No. 1 way to steal users’ account credentials. Far behind them were phishing and keyloggers.

Damage Caused By Stolen Credentials

Google said that users' online security often depends primarily on their email password. Once that email password is obtained, attackers can then recover the victim’s passwords from a multitude of other online services for which they had an account. Then, the attacker can download the victim’s private data, remotely wipe backups, or impersonate the victim to send spam, or worse.

This type of attack can affect high-profile internet users, for which Google has recently launched its Advanced Protection Program, but millions of regular users can be affected as well.

Google’s Study

Google analyzed stolen data from data breaches that has appeared on underground forums, phishing kits that trick users into submitting their details to fake login pages, and off-the-shelf keyloggers that harvest passwords from infected machines.


Modern off-the-shelf keyloggers can steal on-device password stores, harvest clipboard content, and screenshot a victim’s activity in addition to monitoring keystrokes. During their one-year study, the researchers identified 788,000 victims of keylogging. More than 10,700 of the stolen credentials were for banking accounts, and over 149,000 were email passwords stolen over a seven-month period in 2008.

There are now botnets that use keyloggers, too, so they can steal the credentials of every machine they infect. One of the botnets the researchers analyzed, Torpig, was able to steal 54,000 email passwords and 400,000 other credentials from HTTP forms over a 10-day period.

Keyloggers seem to disproportionately affect victims in countries such as Turkey, the Philippines, Malaysia, Thailand, and Iran.

Phishing Kits

Phishing Kits are “ready-to-deploy” packages for creating and configuring phishing content that also provide built-in support for reporting the stolen credentials to the attacker. Typically, these kits steal information such as: usernames, passwords, geolocation, and other sensitive data.

The researchers found 4,069 distinct phishing kits. The most popular phishing kit would emulate Gmail, Yahoo, and Hotmail login pages, and was used by 2,599 blackhat actors to steal over 1.4 million credentials. In total, the study found that 12.4 million credentials were stolen within the year. It also also found that the operators of the phishing kits and keyloggers seem to originate mainly from African and East-Asian countries.

Data Breaches

The researchers discovered that 1.9 billion credentials were stolen in data breaches, a number far greater than the number of credentials stolen via either keylogging or phishing. Many companies continue not to encrypted data at rest, even for sensitive information such as login details. This seems to be making it too easy for sophisticated attackers to steal hundreds of millions of account credentials in one big hack and then sell them online.

When comparing data leaked from data breaches, other researchers have found that 43% of the passwords were re-used across some major services.

Gmail Users Most Vulnerable To Phishing

Despite many more credentials being exposed via data breaches, the researchers found that this type of attack wasn’t the primary threat for Gmail users. For one, Gmail hasn’t had to deal with such major data breaches against its own service, so the attackers that try to compromise Gmail accounts typically take advantage of password re-use across services. If someone is using the same password for Gmail as they do for some other site that was hacked, then it’s easier to compromise the Gmail account.

The second reason why data breaches don’t affect Gmail users as much is because of Gmail’s additional security features. When someone tries to login from a different location, Google sometimes blocks access to those accounts and asks for additional information before allowing the user (or the attacker) to login.

For this reason, among the three types of attacks, phishing works best against Gmail accounts. The phishers can obtain geolocation, phone numbers, browser user-agents, and so on, which they can use to avoid Gmail’s automated protections.

According to the study’s researchers, only 7% of the victims having their credentials exposed in third-party data breaches had their Gmail accounts compromised, compared to 12% of the keylogger victims and 25% of the phishing victims.

The researchers also found that phishing victims had a 400x larger likelihood of having their Gmail account compromised compared to a random Gmail user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims.

Two-Factor Authentication

As always, the best way to protect against having your accounts compromised is to use two-factor authentication. It’s even better if you use an “un-phishable” U2F security key.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.