Google Research Finds Stolen Credentials For Sale
A study of dark web markets by Google has found millions of usernames and passwords that were stolen directly through attacks, and billions of usernames and passwords indirectly exposed in third-party data breaches.
The research, conducted between March 2016 and March 2017 in partnership with the University of California at Berkeley, involved creating an automated system to scan public websites and criminal forums for stolen credentials.
The researchers identified 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing and 3.3 billion credentials exposed by third-party breaches. In the third-party data breaches, 12% of the exposed records included a Gmail address used as the username, together with a password.
Because account reset often requires a third factor such as a phone, 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.
Google said that the research has enabled it to apply security protections to prevent 67 million Google accounts from being abused.
Lisa Baergen, director at NuData Security, said: “This news affects every company, in every sector. Many people (including employees) continue to reuse usernames and passwords across many sites. Is it time for employer policies that prohibit the employee’s use of off-duty passwords for corporate email accounts, and likewise, the use of workplace emails as secondary verification for personal accounts? A leap from a user’s personal Gmail account into their workplace account sets up a scenario for new levels of successful Whale Phishing.
“The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques with data that can’t be mimicked, such as passive biometrics. Email contains so much strategic information – it’s time to equip that ubiquitous yet critical application with the security it deserves.”