Billions of stolen user names and passwords are available on black market forums.
Using internal Google data, researchers found between 7% and 25% of these stolen passwords would work on a Google search or Gmail account.
Gmail, Yahoo, and Hotmail users make up 50% of the victims of stolen passwords in the study — even though the passwords were stolen from different services such as MySpace or LinkedIn.
There are hundreds of millions of usernames and passwords traded on black markets that can be used to access Google accounts, write Google and Berkeley researchers in a major new paper.
The study, published over the weekend, uses Google's own, carefully controlled internal "proprietary data" as a case-study to see whether the hacked passwords and other accounts traded on hacker forums and the dark web actually work on real accounts.
It turns out, the researchers write, that as many as 25% of exposed passwords from data breaches traded on black market forums could be used to take control of a Google account.
Google ResearchFrom the report:
"Through a combination of password re-use across thousands of online services and targeted collection, we estimated 7–25% of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust."
There are over 1.9 billion usernames and passwords on "black market" forums, write the researchers.
Basically, what this means, is because lots of people used the same password for their, say, MySpace account and their Google account, then when MySpace's database was breached, hackers could simply try all the breached passwords on Google, hoping that some would work.
MySpace isn't the only big site that's seen its database of usernames and associated password data breached.
This problem with password reuse has resulted in some of the most high-profile "hacks" in recent years. For example, Facebook CEO Mark Zuckerberg used the same password — "dadada" — for his Twitter and Pinterest accounts, which were briefly taken over in 2016 by hackers calling themselves the OurMine team.
OurMine, reportedly using stolen passwords, also targeted Google CEO Sundar Pichai, actor Channing Tatum, and Amazon CTO Werner Vogels.
Google ResearchThe researchers also looked at the specific pieces of malware used for phishing and for secretly recording what a user types.
Phishing tools are used to include links in fake emails that display websites that look the same as Yahoo, or Hotmail, so an unsuspecting users simply type their passwords into the sketchy site. There are 12.4 million potential victims of these kits, write the researchers.
There are also thousands of different "keyloggers," which run on a victim's computer and sends information back to an attacker, according to the report. These keyloggers have names like "HawkEye" or "Cyborg Logger."
It turns out, though there are lots of developers selling and distributing this kind of malware, there really haven't been any updates to how the core technology works in years.
"Compared to the capabilities of keyloggers and phishing kits dating back to the mid-2000s. we observe a marked lack of pressure on blackhat developers to evolve their core technologies," the researchers write.
"Phishing kits reported nearly a decade ago still rely on the same PHP skeleton and approach for reporting stolen credentials," it continued.
What you can do
Google ResearchThe researchers say there are a few easy steps companies like Google and users can take to protect themselves.
The researchers recommend two-factor authentication, which means that when logging in, a user would need a special security key or to type in a code sent through a text message to gain full access to an account.
The researchers also recommend using a password manager, which creates a new random password for each site — so if one site is breached, then hackers don't have access to your other accounts, especially your email.
Another easy thing to do is to not use an insecure password, especially one of the most commonly used passwords like "123456" or "abc123," especially if you're one of the Americans who are four times more worried about getting hacked than murdered.
"For all Google users in our dataset, we re-secure all accounts via a forced password reset in the event their real credentials were exposed," the researchers noted.
Companies such as Google should consider encouraging its users to follow these practices too, the researchers write. The whole report is available from Google.