Google's Data on Login Thefts

This is interesting research and data:

With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data.

[...]

Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

The report.

Posted on November 13, 2017 at 6:11 AM • 23 Comments

Comments

me • November 13, 2017 6:36 AM

This means that I need a password manager:
I always avoided them because I think they can't protect me in case of a keylogger.
So I never saved a password (if it is not stored, you can't steal it).
In this way a keylogger could steal only a password that I type while the keylogger is present.
For example, if I am hacked today and the antivirus finds the keylogger tomorrow, only the passwords entered between today and tomorrow are compromised.
If I was using a password manager or saving the passwords, I would have to assume that ALL my passwords were compromised.

but...

From the number of data breaches, and from this research, which confirms my idea, I have to assume that it is easier to compromise a third party than my PC.
Also, having a different password for each important service (and the same weak one for all the other stuff) does not scale well.
Also, thanks to Qubes OS I can finally have a secure password manager.

RonK • November 13, 2017 6:57 AM

@me

> also thanks to Qubes OS i can finally have a secure password manager.

Personally, I think that if you are using Qubes OS you are enough of an outlier that applying the statistics of the article would be questionable.

Clive Robinson • November 13, 2017 7:26 AM

Password managers are a nice idea but it still leaves you with the "static password" issue.

One solution is "One time passwords" but they cause probs to service provider help desks...

Adamant • November 13, 2017 7:54 AM

Static passwords is an issue just like static keys to your home are an issue. Meaning, it isn't really that much of an issue. It is a much bigger issue to have the same key to multiple homes, just like having the same password for multiple accounts.

A bigger issue is having the same user name for multiple accounts. A password manager not only helps you manage different passwords, it helps you manage different user names. Another valuable tool is abine.com so you can use a different email address for every account.

Anders • November 13, 2017 8:16 AM

I never have used any password manager and never will.

I use passphrases. For each online service I think up some unique passphrase with white spaces that describes that service, in my own native language. Since those passphrases describe that service and there's a connection between service and passphrase, I never forget it.

Petre Peter • November 13, 2017 10:07 AM

Remember! It is not secure if i can memorize it. It can be considered compromised if i write it on paper. Biometrics cannot be easily changed. When combining "Something i know. Something i have. Something i am" i become The Temple of i and i. All i have to worry about afterwards is Shang Tsung.

David Rudling • November 13, 2017 5:01 PM

@Bruce
Thank you for highlighting a very interesting report. I have just finished reading through this 14-page document and admit I have only read it through once, but I failed to find the figure of 3.3 billion you mentioned. The figure of 1.9 billion occurred a couple of times, however, in essentially the same context. Are you sure about the 3.3 billion figure? Even so, whether 3.3 or 1.9 billion, the lesson is that third-party breaches accounted for almost all the incidents. The 0.788 million keylogger and the 12.4 million phishing breaches are completely dwarfed in comparison.

David Rudling • November 13, 2017 5:04 PM

@Bruce
I have just spotted that the 3.3 billion figure is quoted in the Google Blog but it appears not to be substantiated by the full report.

Alejandro • November 13, 2017 5:37 PM

It's becoming more clear to me every day government and corporations should NOT be allowed to store any personal information online, at all!

Find another way! Either keep it offline, which likely is sketchy, or completely delete it altogether when it's no longer necessary for a specific transaction.

Of course that will never happen.

Users need to work very hard at filling the beast with lies and fake data in order to confuse and blind it.

What if, for example, my real name was not....Alejandro Murieta?

Alexander • November 13, 2017 6:40 PM

@Anders
That only works if the system actually allows arbitrary-length passwords. While the number of systems that cap password length at 20 or 8 (crypt) characters is decreasing, there is always bcrypt, which caps at 72 chars.

Only a few years ago, I found an svn repository where the password was cropped to the first 8 characters. I found out because I typoed my password, but managed to commit anyway.

justina colmena • November 13, 2017 9:22 PM

easy lesson

vendors: store passwords salted and encrypted in databases

customers: use a separate password for each vendor
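Alexander's point that bcrypt reads only the first 72 bytes of a password, and justina colmena's lesson that vendors should store passwords salted, can be shown together in code. What follows is an added example, not code from the post or from any commenter. Because bcrypt itself is not in the Python standard library, the 72-byte cut-off is reproduced by a constructed stand-in hasher (`truncating_hash`, which is not bcrypt); the fix shown is to pre-hash the passphrase to a short base64 token so the limit can no longer discard part of it, and the storage format uses a per-user random salt under PBKDF2-HMAC-SHA256 (chosen because it ships with Python; the round count is an assumed demo value, and the `pbkdf2_sha256$...` record layout is this example's own).

```python
import base64
import hashlib
import hmac
import os

# bcrypt uses at most the first 72 bytes of the password; anything after is ignored.
BCRYPT_MAX_BYTES = 72
PBKDF2_ROUNDS = 200_000  # assumed demo value; tune to your own latency budget


def exceeds_bcrypt_limit(passphrase: str) -> bool:
    """True if the UTF-8 encoding of the passphrase is longer than bcrypt will read.
    Note the check is on bytes, not characters: non-ASCII passphrases hit the limit sooner."""
    return len(passphrase.encode("utf-8")) > BCRYPT_MAX_BYTES


def truncating_hash(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a hasher that silently drops bytes past 72.
    It is NOT bcrypt; it only reproduces bcrypt's truncation so the effect is visible."""
    return hashlib.sha256(salt + password[:BCRYPT_MAX_BYTES]).digest()


def prehash(passphrase: str) -> bytes:
    """Compress an arbitrary-length passphrase to a fixed-size token before the slow hash.
    base64 keeps the token free of NUL bytes (bcrypt treats NUL as a terminator) and,
    at 44 bytes, comfortably under the 72-byte limit."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return base64.b64encode(digest)


def hash_for_storage(passphrase: str) -> str:
    """Salted, iterated hash for the vendor's database. A fresh random salt per user
    means identical passwords at two vendors (or two users) never share a stored value."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prehash(passphrase), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify(stored: str, passphrase: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    try:
        scheme, rounds, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", prehash(passphrase), salt, int(rounds))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two passphrases identical in their first 72 bytes.
    a = "x" * 72 + "ending one"
    b = "x" * 72 + "ending two"
    salt = b"constructed-salt"
    print("exceeds bcrypt limit:", exceeds_bcrypt_limit(a))
    print("truncating hasher collides:",
          truncating_hash(a.encode(), salt) == truncating_hash(b.encode(), salt))
    print("with pre-hash collides:",
          truncating_hash(prehash(a), salt) == truncating_hash(prehash(b), salt))
    record = hash_for_storage(a)
    print("verify a:", verify(record, a), "verify b:", verify(record, b))
```

The collision on the stand-in hasher is the failure mode Alexander describes: the two passphrases are accepted as the same password, and the user who typed a long sentence gets only its first 72 bytes of protection. The pre-hash step is a normalization, not a replacement for the slow hash; the slow, salted step still has to follow it.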

mostly harmful • November 15, 2017 12:45 AM

@ Michael

From Pudd'nhead Wilson's Calendar (Mark Twain):

Behold, the fool saith, "Put not all thine eggs in the one basket." Which is but a manner of saying, "Scatter your money and your attention."

But the wise man saith, "Put all your eggs in the one basket, and WATCH THAT BASKET."

Edward Morbius • November 15, 2017 12:51 PM

The 3.3 billion credentials figure compares roughly to the total number of Google Android credentials. This used to be available as an infographic online, though it can also be imputed via the sitemap files for Google+ (a fact I used to ... some advantage ... in early 2015). You'll need to download about 25 GB of files to get the full count.

This suggests that at least by magnitude, any given credential is likely to be compromised.

I'd also like to see the correspondence of methods against a ranking of the accounts compromised by relative risk. E.g., is some random retiree in Yorkshire considered as relevant a risk as, oh say, John Podesta.

The latter's password was specifically phished, with intent and to specific ends.

Google is Crooks • November 15, 2017 5:32 PM

@fred

Yes, I find their solutions strangely suspicious. The underlying argument is that in order to protect one from phishing, Google needs even more of your personal data. They write, "For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking."

Well yes because device profiles allow Google to track one across multiple sites and geolocation data is part of their advertising matrix.

Now what about a Yubikey?

Oh well they can't sell that data...

kermit • November 15, 2017 9:02 PM

is google actually as "bad" as people who are "in the know" say they are?

wouldn't google have the best security around and be one of the best solutions for any type of cloud, especially for people who are traveling or need to keep secrets from others, e.g. competitors?

- even if they do get to see everything?

a lot of ios users are installing google apps or using them - does this mean android is better because only google can see - not apple + google?

TM • November 16, 2017 3:54 AM

If it's sensitive, use multi-factor. Relying on static passwords where it counts is nonsense, with or without password manager.

Google is Crooks • November 16, 2017 11:24 AM

@kermit

The issue isn't whether Google has good security, of course they do. The issue is whose interests does Google serve? They serve the interests of their shareholders who demand a monetary return on an investment. So Google's advanced security is a honeypot designed to lure users in with promises of safer data and then sell you out to advertisers, the FBI, and whoever else they can turn the data over to. So of course your data is safe with Google...but why would you trust Google to protect /your/ interests?

@Google is Krooks • November 22, 2017 11:30 AM

So what's the alternative? Protonmail? Gimme a break!

The Uber breach shows why G is the best we can hope for, or don't email at all, because the person you are emailing will use it or related services.

Surprised AWS is so open about its latest product though.

Mikey • November 24, 2017 6:17 AM

@Google is Krooks

- https://www.csoonline.com/article/3066841/internet/google-suffers-data-breach-via-benefits-provider.html

- https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

- https://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html

Irrespective of whether you like or dislike Google or whatever your views are, it's naive to think Google is the best hope for us all. Are Google good at security? Yes, very. Are Google infallible? Of course not. Do Google collect an obscene amount of data on users of their services, and on non-users in the case of Google Analytics etc.? Yes, incredibly so.

Do the permissions freely granted and required for the stock closed-source Google Apps on Android devices (not to mention the ones you also install via Google Play) make Apple look like saints by comparison? In my eyes, yes. Do I own either? No.

I also think this is a very interesting read on Google - https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e

But I give zero credence to the idea that giving MORE details to Google is the solution to help stop login thefts. A hardware key along the lines of YubiKey with a long passcode seems the way forward to me. It works well for Ledger Nano and Trezor and others for hardware crypto wallets.

In reply to "So what's the alternative? Protonmail? Gimme a break!" - do you want to substantiate that a bit more? To replace Gmail I don't see why not, especially now with their beta integration into Thunderbird or Outlook desktop.
