The folks at Google teamed up with Carnegie Mellon to undertake an extensive study on how accounts get compromised.

By searching the dark web, they identified some troubling figures:

  • 788,000 potential victims of off-the-shelf keyloggers
  • 4 million potential victims of phishing kits
  • 9 billion usernames and passwords exposed via data breaches and traded on black-market forums
  • 3 billion credentials stolen by third-party breaches

Read the study reports here and here.

Stolen passwords

Some people just don’t learn.  Of the stolen passwords, 12% included a Gmail address that was used for both the user name and password.  It’s kind of hard to defend “Bill1234” when his password is also “Bill1234.”
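Screening new passwords against the account's own identifier and against a list of known-breached passwords is the defender's answer to both of the problems the paragraph above describes. The following is an added illustration, not code from the study or from this post; the breached-password set and the sample accounts are constructed for the example, and the helper names are my own.

```python
"""Credential screening at password-set time: reject a password that reuses
the account identifier (username or e-mail local part) or that appears in a
known-breached list.

Added example; the breached list below is a constructed stand-in for the
billions of leaked credentials the study describes, not real data.
"""
import re

# Constructed sample of leaked passwords (lowercased, non-alphanumerics stripped).
BREACHED_PASSWORDS = {"password", "123456", "bill1234", "qwerty"}


def _normalize(s):
    """Lowercase and drop punctuation so 'Bill-1234!' and 'bill1234' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def identifier_tokens(username, email=None):
    """Pieces of the account identity a password must not contain.

    Includes the full username, the full e-mail local part, and each segment
    of the local part split on . _ - + (so 'bill.smith' yields 'bill', 'smith').
    Tokens shorter than three characters are dropped to avoid false positives.
    """
    tokens = {_normalize(username)}
    if email and "@" in email:
        local = email.split("@", 1)[0]
        tokens.add(_normalize(local))
        tokens.update(_normalize(p) for p in re.split(r"[._\-+]", local))
    return {t for t in tokens if len(t) >= 3}


def screen_password(username, password, email=None):
    """Return the list of reasons the password is rejected; [] means it passes."""
    reasons = []
    norm = _normalize(password)
    if norm in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    # Sorted iteration makes the reported token deterministic.
    for tok in sorted(identifier_tokens(username, email)):
        if tok in norm:
            reasons.append(f"contains account identifier '{tok}'")
            break
    return reasons


if __name__ == "__main__":
    # The case from the post: username, e-mail and password all 'Bill1234'.
    print(screen_password("Bill1234", "Bill1234", "bill1234@gmail.com"))
    print(screen_password("alice", "correct horse battery staple"))
```

The normalisation step matters: attackers who build credential lists already fold case and punctuation, so a screen that compares raw strings would wave through "Bill-1234!" for user "bill1234". A production deployment would replace the in-memory set with a k-anonymity lookup against a breached-password service and log rejections for the security team, but the decision logic is the same.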

Phishing schemes and keyloggers were also identified as primary sources of stolen passwords.  By Google’s estimate, between 12% and 25% of attacks snagged a valid password.  82% of phishing tools and 74% of keyloggers also tried to grab IP address and location data, and nearly 20% tried to get phone numbers and device data.

Eroding Trust

64% of Americans say they have personally experienced a data breach, according to Pew Research.  No doubt stories like the 1 billion Yahoo accounts hacked, the Equifax breach that exposed the data of 145 million people, or Wells Fargo leaking 50,000 client records don’t help public trust.
