A study of dark web markets by Google has found millions of usernames and passwords that were stolen directly through attacks, and billions of usernames and passwords indirectly exposed in third-party data breaches.
The research, conducted between March 2016 and March 2017 in partnership with the University of California at Berkeley, involved creating an automated system to scan public websites and criminal forums for stolen credentials.
The researchers identified 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing and 3.3 billion credentials exposed by third-party breaches. Also, in the case of the third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password.
Also, as account reset often requires a third factor like a phone, 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.
Google said that the research has enabled it to apply security protections to prevent 67 million Google accounts from being abused.
Lisa Baergen, director at
“The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques data that can’t be mimicked, such as passive biometrics. Email contains so much strategic information – it’s time to equip that ubiquitous yet critical application with the security it deserves.”