From passwords to PII, Google account information readily available on black market
If you reuse your passwords across accounts, this one is for you. Around 12% of the records exposed in third-party data breaches include a Gmail address used as a username together with a password, and 7% of those passwords were still valid for the matching Gmail account because of reuse, according to Google's research into account takeover and the hijacker black market.
Google accounts were heavily targeted by phishing and keylogger campaigns from March 2016 to March 2017, and 12-25% of those attacks yielded a valid password. Phishing posed the greatest threat to users, followed by keyloggers and third-party breaches.
As platform providers tighten the checks that gate access to an account, attackers are no longer collecting only passwords. More than 80% of blackhat phishing kits and close to three-quarters of keyloggers also attempted to collect the victim's IP address and location, and close to 20% of the tools collected a phone number and the device make and model, details that let a hijacker mimic the victim when a risk-based login challenge asks about an unfamiliar location or device.
Email is still the backbone of business communication, so email security belongs at the top of security teams' priorities. Just ask Deloitte how much damage a compromise of employee and client email can cause, especially when the intruder gets in through a login protected by a single password and no second factor, a weakness that is straightforward to fix.
Increasingly sophisticated attacks and attackers make it hard for platform providers to keep up with best practice. Google used its research findings to secure 67 million accounts from abuse, and in October it launched the Advanced Protection Program, a hardened login mode for Gmail users most likely to face targeted, personalized attacks.
Email providers can encrypt data and harden their platforms, but ultimately the security of a platform is only as strong as its weakest user, and human error has shown time and again how susceptible users are to phishing, ransomware and other targeted attacks.
Bill Burr, author of the 2003 NIST guidance that shaped modern password policies, recently said the rules he wrote do not actually protect users, and the National Institute of Standards and Technology has since revised its guidelines (SP 800-63B) to drop arbitrary character-composition rules and periodic reset requirements in favor of length and screening against lists of known-compromised passwords.
There may be no perfect password, but users should recognize that some of the onus falls on them. Among the 10 most common passwords in the plaintext leaks Google examined were "123456," "password," "qwerty," "abc123," "password1" and "123456789."
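The following is an added example, not code from the article or from Google's research, showing what the revised NIST guidance looks like in practice next to a 2003-style composition rule: the leaked-password list is constructed here from the six passwords quoted above plus three assumed extras, and the case folding, the NFKC normalization step and the username check are this example's own choices.

```python
"""Password screening in the style of the revised NIST SP 800-63B guidance,
beside a 2003-style composition rule, to show why the two disagree.
Added example: not code from the article or from Google's research."""
import re
import unicodedata

# Constructed blocklist: the six leaked passwords the article names plus three
# assumed extras. A real deployment would load a full breach corpus instead.
LEAKED_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "abc123", "password1", "123456789",
    "letmein", "welcome", "iloveyou",  # assumed, not from the article
})

MIN_LENGTH = 8      # 800-63B minimum for user-chosen secrets
MAX_LENGTH = 256    # assumption: a generous cap; 800-63B says accept at least 64


def legacy_check(pw: str) -> bool:
    """2003-style rule: at least 8 characters with upper, lower and digit.
    Says nothing about whether the password has already leaked."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def nist_check(pw: str, username: str = "",
               blocklist: frozenset = LEAKED_PASSWORDS) -> tuple:
    """Return (accepted, reason). Enforces length only, then screens the
    candidate against leaked passwords and context-specific words, with no
    composition rules and no expiry. Case folding the candidate before the
    blocklist lookup is this example's choice, so that 'Password1' is
    treated as the leaked 'password1' with a capital letter bolted on."""
    pw = unicodedata.normalize("NFKC", pw)   # 800-63B: normalize Unicode before checks
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    folded = pw.casefold()
    if folded in blocklist:
        return False, "appears in leaked-password list"
    # Context-specific check: reject passwords built around the account name
    # (assumed username format is an email address; the local part is used).
    local_part = username.split("@")[0].casefold()
    if len(local_part) >= 3 and local_part in folded:
        return False, "contains the account name"
    return True, "ok"


def compare(pw: str, username: str = "") -> dict:
    """Run both policies on one candidate so the disagreement is visible."""
    accepted, reason = nist_check(pw, username)
    return {"legacy": legacy_check(pw), "nist": accepted, "reason": reason}


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple",
                      "jdoe-2016-secret", "qwerty"):
        print(candidate, compare(candidate, "jdoe@gmail.com"))
```

The point of running both policies side by side is that they disagree on exactly the cases that matter: the composition rule accepts "Password1", a trivial variant of a password that is in the leaked set, and rejects a long passphrase that contains no digit or capital, while the screening approach does the reverse.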
Multifactor authentication can reinforce access points, and the Social Security Administration and Department of Veterans Affairs have both found success with this simple measure. However, as multifactor authentication slowly expands to include biometrics, users and providers will have to face a coming battle over how much personal information is too much to surrender for the sake of a secure login.
Source: Google Security Blog, "New research: Understanding the root cause of account takeover"
Follow Alex Hickey on Twitter