Skip to Content
Security & privacy

Is your username and password for sale on the Black Market?

With all the high-profile data breaches and malware threats that put us at risk every day, have you ever thought about how much of our personal information is really floating around out there?

Have you ever wondered that with all the wealth of personal data being peddled and sold in black markets and the Dark Web, are online users constantly at risk of account takeovers and hijackings?

In an effort to understand and analyze how cybercriminals operate to steal our information to take over our accounts, one tech giant sought to find out how vulnerable we really are.

Billions of usernames and passwords at risk

New findings by Google and the University of California Berkeley revealed that anyone who has an email account is still highly vulnerable to three forms of attacks – phishing, keyloggers and third-party breaches.

The research analyzed how cybercriminals in underground markets steal, use and monetize stolen user information such as usernames and passwords.

By checking black market activity from March 2016 to March 2017, the team aimed to find out how the wide availability of keyloggers, phishing kits, and information from data breaches can be used to steal online identities.

During that period, the research team tracked several black markets that sold stolen credentials from data breaches plus 25,000 blackhat hacking tools used for keylogging and phishing.

Their results are truly alarming. According to Google’s security blog, these sources helped them identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen through phishing and a whopping 3.3 billion credentials pilfered via third-party data breaches.

It affects all online services

Although the researchers sought to analyze the impact of this data on Google services, they said that these credential stealing tactics can be used across all account-based online services.

Why? First, there’s a problem with password reuse. The study actually found that 12 percent of the exposed data included a Gmail address as a username and password and amazingly, 7 percent of these passwords were valid due to credential reuse.

The team also revealed that phishing attempts and keylogging malware frequently target Google accounts with 12 to 25 percent of such attacks successfully yielding a valid password.

However, with the popularity of multi-level authentication, a stolen password is often no longer enough to take over an account.

For this reason, cybercriminals are now aiming to collect other sensitive data that can verify a user’s identity. They found that 82 percent of the phishing tools and 74 percent of keyloggers also attempted to collect various information such as a user’s IP address and location. An additional 18 percent of the tools collected phone numbers and the make and model of the device used.

Based on relative risk to users, Google ranked phishing as the greatest threat, followed by keylogging and finally, third-party data breaches.

Defenses need to evolve

Based on these findings, Google stated that it is already using the data for its existing account protections and the study is a reminder that it must continuously evolve its defenses to protect its users.

The company stated that systems such as Safe Browsing and its new Advanced Protection program help them prevent attacks before they affect their users.

All login attempts to a Google account are also closely monitored for suspicious activity via dynamic verification challenges. When there is a sign-in attempt from a new device or location, Google requires more information before granting access to an account.

For added protection, Google also stated that they regularly scan their suite of products for any suspicious activities. If detected, they immediately lock down the affected accounts to prevent further damage.

How to protect yourself

If you want to check if your information has been stolen in a prior breach, you can enter your email address at HaveIBeenPwned. This site monitors hacker sites and collects new data every five to 10 minutes about the latest hacks and exposures.

Since phishing is still the number one data theft risk, you should be extra vigilant with all the email messages you receive. If you get an email or notification from a site that you find suspicious, never click, follow nor open its links and attachments. Take our phishing IQ test to see if you can spot a fake email.

Also, never reuse the same password across multiple online accounts. Many people use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you’re using the same credentials on multiple sites, change them immediately to make them unique.

Watch out for social engineering scams too. Unsuspecting people are mistakenly handing over sensitive information to scammers all too often. If you receive an unsolicited email, do not reply with personal information. You don’t want it to fall into the hands of criminals.

Finally, when available, you should be always be using multi-level authentication. This kind of authentication means that to log in to your account, you need other ways to prove you are who you say you are. This should give you another layer of protection in the event that your password gets compromised. Click here to learn how to set up two-factor authentication. 

To read the whole research paper, click here.

To read Google’s security blog, check its official security blog.

Fast-spreading malware clever disguise is duping millions

Speaking of massive phishing attacks, a new scam is making the rounds and watch out, the scammer impersonates someone you know. Click here to read more about this latest phishing scam.

Komando Community background

Join the Komando Community

Get even more know-how in the Komando Community! Here, you can enjoy The Kim Komando Show on your schedule, read Kim's eBooks for free, ask your tech questions in the Forum — and so much more.

Try it for 30 days