Google: 1.5% of all login attempts use compromised passwords

Report says popular sites like Netflix and a number of government portals are at risk of 'credential stuffing'

Figures from Google's recently released Password Checkup extension have revealed 1.5% of sign-in attempts are being made using details that have been compromised in data breaches.

Despite being regularly notified that their details have been leaked to hackers, a large proportion of users fail to change their passwords or deactivate accounts, according to the data.

Advertisement - Article continues below

Only 26% of users with compromised details changed their passwords after being notified by the extension, and just 60% of these changes were actually secure against brute force guessing.

The extension constantly monitors a user's login attempts and scans them against a database of 4 billion usernames and passwords known to have been involved in third-party data breaches.

Around 650,000 users participated in the experiment which saw 21 million login attempts scanned and analysed. Google said 316,000 of these logins used unsafe credentials, equating to roughly 1.5% of all attempts.

"Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach," said Google. "If you use strong, unique passwords for all your accounts, this risk disappears."

Using anonymous telemetry gathered from the extension, Google was able to determine the relative credential stuffing risk to the type of website used.

Advertisement - Article continues below

For example, the highest risk of successful credential stuffing attacks using compromised login details would be on popular entertainment sites such as Netflix, while the likes of government online portals and online banking platforms, although at a much lower risk, were still vulnerable to these types of attacks.

Advertisement - Article continues below

Credential stuffing is a crude method attackers use to break into people's accounts which involves taking stolen login details and spamming different sites with these details, often using automated programs, in the hope of gaining access to more potentially sensitive data.

It differs from brute force attacks which involve trying to guess passwords or other details in multiple login attempts on a string of sites.

Until now, the extension hasn't afforded users the right to opt-out of having their anonymised telemetry sent back to the company, however, Google has since made this an option.

"By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information," said Google.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020