Google: 1.5% of all login attempts use compromised passwords

Report says popular sites like Netflix and a number of government portals are at risk of 'credential stuffing'

Figures from Google's recently released Password Checkup extension have revealed 1.5% of sign-in attempts are being made using details that have been compromised in data breaches.

Despite being regularly notified that their details have been leaked to hackers, a large proportion of users fail to change their passwords or deactivate accounts, according to the data.

Only 26% of users with compromised details changed their passwords after being notified by the extension, and just 60% of these changes were actually secure against brute force guessing.

The extension constantly monitors a user's login attempts and scans them against a database of 4 billion usernames and passwords known to have been involved in third-party data breaches.

Around 650,000 users participated in the experiment which saw 21 million login attempts scanned and analysed. Google said 316,000 of these logins used unsafe credentials, equating to roughly 1.5% of all attempts.

"Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach," said Google. "If you use strong, unique passwords for all your accounts, this risk disappears."

Using anonymous telemetry gathered from the extension, Google was able to determine the relative credential stuffing risk to the type of website used.

For example, the highest risk of successful credential stuffing attacks using compromised login details would be on popular entertainment sites such as Netflix, while the likes of government online portals and online banking platforms, although at a much lower risk, were still vulnerable to these types of attacks.

Credential stuffing is a crude method attackers use to break into people's accounts which involves taking stolen login details and spamming different sites with these details, often using automated programs, in the hope of gaining access to more potentially sensitive data.

It differs from brute force attacks which involve trying to guess passwords or other details in multiple login attempts on a string of sites.

Until now, the extension hasn't afforded users the right to opt-out of having their anonymised telemetry sent back to the company, however, Google has since made this an option.

"By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information," said Google.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

What are biometrics?
Security

What are biometrics?

27 Nov 2020
Black Friday's best antivirus deals
Security

Black Friday's best antivirus deals

27 Nov 2020
Veritas Access Appliance with IBM Spectrum® Protect
Server & storage

Veritas Access Appliance with IBM Spectrum® Protect

27 Nov 2020
Ransomware protection with Veritas NetBackup Appliances
Security

Ransomware protection with Veritas NetBackup Appliances

27 Nov 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020