Google: 1.5% of all login attempts use compromised passwords

Report says popular sites like Netflix and a number of government portals are at risk of 'credential stuffing'

Figures from Google's recently released Password Checkup extension have revealed 1.5% of sign-in attempts are being made using details that have been compromised in data breaches.

Despite being regularly notified that their details have been leaked to hackers, a large proportion of users fail to change their passwords or deactivate accounts, according to the data.

Only 26% of users with compromised details changed their passwords after being notified by the extension, and just 60% of these changes were actually secure against brute force guessing.

The extension constantly monitors a user's login attempts and scans them against a database of 4 billion usernames and passwords known to have been involved in third-party data breaches.

Around 650,000 users participated in the experiment which saw 21 million login attempts scanned and analysed. Google said 316,000 of these logins used unsafe credentials, equating to roughly 1.5% of all attempts.

Advertisement - Article continues below
Advertisement - Article continues below

"Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach," said Google. "If you use strong, unique passwords for all your accounts, this risk disappears."

Using anonymous telemetry gathered from the extension, Google was able to determine the relative credential stuffing risk to the type of website used.

For example, the highest risk of successful credential stuffing attacks using compromised login details would be on popular entertainment sites such as Netflix, while the likes of government online portals and online banking platforms, although at a much lower risk, were still vulnerable to these types of attacks.

Credential stuffing is a crude method attackers use to break into people's accounts which involves taking stolen login details and spamming different sites with these details, often using automated programs, in the hope of gaining access to more potentially sensitive data.

It differs from brute force attacks which involve trying to guess passwords or other details in multiple login attempts on a string of sites.

Advertisement - Article continues below

Until now, the extension hasn't afforded users the right to opt-out of having their anonymised telemetry sent back to the company, however, Google has since made this an option.

"By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information," said Google.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020