Google: 1.5% of all login attempts use compromised passwords

Report says popular sites like Netflix and a number of government portals are at risk of 'credential stuffing'

Figures from Google's recently released Password Checkup extension have revealed 1.5% of sign-in attempts are being made using details that have been compromised in data breaches.

Despite being regularly notified that their details have been leaked to hackers, a large proportion of users fail to change their passwords or deactivate accounts, according to the data.

Only 26% of users with compromised details changed their passwords after being notified by the extension, and just 60% of these changes were actually secure against brute force guessing.

The extension constantly monitors a user's login attempts and scans them against a database of 4 billion usernames and passwords known to have been involved in third-party data breaches.

Around 650,000 users participated in the experiment which saw 21 million login attempts scanned and analysed. Google said 316,000 of these logins used unsafe credentials, equating to roughly 1.5% of all attempts.

"Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach," said Google. "If you use strong, unique passwords for all your accounts, this risk disappears."

Using anonymous telemetry gathered from the extension, Google was able to determine the relative credential stuffing risk to the type of website used.

For example, the highest risk of successful credential stuffing attacks using compromised login details would be on popular entertainment sites such as Netflix, while the likes of government online portals and online banking platforms, although at a much lower risk, were still vulnerable to these types of attacks.

Credential stuffing is a crude method attackers use to break into people's accounts which involves taking stolen login details and spamming different sites with these details, often using automated programs, in the hope of gaining access to more potentially sensitive data.

It differs from brute force attacks which involve trying to guess passwords or other details in multiple login attempts on a string of sites.

Until now, the extension hasn't afforded users the right to opt-out of having their anonymised telemetry sent back to the company, however, Google has since made this an option.

"By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information," said Google.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020
Ransomwiz lets you test your security with simulated ransomware
ransomware

Ransomwiz lets you test your security with simulated ransomware

21 Sep 2020

Most Popular

Unilever adopts Google Cloud’s complex data processing for conservation drive
big data analytics

Unilever adopts Google Cloud’s complex data processing for conservation drive

22 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020