Google Says Hackers Steal Almost 250,000 Logins Each Week (cnn.com)
Google is digging into the dark corners of the web to better secure people's accounts. From a report: For one year, Google researchers investigated the different ways hackers steal personal information and take over Google accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday. Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources. Google said it is the first study taking a long-term and comprehensive look at how criminals steal your data, and which tools are most popular. [...] Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example, on average the phishing tools Google studied collected 234,887 potentially valid login credentials each week, and the keylogging tools collected 14,879.
Mod Parent Moron! (Score:1)
"Rusty" is not a unit of measurement. I suggest that you repeat preschool!
units (Score:1)
>"Rusty" is not a unit of measurement
In Soviet USA anything can be a unit of measurement
Except international standards like metre
BTW I also don't have an account with Google
Re: (Score:2)
I also don't have an account with Google
And I never signed up for Equifax, so I guess we're both good. Is it still called an "account" if it was created without your consent?
Always use a commercial VPN (Score:1)
It is good security practice to always use a commercial (paid) VPN at all times, but especially when using public wifi to prevent incidents like that.
Private Internet Access, ExpressVPN and NordVPN are all industry leaders with great prices, easy to use and outstanding privacy policies.
Also use a password manager like KeePassX or LastPass so you can easily have unique, secure passwords for every login. And always enable Two Factor Authentication.
Account Service Aside (Score:1)
These types of attacks will keep working partially based on Social Engineering as well as an already compromised system, such as a key logger.
Only a matter of time... (Score:3)
...until they offer us the solution of total account security through total surveillance. They can then assure us that no one is using our accounts besides ourselves and every single paying Google customer, any one of whom can watch our individual surveillance feeds for a fee.
Ironic that this is preventable... (Score:5, Insightful)
Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised that more people are not enabling it. That way, a revealed password isn't the end of the world, although stealing auth tokens can still be a valid attack, but that is a lot harder to do than a passive keylogger.
Enabling?!?! (Score:2)
>Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised that more people are not enabling it. That way, a revealed password isn't the end of the world, although stealing auth tokens can still be a valid attack, but that is a lot harder to do than a passive keylogger.
If it's that good then why isn't it on by default?
Seriously, what the fuck is wrong with technology firms? They sell these consumer electronics items and leave them wide open?
What a bunch of morons - THEY are the morons!
And if "hackers" can break into Google, I guess those Google "engineers" aren't such hot shits after all.
No need for 2FA (Score:2)
Just do not send passwords in the clear to the server. Kill phishing, which is the main issue. Use a nonce-based hashing scheme instead.
TLS is almost worthless because it relies on the user to validate the URLs. Might as well not use it at all.
And the Secure Remote Password (SRP) algorithm has been around for a long, long time. It avoids offline John-the-ripper attacks.
The idea is that users only type in passwords in an area of the browser like the URL line which JavaScript cannot access.
Problem solved. On
Re: (Score:1)
Because it's an email account, the chances it will be compromised are pretty low, but if the worst happens, I'll make a new account and call it a day.
Enabling any 2FA just causes more hoops to jump through and is a constant annoyance.
Sort of the same thing with my credit card website: sure, I could enable 2FA and be annoyed every time I want to check charges, or I could just use a slightly complex password and, if anything fishy happens, dispute the charges.
Using 2FA has a constant overhead of annoyance
Re: (Score:1)
Most accounts rely on your email account for any sort of password reset procedures, so if it is compromised it is much more likely your other accounts will end up compromised as well.
The barriers to use are low. You do not usually use it every time you go to the site; generally you use it the first time you log in from a new device or browser, or maybe once a month. If you have an Android device it can be set as a popup that you hit yes to. If you're using a time-based authenticator, you can configure Lastp
No TOTP w/o expensive, insecure SMS (Score:2)
>I'm surprised that more people are not enabling it.
It's in part because these providers insist on using SMS as the preferred second factor despite its disadvantages compared to U2F or TOTP. SMS has two problems:
Re: (Score:3)
SMS has a big bonus though - it almost always goes to a device exclusively linked to you that you willingly carry around with you almost all the time.
In the game of social network data mining, giving someone your cell number and confirming the connection via SMS is like handing over your government ID while letting them scan your face, fingerprints, iris, retina, voice patterns, and gait.
It is easy to get rid of Phishing (Score:2)
Just do not send the plain text password to the server. Use a nonce-based hashing scheme instead.
TLS is almost worthless because it relies on the user to validate the URLs. Might as well not use it at all.
And the Secure Remote Password (SRP) algorithm has been around for a long, long time. It avoids offline John-the-ripper attacks.
The idea is that users only type in passwords in an area of the browser like the URL line which JavaScript cannot access.
Problem solved. Once and for all.
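Both "No need for 2FA" above and this post describe a nonce-based challenge-response login in which the password never leaves the browser. The following is an added example, not code from the original thread and not SRP: a minimal Python sketch of that exchange with both sides' messages. The server stores a PBKDF2-derived key rather than the password, issues a one-shot nonce, and checks an HMAC over it. The `origin` input and the `bind_origin` switch are this example's assumptions; they model the poster's point that a browser-controlled field knows which site it is really connected to, and `relayed_login` models a phishing site that fetches a real nonce and forwards the victim's answer.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed value for the demo; tune for the real server


def derive_key(password: str, salt: bytes) -> bytes:
    """Client-side password stretching. The server stores only this key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def compute_response(key: bytes, nonce: bytes, username: str, origin: str) -> bytes:
    """HMAC over the server nonce, the user name and the origin the client believes
    it is talking to. An empty origin models the plain nonce scheme from the posts."""
    msg = b"|".join([nonce, username.encode(), origin.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """Hypothetical login server for the demo (not any real site's code)."""

    def __init__(self, origin: str, bind_origin: bool = True):
        self.origin = origin
        self.bind_origin = bind_origin
        self.users = {}    # username -> (salt, stored key)
        self.pending = {}  # username -> outstanding nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Message 1 (server -> client): salt and a fresh nonce."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Message 2 (client -> server) is checked once; the nonce is then discarded."""
        salt, key = self.users[username]
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        origin = self.origin if self.bind_origin else ""
        expected = compute_response(key, nonce, username, origin)
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes, username: str,
                    origin: str, bind_origin: bool = True) -> bytes:
    """What the browser computes from a field page JavaScript cannot read;
    `origin` is the site the browser is actually connected to."""
    key = derive_key(password, salt)
    return compute_response(key, nonce, username, origin if bind_origin else "")


def honest_login(server: Server, username: str, password: str) -> bool:
    salt, nonce = server.challenge(username)
    resp = client_response(password, salt, nonce, username, server.origin, server.bind_origin)
    return server.verify(username, resp)


def relayed_login(server: Server, phisher_origin: str, username: str, password: str) -> bool:
    """A phishing site obtains a real challenge, shows the victim its own login page
    (so the browser's origin is the phisher's), and forwards the victim's response."""
    salt, nonce = server.challenge(username)
    resp = client_response(password, salt, nonce, username, phisher_origin, server.bind_origin)
    return server.verify(username, resp)
```

With `bind_origin=False` the relay succeeds: a nonce on its own only stops passive replay of an old transcript. With the origin inside the MAC, the real server rejects the forwarded response, which is the ingredient that actually addresses phishing. Two caveats a reviewer would raise: the stored key is password-equivalent (a database leak lets the thief answer challenges directly), and a captured transcript still allows offline guessing against PBKDF2, which is why the iteration count matters. SRP differs from this sketch on both points, and is a separate protocol not shown here.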
Unfortunately, neithe
What the article doesn't tell you (Score:2)