Google warns regarding credential stuffing attacks

Google warns 1.5% of all passwords used across the web are vulnerable to credential stuffing attacks.

  • The study revealed that out of 21M credentials scanned using the Password Checkup extension, approximately 1.5% (316,000 credentials) were already compromised in data breaches.
  • The study also determined that only 26% of the users who were notified about compromised passwords reset them, and only 60% of the new passwords are secure against credential stuffing attacks.

According to a recent study by Google, 1.5% of all login credentials have been compromised in data breaches and may also be vulnerable to credential stuffing attacks.

More details

Google conducted the study based on information collected from users of its Password Checkup extension for Chrome. Password Checkup checks login credentials against a database containing over 4B records.

Statistics collected during one month, February 5–March 4, 2019, revealed that data breaches had compromised approximately 1.5% (316k credentials) of 21M credentials.

These statistics show that only 26% of the users who were notified about compromised passwords reset them. Only 60% of the new passwords are secure against credential stuffing attacks.

“Nearly 670,000 users from around the world installed our extension over a period of February 5–March 4, 2019. In over 21 million logins, 1.5% of logins were detected as vulnerable. That is due to relying on a breached credential—or one warning for every two users,” researchers said in the research paper.

In the first month of operation, almost 670,000 people participated in the service, logging in 21 million times. Of those logins, 1.5% involved breached credentials, the research found.

Report says…

People reused breached credentials on over 746,000 distinct domains, Google said. Video streaming and adult websites were most at risk of hijacking. Up to 6.3% of logins at those sites relied on breached credentials. Comparatively, only 0.3% of logins involved breached passwords at financial sites, and only 0.2% at government sites, the company said in a blog post yesterday. This could be because those sites had stricter password requirements. Unless your dog’s name happened to be “hs#s8d77sD^a”, you couldn’t use it as your password, said the report.

The research found that users took steps to reset one in four (26%) of the unsafe passwords flagged by the Password Checkup extension. Of the new passwords, 94% were as strong as or stronger than the originals, and an encouraging 60% were strong enough to be secure against brute-force dictionary attacks, in which it would take an attacker over 100 million guesses to identify the new password.

Worth noting

The research determined that users have often reused compromised passwords, mostly on entertainment (6.3%), shopping (1.2%), news (1.9%), email (0.5%), finance (0.3%), and government (0.2%) websites.
