Slashdot Mirror


Google Says Hackers Steal Almost 250,000 Logins Each Week (cnn.com)

Google is digging into the dark corners of the web to better secure people's accounts. From a report: For one year, Google researchers investigated the different ways hackers steal personal information and take over Google accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday. Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources. Google said it is the first study taking a long-term and comprehensive look at how criminals steal your data, and what tools are most popular. [...] Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example, on average the phishing tools Google studied collected 234,887 potentially valid login credentials each week, and the keylogging tools collected 14,879 credentials each week.

33 comments

  1. Gmail account hijacked in a hotel in Amsterdam by Anonymous Coward · · Score: 0

    Networks matter.

  2. Account Service Aside by Anonymous Coward · · Score: 1

    These types of attacks will keep working partially based on Social Engineering as well as an already compromised system, such as a key logger.

  3. Only a matter of time... by uCallHimDrJ0NES · · Score: 2

    ...until they offer us the solution of total account security through total surveillance. They can then assure us that no one is using our accounts besides ourselves and every single paying Google customer, any one of whom can watch our individual surveillance feeds for a fee.

    --
    Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.

    1. Re:Only a matter of time... by Anonymous Coward · · Score: 0

      Amen brother!

  4. Mod Parent Moron! by Anonymous Coward · · Score: 1

    "Rusty" is not a unit of measurement. I suggest that you repeat preschool!

  5. Ironic that this is preventable... by ctilsie242 · · Score: 4, Insightful

    Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised why more people are not enabling authentication. That way, a revealed password isn't the end of the world, although stealing auth tokens can be still a valid attack, but that is a lot harder to do than a passive keylogger.

    1. Re:Ironic that this is preventable... by Anonymous Coward · · Score: 1

      Because it's an email account, the chances it will be compromised are pretty low, but if the worst happens, I'll make a new account and call it a day.

      Enabling any 2FA just causes more hoops to jump through and is a constant annoyance.

      Sort of the same thing with my credit card website, sure I could enable 2FA and be annoyed every time I want to check charges. OR I could just use a slightly complex password, and if anything fishy happens dispute the charges.

      Using 2FA has a constant overhead of annoyance and requires that I have the second-factor device handy.

      Using a mildly complex password has no overhead and worst-case I have to make a phone call.

    2. Re:Ironic that this is preventable... by Anonymous Coward · · Score: 1

      Most accounts rely on your email account for any sort of password reset procedures, so if it is compromised it is much more likely your other accounts will end up compromised as well.

      The barriers to use are low. You do not usually use it every time you go to the site, generally you use it the first time you log in from a new device or browser, or maybe once a month. If you have an Android device it can be set as a popup that you hit yes to. If you're using a time based authenticator, you can configure Lastpass to send you a push notification that pops up on your phone in a similar way.

  6. This is fake news by Idisagree · · Score: 0

    Summary doesn't link to any proper citation that hackers are actually stealing 250k logins per week.

    All I see is a hyperbolic CNN article and separately a google ad.

    Sad!

  7. Re:hackers did it! with hacks! while hacking! by msmash (Top Editor) · · Score: 3, Funny

    Quit being so critical. You don't like it? You go to Ars, son!

  8. Always use a commercial VPN by Anonymous Coward · · Score: 1

    It is good security practice to always use a commercial (paid) VPN at all times, but especially when using public wifi to prevent incidents like that.

    Private Internet Access, ExpressVPN and NordVPN are all industry leaders with great prices, easy to use and outstanding privacy policies.

    Also use a password manager like KeePassX or LastPass so you can easily have unique, secure passwords for every login. And always enable Two Factor Authentication.

    1. Re:Always use a commercial VPN by pnutjam · · Score: 1

      I'm a big proponent of VPNs, but how would that help with phishing sites or key loggers? I guess some VPNs will filter known phishing sites, but a lot of browsers do that already.

  9. Enabling?!?! by Anonymous Coward · · Score: 2

    > Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised why more people are not enabling authentication. That way, a revealed password isn't the end of the world, although stealing auth tokens can be still a valid attack, but that is a lot harder to do than a passive keylogger.

    If it's that good then why isn't it on by default?

    Seriously, what the fuck is wrong with technology firms? They sell these consumer electronics items and leave them wide open?

    What a bunch of morons - THEY are the morons!

    And if "hackers" can break into Google, I guess those Google "engineers" aren't such hot shits after all.

    1. Re:Enabling?!?! by Anonymous Coward · · Score: 0

      They very well might be, when's the last time you created a new Google account?

      I know they suggest it as part of their security checkup, which they also suggest at some point or another (I'm sure I had a pop-up type of thing suggesting I use it).

    2. Re:Enabling?!?! by Anonymous Coward · · Score: 0

      One of the Google email authentication options is a passcode sent to your phone that you can type in along with your credentials. Of course, you would have to give up your number. It may have supported sending the code to an alternative email, but I forget at this point. You can set that to always be required to login or only required on a new device. I started with every time, then lazed out and went to only on new devices.

      It's all optional I think but they put it right in your face to set it up, so really the user is at fault.

      Of course, the user typically is at fault. Even us pros do stupid stuff sometimes. Well, except me, I'm perfect :D It's how we learn but so many people can't be at fault for anything bad that may happen to them.

  10. Re:hackers did it! with hacks! while hacking! by Anonymous Coward · · Score: 0

    Says the newcomer younger than my shoes who's too busy feeling important (<blink>top editor</blink>) to even try.

  11. units by rossdee · · Score: 0

    >"Rusty" is not a unit of measurement

    In Soviet USA anything can be a unit of measurement

    Except international standards like metre

    BTW I also don't have an account with Google

    1. Re:units by gnick · · Score: 1

      > I also don't have an account with Google

      And I never signed up for Equifax, so I guess we're both good. Is it still called an "account" if it was created without your consent?

      --
      He's getting rather old, but he's a good mouse.

  12. 2FA will NEVER be common by Anonymous Coward · · Score: 0

    2FA is too damn inconvenient to be on by default. I, like most users, will absolutely not put up with any hassle like this to login. My password is in the password manager and I should never have to type it. Any login should thus be completely automatic, handled by the computer, and I will do everything I can to keep it that way. 2FA? NO WAY!

  13. No TOTP w/o expensive, insecure SMS by tepples · · Score: 1

    > I'm surprised why more people are not enabling authentication.

    It's in part because these providers insist on using SMS as the preferred second factor despite its disadvantages compared to U2F or TOTP. SMS has two problems:

    SMS is expensive: Cellular carriers in Slashdot's home country charge 10 cents per received text message unless a subscriber pays hundreds of dollars per year for a cellular plan including unmetered text messaging. I doubt that most people would want to pay their cellular carrier 10 cents every time they check their email.

    SMS is insecure: SMS messages can be intercepted, such as by social engineering a replacement SIM out of the victim's carrier or by exploiting SS7 flaws. U.S. National Institute of Science and Technology has warned firms about this, but firms haven't been listening.

    This wouldn't be a problem if services like Google, Twitter, and Steam offered a way to set up TOTP without first setting up SMS. But they don't. Google says "first you need to complete SMS/Voice setup", and the instructions for Twitter include "set up your personal account with the service on your phone" as part of the first step. Nor do they offer a way for someone who has set up TOTP to disable SMS without also disabling TOTP. Twitter in particular sends SMS on every 2-factor login attempt, in effect treating TOTP as a backup for SMS rather than vice versa.

    1. Re:No TOTP w/o expensive, insecure SMS by Baron_Yam · · Score: 2

      SMS has a big bonus though - it almost always goes to a device exclusively linked to you that you willingly carry around with you almost all the time.

      In the game of social network data mining, giving someone your cell number and confirming the connection via SMS is like handing over your government ID while letting them scan your face, fingerprints, iris, retina, voice patterns, and gait.

  14. Re: hackers did it! with hacks! while hacking! by Anonymous Coward · · Score: 0

    Powwwwwww, got em.

  15. It is easy to get rid of Phishing by aberglas · · Score: 1

    Just do not send the plain text password to the server. Use a nonce-based hashing scheme instead.

    TLS is almost worthless because it relies on the user to validate the URLs. Might as well not use it at all.

    And the Secure Remote Password (SRP) algorithm has been around for a long, long time. It avoids offline John-the-ripper attacks.

    The idea is that users only type in passwords in an area of the browser like the URL line which JavaScript cannot access.

    Problem solved. Once and for all.

    Unfortunately, neither I nor anyone else can see how to make money out of plugging this hole, while there is plenty of money to be made by working around it. So I at least will not invest any time into it. Will you?

  16. No need for 2FA by aberglas · · Score: 1

    Just do not send passwords in the clear to the server. Kill phishing, which is the main issue. Use a nonce-based hashing scheme instead.

    TLS is almost worthless because it relies on the user to validate the URLs. Might as well not use it at all.

    And the Secure Remote Password (SRP) algorithm has been around for a long, long time. It avoids offline John-the-ripper attacks.

    The idea is that users only type in passwords in an area of the browser like the URL line which JavaScript cannot access.

    Problem solved. Once and for all.

    Unfortunately, neither I nor anyone else can see how to make money out of plugging this hole, while there is plenty of money to be made by working around it. So I at least will not invest any time into it. Will you?
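
The nonce-based challenge-response that aberglas describes in comments 15 and 16, as an added Python example (not the poster's code, and a deliberate simplification rather than SRP itself): the server stores only a salted verifier, issues a fresh nonce per login, and the client proves knowledge of the password by keying an HMAC over that nonce, so the plaintext password never crosses the wire and a captured response cannot be replayed against a later challenge.

```python
import hashlib
import hmac
import os
import secrets

# Assumed scheme (simplified, not SRP): the server keeps a salted
# verifier v = SHA-256(salt || password); each login gets a fresh nonce
# and the client answers with HMAC-SHA256(key=v, msg=nonce).

def derive_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def register(password: str) -> dict:
    """Server-side enrolment: store salt and verifier, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_verifier(password, salt)}

def issue_challenge() -> bytes:
    """Server picks an unpredictable single-use nonce for this login."""
    return secrets.token_bytes(16)

def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client recomputes v locally and keys an HMAC over the nonce."""
    v = derive_verifier(password, salt)
    return hmac.new(v, nonce, hashlib.sha256).digest()

def server_verify(record: dict, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the expected HMAC and compares in constant time."""
    expected = hmac.new(record["verifier"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def replay_is_rejected(password: str = "correct horse") -> bool:
    """A response captured for one nonce must fail against a fresh one."""
    rec = register(password)
    first = issue_challenge()
    captured = client_response(password, rec["salt"], first)
    assert server_verify(rec, first, captured)   # the genuine login succeeds
    second = issue_challenge()
    return not server_verify(rec, second, captured)

if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
```

Unlike SRP, the stored verifier here is password-equivalent, so a leaked server database is enough to answer challenges; and a phishing site that relays the real server's nonce in real time is not stopped by the hashing alone, which is why the comment also wants the password typed into browser chrome that page scripts cannot read.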

  17. What the article doesn't tell you by rsilvergun · · Score: 1

    is all the logins belonged to this guy

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  18. This is great post by LouisRobinson143 · · Score: 0

    This is a great post and I am happy to find this informative topic shared here. Looking forward to more information.

  19. Google: Disable Gmail account linking by Anonymous Coward · · Score: 0

    I get multiple emails every year from someone trying to "hack" my gmail account by linking it to their own. If I click and say "Yes", they win.

    Why can't I just turn this off so that it is never a risk?

    Or Google, get rid of this feature?

  20. Re: RUSSIANS ! by Anonymous Coward · · Score: 0

    And were modded down for it. You should know better than to say RUSSIANS ! round these here parts because everyone knows they only exist in the minds of SJW leftist homosexuals.

  21. Obviously, Russia is involved up to its eyeballs!! by Anonymous Coward · · Score: 0

    Just thought I'd get the party started...