Skip to content
Naked Security Naked Security

Google study reveals how criminals break into Gmail accounts

The researchers' conclusion? Password-based authentication is dead in the water

Google, it’s fair to say, is no fan of relying on passwords to secure online accounts.

Reading the recent study the company commissioned on the causes of online account takeover from the University of California, Berkeley, it’s not hard to understand why.

The year-long analysis to March 2017 mostly confirms a lot of bad news that security experts could have guessed, starting with the staggering haul of stolen credentials, covering a wide range of online services, that appear to be circulating on the dark web.

After crawling blackhat forums and paste sites, 1.9 billion credentials were traced to data breaches, 12.4 million to the work of phishing kits, and 788,000 were stolen by keyloggers.

Based on the 751,000 Gmail users within this data, the company was able to work out that for its users phishing attacks are by far the most dangerous of the three:

We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials. Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.

But just having the password and user name (which can be changed) isn’t the whole explanation for the different success rates. It turns out that phishing attacks and keyloggers are further boosted by their tendency to grab data such as telephone numbers, geo-location data and IP addresses.

This makes it much harder for a company such as Google to detect rogue activity simply by looking at where someone appears to be logging in from, say, because this can be spoofed.

The warning:

While credential leaks may expose the largest number of passwords, phishing kits and keyloggers provide more flexibility to adapt to new account protections.

Which brings us back to the perennial angst of passwords.

The study confirmed that large numbers of passwords (including large numbers of terrible ones that appeared to have been poorly stored) are re-used, which means that someone breached in one service has often put multiple accounts at risk.

The researchers’ conclusion is that password-based authentication is dead in the water. Credentials are simply too easy to steal while users don’t make much effort to secure them. No amount of tinkering can save this model.

Enabling multi-factor authentication (MFA) would mitigate much of this, particularly phishing attacks, credential leaks and, to some extent, keylogging. And yet only a minority use it, even after they’ve been the victim of an attack:

Our own results indicate that less than 3.1% who fall victim to hijacking subsequently enable any form of two-factor authentication after recovering their account.

This suggests that people have either not heard of MFA, don’t know how to enable it or really don’t like it.

It makes you wonder why Google doesn’t simply make MFA mandatory and just get on with migrating people for their own good, as Apple appears to want to do.

An intriguing possibility is that companies such as Google might more regularly trawl the dark web for accounts that have been breached, resetting them as they are spotted.

Facebook are already known to do this and Google did it for every compromised Gmail account the researchers uncovered in this study, so it’s not far-fetched that this could happen in future.

Naked Security has written several times on the importance of MFA (including for Gmail) which we’d implore anyone not using it to read and act on.

Google also recently launched something called the Advanced Protection Program (APP) for Gmail users who see themselves as being at high risk of phishing attacks.


Do not own a mobile device and am not always at my land line. So how do you propose to do this? Perhaps an alternate email?
Or will I need to have a Google/Apple/Microsoft id chip implanted in my forehead so they can recognize me>


Google supports U2F hardware tokens which can be bought cheaply, although to be honest I’d buy a mobile instead. Although I work in computer security so I have more U2F keys than I need.


You could buy a cheap handheld computer as a dedicated 2FA device. (If you add a SIM card later on then you could upgrade this portable device to a mobile phone, but there’s no need to do so if you don’t want to. I have several old mobile phones and tablets loafing around that I use without SIM cards – one for sofa-browsing, and another I use as an alarm clock. Either or both would make satisfactory 2FA token code generator devices.)


Google (and I presume, others too) also supports “backup codes”, specifically designed to let you in when your regular access methods aren’t an option.


You can print out backup codes on paper and keep them in your wallet. You get 10 codes at a time but can generate new onews when you need them.


Would you believe, not everyone who uses the Internet has a cell phone? What other MFA would you force on someone in order to access Google?


Maybe that’s why the lowly password is still an option; they’re reluctant to lose user base.

Of course the intent behind 100% httpS is also a good one, and they’re still on board with that–despite the scrambling it’s brought some admins.

Maybe Spryte’s RFID forehead chip (RFFHID?) is the way to go. :,)


For the 99% of internet users who do have a mobile phone, they’re a great way to get into the habit of 2FA. If you’re in the group of one-percenters, you’ll have to find another way, e.g. buy a cheap phone *only* for 2FA calculations (not for network access or phone calls), get a Yubikey, or be a 2FA refusenik.


[of data breaches, phishing kits, keyloggers]
phishing attacks are by far the most dangerous of the three, accounting for 25% of exposed current passwords.

Are there other significant causes of compromised credentials? I don’t doubt phishing’s ominous potential, but if the “most” of three anythings isn’t 33%…


I must have had my dark glasses on when I edited that, thanks. See the newly-added quote for the proper form of words.


The security and replaceability-when-compromised of a SIM card is pretty well established. A similarly encrypted and authenticated chip in the physical form of a memory stick with regular USB-A on one end and micro-USB on the other would serve as a portable second factor that doesn’t rely on a cellular connection.

You wouldn’t leave your house without your house key. So put this on your key chain and carry it with you. Plug it into your tablet or desktop or laptop at home and into your tablet or cellphone on the road. If it’s lost or stolen, call the issuing authority and get a new one assigned. In the interim you have some security from the first factor.


Having MFA on accounts will hopefully become the norm, and I feel for the folk who cannot use a mobile phone for an easy 2nd factor.. There are other options in terms of physical devices (like dongles, or apps like Google’s Security Key which emulate a dongle) which can function as a secondary physical factor of authentication. I know that means you need a phone, but it will run without a mobile phone plan. I think it also has a Chrome plug-in?
Please keep raving about MFA Sophos guys, its critical.


It seems that we have to accept that life is getting inconvenient to the point of impossibility.

My credit card company now wants to verify transactions by sending a message to my phone (even though the number they had was a landline which could not accept messages!). So I had to give them my mobile number. Now my mobile cannot live in the same pocket as my credit card * because if a pickpocket gets into that pocket they will probably get both and when a transaction has to be verified all they have to do is press “Y” on my mobile.

So I need a more secure mobile. Presumably that should have TFA on its login requiring me to open an email to get a code to enter on my “smart” phone to unlock it. I think I see a problem.

* I already keep my driving licence (with my address on it) in a separate pocket from my credit card for similar reasons. And my house keys naturally cannot be in the same pocket as anything with my address on it! I am running out of pockets!

How far are we from having to be compulsorily chipped if we wish to do anything. And if so who exactly “owns” our ID?


Yes, it’s definitely a good idea to get a phone with a decent lockcode capability. (I still have an old-school phone – the ones that weigh 65 grams, have a battery that lasts two weeks, and let you MAKE PHONE CALLS with excellent voice quality – but I simply can’t bring myself to trust its firmware programming enough to imagine that the lock code would keep anyone out for more than a minute. Which is a pity, because it would make a great 2FA tokem, given that it weighs 65 grams and has a battery that lasts two weeks.)


For those who DO have a cell phone, is it feasible to use a secure messaging app such as WhatsApp, instead of a phone call or SMS, to send the 2FA code? When I’m overseas, I’m using a foreign SIM and can’t receive a phone call or SMS sent to my USA phone number, but I still get messages through WhatsApp even though it uses my USA phone number.


So I use a password manager and generate complex passwords like
which will NEVER be in any rainbow table, and I am totally at ease even if a website has its hashed passwords stolen (MD5 SHAx Salted or not).
I wouldn't even bother to change my password.
As I spoof my browser metatags with "random agent spoofer", Google always asks me
"Answer your security question" which is kinda like 2FA.
None of this helps with phishing attacks, but common sense and double checking the address URL should be routine.


I do not currently use 2FA for any of my accounts. I have many email accounts that all download every few minutes with no intervention. The credentials are stored in the clients I use. I also download financial information from several bank and brokerage accounts with one click in Quicken. All of these apps would have to play seamlessly with any enhanced security system to motivate me to use it. Something similar to Google Authenticator that could be automatically queried by all the software I use that automatically downloads things could work, but until that exists, I will resist 2FA because it’s annoying, and I don’t like being annoyed.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!