Google says account takeovers are down more than 99 percent

Share this article:

Google is crediting enhanced risk analysis efforts with lowering the number of compromised user accounts by nearly 100 percent over two years, the company announced Tuesday.

Mike Hearn, a Google security engineer, said in a blog post that new security measures, in which login attempts to accounts such as Gmail are tested against 120 variables to ensure a person is who they say they are, have reduced hijackings by 99.7 percent since a peak in 2011.

"If a sign-in is deemed suspicious or risky for some reason – maybe it's coming from a country oceans away from your last sign-in – we ask some simple questions about your account," Hearn wrote. "For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner." 

Spammers and others who seek access to accounts that aren't theirs use varying ways to do it. But Hearn pinned a brunt of the blame on hackers who have compromised websites to steal usernames and passwords. Oftentimes, web users employ the same credentials across their online accounts. So if a miscreant steals someone's login information from, for example, LinkedIn, those same credentials might work to access Gmail.

And once in their possession, attackers use automated methods to try and crack victims' accounts.

"We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," wrote Hearn, who added that users should also consider using two-factor authentication as an additional protection method.

Still, the news from Google wasn't met with all praise, with some questioning the privacy ramifications of a single company knowing so much about its users.

"The flip side of Google account hijackings being down 99 percent is that Google's ability to correlate and pinpoint you is up 99 percent," Melissa Elliott, a computer security researcher, tweeted on Wednesday. "I'm not saying that's good or bad. Just that the reality is that you have to take extreme steps to be truly anonymous online."
Share this article:

Sign up to our newsletters

More in News

Pentagon to triple its security workforce by 2016

Pentagon to triple its security workforce by 2016

Defense Secretary Chuck Hagel recently announced the recruitment efforts during a speech in Fort Meade, Md.

Tech manufacturer's online payment system breached

LaCie confirmed an unauthorized party used malware to access its online payment system for almost a year and could have stolen customer information.

The Heartbleed bug works, and could be a scapegoat for older breaches

The Heartbleed bug works, and could be a ...

Researchers proved the Heartbleed bug was real in a challenge issued by CloudFlare to prove private keys can be stolen, right around the time companies are claiming they were breached ...