
Google says account takeovers are down more than 99 percent

Google is crediting enhanced risk analysis efforts with lowering the number of compromised user accounts by nearly 100 percent over two years, the company announced Tuesday.

Mike Hearn, a Google security engineer, said in a blog post that new security measures, in which login attempts to accounts such as Gmail are tested against 120 variables to ensure a person is who they say they are, have reduced hijackings by 99.7 percent since a peak in 2011.

"If a sign-in is deemed suspicious or risky for some reason – maybe it's coming from a country oceans away from your last sign-in – we ask some simple questions about your account," Hearn wrote. "For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner." 

Spammers and others who seek access to accounts that aren't theirs use a variety of methods to do it. But Hearn pinned the brunt of the blame on hackers who have compromised websites to steal usernames and passwords. Oftentimes, web users employ the same credentials across their online accounts. So if a miscreant steals someone's login information from, for example, LinkedIn, those same credentials might work to access Gmail.

And once the stolen credentials are in their possession, attackers use automated methods to try to crack victims' accounts.

"We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," wrote Hearn, who added that users should also consider using two-factor authentication as an additional protection method.

Still, the news from Google wasn't met with universal praise, with some questioning the privacy ramifications of a single company knowing so much about its users.

"The flip side of Google account hijackings being down 99 percent is that Google's ability to correlate and pinpoint you is up 99 percent," Melissa Elliott, a computer security researcher, tweeted on Wednesday. "I'm not saying that's good or bad. Just that the reality is that you have to take extreme steps to be truly anonymous online."
