Google, along with researchers from the University of California, recently published a research paper titled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials” in an effort to better understand the risks that stolen credentials pose to billions of Internet users. The research is based on a dataset of 1.9 billion stolen credentials obtained by various means such as crawling and manual collection. It found that 7-25% of the stolen credentials collected matched a Google account. The research insight helped save 67 million Google accounts.
Applying the research insights to its security protections prevented 67 million Google accounts from being abused.
CNN Money
As a cybersecurity firm focused on helping enterprises and organizations address the stolen credentials issue, VeriClouds is very excited to see this report and its recognition of stolen credentials as a huge issue for Internet users. The VeriClouds R&D team dug deeper into the research and uncovered some interesting findings that were not covered in media reports about this research. This blog article illustrates those findings.
Users do not activate 2FA, even after they recovered from hijacks
According to the research, only 3.1% of users enabled second-factor authentication after they regained control of their hijacked Google accounts. This result is consistent with previous studies of user security practices, which found that most users do not use 2FA or password managers despite repeated advice from security professionals.
While experts commonly favor using two-factor authentication or password managers, these tools are virtually absent from the security posture of regular users.
The Google study
If the average Internet user does not choose to use 2FA, there are probably usability issues with these services.
Resetting passwords is an effective way to defend
Google users whose accounts were compromised were required to reset their passwords to regain access to their accounts. The research found that a password reset was an effective means of helping Google users avoid being compromised again. Specifically, only 2% of Google accounts were found to be hijacked again after the users successfully reset their passwords.
Password resetting may be sufficient response to address account compromise.
The Google study
However, frequent password resets can be annoying to users and often result in weakened security. That’s why the latest NIST security guidelines suggest forcing a password reset only when concrete evidence of a credential compromise is found.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
NIST Digital Identity Guidelines
So if your company wants to protect its employees and/or users from stolen credentials, do not simply force them to reset passwords without a reason. You should first identify which accounts are affected by stolen credentials with a service such as CredVerify and then proceed with password resets based on the evidence. (See The Ease of Checking for Compromised Credentials)
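The evidence-based reset described above can be sketched as follows. This is an added example, not code from VeriClouds, CredVerify or the Google study; the PBKDF2 storage scheme, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: the site stores PBKDF2-HMAC-SHA256 hashes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password (hypothetical storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    """Build a stored account record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def accounts_to_reset(users: dict, leaked_records: list) -> dict:
    """Return {username: reason} only for accounts whose current password
    matches a leaked record. Accounts that appear in a dump with a password
    that no longer verifies are not forced to reset (a policy assumption)."""
    flagged = {}
    for username, leaked_password in leaked_records:
        key = username.strip().lower()  # leaked dumps vary in case and spacing
        user = users.get(key)
        if user is None:
            continue  # leaked identity is not one of our accounts
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged[key] = "current password found in leaked data"
    return flagged


# Constructed sample data: three accounts and a small leaked-credential feed.
USERS = {
    "alice@example.com": make_user("Summer2017!"),
    "bob@example.com": make_user("correct horse battery staple"),
    "carol@example.com": make_user("n3w-Passw0rd"),
}
LEAKED = [
    ("Alice@Example.com", "Summer2017!"),   # still in use: evidence of compromise
    ("carol@example.com", "old-password"),  # in the dump, but already changed
    ("dave@example.com", "hunter2"),        # not our user
]

if __name__ == "__main__":
    for name, reason in accounts_to_reset(USERS, LEAKED).items():
        print(f"force reset: {name} ({reason})")
```

Only the account whose leaked password still verifies is flagged, so the other users are not pushed through a reset without evidence.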
90+% of stolen credentials are not publicly crawlable
According to the research, Google’s crawling engine collected 123,055,067 stolen credential records from the web (paste sites, search index, and public forums combined, shown in Figure 1), while manual collection of credential data from private forums not accessible to the crawler yielded 1,799,553,568 records. In other words, 93.6% of records were collected from the deep or dark web, which Google's crawler cannot automatically reach.

Figure 1. Breakdown of the stolen credentials
This result is consistent with what VeriClouds and other threat intelligence companies observe, i.e., most stolen credentials circulate on deep and dark web sites such as dark web forums and Tor-encrypted sites, not on the surface web.

Figure 2
It’s great to see that Google has made a great effort to secure the accounts of Google users against billions of stolen credentials every single day. However, an Internet user on average has around 150 online accounts. Most of those accounts today do not enjoy the protection that Google accounts have. As for which mitigation is effective, simply deploying 2FA will not solve the problem because most users do not use it. Password reset turns out to be quite an effective approach, if done properly. Lastly, 90+% of stolen credentials are not accessible to the public, but only circulate on the deep and dark web.