
What's Worse for Your Account: a Data Breach or a Phishing Attack?

Google looked at the root causes behind online account hijacking and found phishing attacks and third-party data breaches can pose serious risks.

By Michael Kan, Principal Reporter


What's more dangerous: a data breach, a keylogger on your PC, or a phishing attack?

All three can let hackers uncover your password information. But according to Google, phishing attacks are by far the more serious threat when it comes to account hijacking.


The findings were made in a year-long study from Google and researchers at the University of California, Berkeley that looked at the root causes behind account takeovers.

The study analyzed a dataset of stolen user account information traded on black markets and taken from hacking tools that can log keystrokes or generate phishing emails.

Picking apart real stolen data

The sample data itself was massive. It included 1.9 billion stolen usernames and passwords exposed by past data breaches at MySpace, LinkedIn, Dropbox and other third-party online services.

In addition, there were 12 million stolen credentials taken from phishing attacks, and another 788,000 obtained from keyloggers.

The study then dove into the sample data, looking for actual Google users affected and whether any of the stolen password information still worked.

Unfortunately, the answer was yes. For victims of the phishing attacks, 25 percent of the passwords remained valid.

Google Paper Stats

Only 12 percent of the passwords were valid for the keylogging victims, and 7 percent for victims of data breaches.

That's not a complete surprise. Phishing attacks are specifically designed to trick users into giving up their login credentials and other sensitive information. They usually do so by masquerading as an email from a legitimate service that asks for your password. Hackers can deploy them through "phishing kits" that can be found on the digital black market and will automate the attack process.

The study from Google also tried to quantify the risks with each form of password exposure.

"We find that once a user's valid credentials are exposed to a phishing kit, the likelihood they become compromised is over 400x more than a random user," the study said.

For victims of keyloggers, the hijacking odds are only forty times more. For data breach victims, it's even lower at ten times more.

Nevertheless, data breaches can still be a serious problem, which the study underscored.

How data breaches can affect your Google account

The sample data comprised 1.9 billion stolen credentials taken from third-party data breaches, none of which originated from any Google hack.

But because people like to reuse passwords between different online accounts, the third-party data breaches still affected some Google users.

In scanning the sample data, the company found 51 million Google accounts that had their password information exposed in the breaches because of password reuse. That's a huge number and goes to show why you should register important online accounts with unique, hard-to-crack passwords.

The good news is that data breaches tend to only contain username and password information, which is sometimes not enough to break into an account. For instance, Google has protections in place to also analyze where a login takes place and from what device. Any deviations found can prompt Google to verify your identity.

Attacks from phishing kits, on the other hand, can be designed to extract more detailed information from their victims, including geo-location data, the login device, and even account recovery questions.

"Our findings indicate that while credential leaks may expose the largest number of passwords, phishing kits and keyloggers provide more flexibility to adapt to new account protections," the study said.

Google has forced a password reset for the company's users found in the sample datasets. If you're worried about hackers, Google has options like two-factor authentication and a new "Advanced Protection Program" that can offer extra security around your account.
