IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google: 1.5% of all login attempts use compromised passwords

Report says popular sites like Netflix and a number of government portals are at risk of 'credential stuffing'

person entering passcode on smartphone

Figures from Google's recently released Password Checkup extension have revealed 1.5% of sign-in attempts are being made using details that have been compromised in data breaches.

Despite being regularly notified that their details have been leaked to hackers, a large proportion of users fail to change their passwords or deactivate accounts, according to the data.

Only 26% of users with compromised details changed their passwords after being notified by the extension, and just 60% of these changes were actually secure against brute force guessing.

The extension constantly monitors a user's login attempts and scans them against a database of 4 billion usernames and passwords known to have been involved in third-party data breaches.

Around 650,000 users participated in the experiment which saw 21 million login attempts scanned and analysed. Google said 316,000 of these logins used unsafe credentials, equating to roughly 1.5% of all attempts.

"Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach," said Google. "If you use strong, unique passwords for all your accounts, this risk disappears."

Using anonymous telemetry gathered from the extension, Google was able to determine the relative credential stuffing risk to the type of website used.

For example, the highest risk of successful credential stuffing attacks using compromised login details would be on popular entertainment sites such as Netflix, while the likes of government online portals and online banking platforms, although at a much lower risk, were still vulnerable to these types of attacks.

Credential stuffing is a crude method attackers use to break into people's accounts which involves taking stolen login details and spamming different sites with these details, often using automated programs, in the hope of gaining access to more potentially sensitive data.

It differs from brute force attacks which involve trying to guess passwords or other details in multiple login attempts on a string of sites.

Until now, the extension hasn't afforded users the right to opt-out of having their anonymised telemetry sent back to the company, however, Google has since made this an option.

"By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information," said Google.

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation

Why collaboration is key to digital transformation

13 Sep 2022