Google Says That 300K People Still Use Hacked Passwords

Google, Study, Hackers, Passwords

Over 300,000 people who were compromised online are still using logins that were hacked, according to a new Google study unveiled at the USENIX Security Symposium in Santa Clara, California this week.

The Next Web reported on Friday (Aug. 16) that Google discovered the information from its recently released Chrome Password Checkup extension.

“We scanned 21 million usernames and passwords and flagged over 316,000 as unsafe — 1.5 percent of sign-ins scanned by the extension,” Google said. “By alerting users to this breach status, 26 percent of our warnings resulted in users migrating to a new password. Of these new passwords, 94 percent were at least as strong as the original.”

But users disregarded 25.7 percent (81,368) of all breach warnings, the study found.

The study “Protecting accounts from credential stuffing with password breach alerting” said data was sourced from 670,000 users from Feb. 5 through March 4, 2019.

Anonymous telemetry data culled from the extension has provided Google with information on how widespread the practice of account hijacking and non-unique passwords really is. 

The study found that while users often remember to change passwords for major sites, they’re two and a half times more likely to reuse vulnerable passwords everywhere else, opening them to account hijacking threats. 

The risk of hijacking was highest for video streaming and porn websites, where 3.6 to 6.3 percent of logins relied on breached credentials, the study said.

Although there are breach alerting services, they have privacy tradeoffs. Google wants a “new privacy-preserving protocol that allows a client to learn whether their username and password appears in a breach without revealing the information queried,” the report said.

The Password Checkup extension uses a new cryptographic protocol, Private Set Intersection (PSI), that matches login information against an encrypted data set of 4 billion credentials leaked in previous data breaches while keeping the user's details private.
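To make the privacy property concrete, here is an added example of a textbook Diffie-Hellman-style private set intersection, written for this page and not Google's own protocol or code. It follows the shape described above: the client sends only a short hash prefix (to select a bucket) plus a blinded group element, the server answers with the same element raised to its own secret plus the server-blinded entries of that bucket, and the client finishes the comparison locally. The server never sees the username or password, and the client never learns which other credentials are in the breach set. The modulus is the RFC 3526 group 14 prime (generator 2); the 2-byte prefix size, the leaked credentials and the credential encoding are constructed for the demonstration.

```python
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime, generator 2. Standard constant, not from the article.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PREFIX_BYTES = 2  # constructed bucket selector: only this much of the hash leaves the client


def credential_hash(username: str, password: str) -> bytes:
    # Constructed canonical encoding; a real deployment would use a slow, salted hash.
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def hash_to_group(digest: bytes) -> int:
    # One-way map from a digest into the DH group: H(x) = g^digest mod p.
    return pow(G, int.from_bytes(digest, "big"), P)


def fresh_secret() -> int:
    # 256-bit exponent, never 0 or 1 (x^0 == 1 would make every entry "match").
    return 2 + secrets.randbits(256)


class BreachServer:
    """Holds H(x)^b for every leaked credential x, bucketed by hash prefix."""

    def __init__(self, leaked_credentials):
        self.key = fresh_secret()  # server secret b, never revealed
        self.buckets: dict[bytes, list[int]] = {}
        for user, pw in leaked_credentials:
            d = credential_hash(user, pw)
            blinded = pow(hash_to_group(d), self.key, P)
            self.buckets.setdefault(d[:PREFIX_BYTES], []).append(blinded)

    def query(self, prefix: bytes, blinded_point: int):
        # The server learns only a 2-byte prefix and a blinded element H(c)^a.
        # It returns H(c)^(ab) and the server-blinded entries H(x)^b of that bucket.
        return pow(blinded_point, self.key, P), list(self.buckets.get(prefix, []))


def client_check(server: BreachServer, username: str, password: str) -> bool:
    """Returns True if (username, password) is in the breach set, revealing neither to the server."""
    d = credential_hash(username, password)
    a = fresh_secret()  # per-query client secret a
    doubly_blinded, bucket = server.query(d[:PREFIX_BYTES], pow(hash_to_group(d), a, P))
    # (H(x)^b)^a == (H(c)^a)^b exactly when H(x) == H(c); comparison happens client-side.
    return any(pow(entry, a, P) == doubly_blinded for entry in bucket)


def breach_check(leaked_credentials, username: str, password: str) -> bool:
    # Convenience wrapper: build a server over a constructed breach corpus and run one query.
    return client_check(BreachServer(leaked_credentials), username, password)


if __name__ == "__main__":
    # Constructed sample breach corpus for the demonstration.
    leaked = [("alice@example.com", "Password123"), ("bob@example.com", "hunter2")]
    server = BreachServer(leaked)
    print(client_check(server, "alice@example.com", "Password123"))   # True: reused breached login
    print(client_check(server, "alice@example.com", "correct-horse"))  # False: changed password
```

The design point worth noticing is that the bucket lookup by prefix limits what the server has to send back, while the double blinding is what keeps the credential itself private: the server cannot reverse H(c)^a without a, and the client cannot recover the other entries in the bucket without b. Sending a short prefix still leaks a few bits of the hash, which is why a real deployment keeps the prefix small enough that each bucket covers many thousands of credentials.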

Google is ultimately looking to get rid of passwords altogether. In its latest advance, Google is enabling users with Pixel phones to log into some of the search giant’s services through the Chrome browser with biometrics, such as fingerprints.