Hundreds of Thousands Still Using Breached Usernames and Passwords

When it comes to cybersecurity, it appears that some of us are slow to learn, according to a study released by Google.

The study presents some of the results from the Password Checkup extension for Chrome, which was released in Feb. 2019 and alerts users when they are using one of over four billion usernames and passwords Google has identified as unsafe.

In the first month of use, 21 million usernames and passwords were scanned and 'only' 1.5% were deemed unsafe. While this is an improvement on the 6.9% shown in a 2017 study, it still equates to 316,000 unsafe usernames and passwords. Alarmingly, when the extension showed details to be unsafe, only 26% of people reset them to something more secure.

The study found that "users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites. The risk of hijacking was highest for video streaming and adult sites, where (up to) 6.3% of logins relied on breached credentials."

The numbers were better for financial and government sites, where 0.2–0.3% of user logins used (already) breached details.

"Protecting accounts from credential stuffing attacks remains burdensome due to an asymmetry of knowledge," states the report. "Attackers have wide-scale access to billions of stolen usernames and passwords, while users and identity providers remain in the dark as to which accounts require remediation."
