New Google study reveals the massive extent of online account hijacking
Even as web giants such as Google LLC implement increasingly sophisticated security safeguards to protect their users, account hijacking remains a major threat. In a bid to shed more light on the issue, the company on Thursday released a landmark study that breaks down hacker activity by the numbers.
The report is the fruit of a yearlong investigation that kicked off last March. In collaboration with researchers from the University of California at Berkeley, Google scoured websites frequented by hackers for stolen account credentials. The company uncovered 788,000 credentials that were obtained using keyloggers, 12.4 million stolen via phishing and a massive 1.9 billion records pilfered through data breaches.
Breach attempts against large corporate targets have proven to be a particularly big privacy risk. The hack at credit reporting giant Equifax Inc. that came to light in September by itself exposed information about 143 million consumers. Yet while such large-scale attacks certainly constitute a far-reaching issue, they somewhat surprisingly aren’t the biggest concern for users worried about their most important online accounts getting hijacked.
Instead, it’s phishing. Google’s study shows that people who fall victim to a phishing campaign, which involves sending messages that appear to be from a known company or person to elicit personal information, are 400 times more likely to have their account compromised than the typical Gmail user. Those impacted by a data breach are just 10 times more susceptible.
This disparity has to do with the type of information stolen during attacks. Hackers who manage to breach a large retailer, for example, may find credit card numbers, but they probably wouldn’t come across too many Gmail passwords belonging to customers. Phishing campaigns, by contrast, are specifically designed to fool victims into giving up their account details.
That includes much more than just usernames and passwords. According to Google, hackers are increasingly going after secondary account details such as the user’s geographic location. This information can potentially be employed to bypass the protections that online services have in place to prevent the use of stolen login credentials.
Google’s report is not all doom and gloom, though. In a blog post, the search giant detailed that the hacker data uncovered through its investigation has been applied internally to improve user protections and secure 67 million vulnerable accounts before they could be compromised.