Internet data breaches threaten the usernames and passwords of billions of people, but bad actors find phishing is the most effective way to hijack their victims' online identities, according to researchers at Google and the University of California-Berkeley.

In a year-long study of online black markets, the researchers found that 25 percent of phishing victims were at risk of a Google email account takeover after their credentials were exposed, compared to 7 percent of victims of third-party data breaches and 12 percent of keylogger victims. Google said it has used those findings to secure the accounts of victims whose data was being marketed online, and to strengthen security measures for its users in general.

Google added that it is publishing details of its research to encourage other online services to take similar steps to boost their authentication systems with "more protections beyond just passwords." It also advised users of Google services to visit its Security Checkup site to ensure their defenses are up to date.

400x More Likely To Be Hijacked

Between March 2016 and March 2017, the Google/University of California-Berkeley research team monitored online black markets to understand how stolen credentials make their way into the hands of hackers and identity hijackers. During that time period, they identified 788,000 potential victims of keylogging, 12.4 million potential victims of phishing, and 1.9 billion usernames and passwords exposed via third-party data breaches.

"We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim's (re-used) credentials," the researchers wrote in a study that was presented at last week's Association for Computing Machinery's Computer and Communications Security conference in Dallas. "We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims."

Keylogging uses malicious software installed on an infected device to record user keystrokes, enabling bad actors to access others' login credentials.

The researchers said their study also showed how stronger login security systems can help reduce threats to users' online credentials and identities. "Our findings illustrate the global reach of the underground economy surrounding credential theft and the need to educate users about password managers and unphishable two-factor authentication as a potential solution," they noted.

15% of Online Users Have Been Victims

In 2014, Google research found that more than 15 percent of online users have had their email or social networking accounts hijacked by malicious actors. The new study was aimed at better understanding the root causes of hijacking, Google said in a blog post published Thursday.

"What we learned from the research proved to be immediately useful," Google's Kurt Thomas and Angelika Moscicki wrote in the post. "We applied its insights to our existing protections and secured 67 million Google accounts before they were abused. We're sharing this information publicly so that other online services can better secure their users, and can also supplement their authentication systems with more protections beyond just passwords."

In a similar move last week, Amazon said it was adding new encryption and security features to its S3 cloud storage service to reduce the risks of stored data leaking onto the Internet. The new features include default encryption, permission checks, support for cross-region replication of objects, support for object replication with Amazon's Key Management Service, and detailed inventory reporting.

Those protections are aimed at security issues that "aren't really caused by the cloud providers themselves, but by the [organizations] using them -- failing to do everything in their power to ensure that the web 'bucket' they are pouring data into has been properly configured," U.K. security writer Graham Cluley wrote yesterday. "In short, it should be harder than before for companies to leave their data lying around for anyone surfing the Internet to scoop up, and simpler for them to have put basic security in place."