The study, “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was conducted in cooperation with the University of California, Berkeley, and the International Computer Science Institute from data gathered between March 2016 and March 2017.
Sampling more than 1.9 billion stolen usernames and passwords exposed by past data breaches at MySpace, LinkedIn, Dropbox and thousands of other digital sources, the findings warrant your attention. The upshot: breaches aren’t the culprit in the majority of account takeovers.
The study identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches on a sampling from thousands of online sites and service providers.
These results are eye-opening because, while the common response to a data breach is panic, the more serious threat comes from active credential theft (phishing kits and keyloggers) rather than from passively exposed breach data.
“We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83% of phishing kits collecting geolocations, 18% phone numbers, and 16% User-Agent data.”
The study demonstrates “the necessity of a defense-in-depth approach to authenticating users.” For a not-so-quick read (it’s 14 pages), click here.
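The quoted finding explains why phishing victims are hijacked so much more often: a phishing kit that captures the victim's geolocation and User-Agent along with the password can replay a login that looks, to a context-based risk check, exactly like the real owner. The example below is an added illustration, not code from the study or from Google; the `LoginAttempt` fields, the `PROFILES` table, the scoring weights and all sample values are constructed. It contrasts a naive policy (password plus familiar context is enough) with a layered policy that requires a second factor regardless of how familiar the context looks.

```python
"""Added illustration (constructed data) of why context-only login risk
scoring is defeated by phishing kits that also capture geolocation and
User-Agent, and why a second factor must be required regardless."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    password_ok: bool        # result of the credential check (assumed already done)
    country: str             # country inferred from the client IP (constructed)
    user_agent: str          # raw User-Agent header (constructed)
    second_factor_ok: bool   # a phishing-resistant second factor was presented


# Constructed baseline profile: what this account's normal logins look like.
PROFILES = {
    "alice": {
        "country": "US",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0",
    },
}


def context_risk(attempt: LoginAttempt) -> int:
    """Score how far the attempt's context deviates from the stored profile.
    Real risk engines normalise the User-Agent to a browser family and weigh
    many more signals; the two checks here are deliberately minimal."""
    profile = PROFILES[attempt.username]
    score = 0
    if attempt.country != profile["country"]:
        score += 2
    if attempt.user_agent != profile["user_agent"]:
        score += 1
    return score


def naive_decision(attempt: LoginAttempt) -> str:
    """Weak policy: a correct password from a familiar context is allowed in."""
    if not attempt.password_ok:
        return "deny"
    return "allow" if context_risk(attempt) == 0 else "challenge"


def layered_decision(attempt: LoginAttempt) -> str:
    """Defense-in-depth policy: the second factor is required even when the
    context looks familiar, so replayed profile data buys nothing. Context
    still matters: an unfamiliar context with a valid second factor is
    admitted but flagged for review."""
    if not attempt.password_ok:
        return "deny"
    if not attempt.second_factor_ok:
        return "challenge"
    return "allow" if context_risk(attempt) == 0 else "allow-and-alert"


def evaluate(attempt: LoginAttempt) -> tuple[str, str]:
    """Return (naive decision, layered decision) for one attempt."""
    return naive_decision(attempt), layered_decision(attempt)


# Constructed scenarios.
ALICE_UA = PROFILES["alice"]["user_agent"]
# The account owner: familiar context, second factor present.
LEGIT = LoginAttempt("alice", True, "US", ALICE_UA, True)
# Password taken from a breach dump, used from an unfamiliar location and client.
BREACH_REPLAY = LoginAttempt("alice", True, "FR", "curl/7.58.0", False)
# Password plus geolocation and User-Agent captured by a phishing kit and replayed.
PHISH_REPLAY = LoginAttempt("alice", True, "US", ALICE_UA, False)

if __name__ == "__main__":
    for label, attempt in [("legit", LEGIT), ("breach", BREACH_REPLAY),
                           ("phish", PHISH_REPLAY)]:
        naive, layered = evaluate(attempt)
        print(f"{label:7s} naive={naive:10s} layered={layered}")
```

The interesting row is the phishing replay: the naive policy admits it because every contextual signal matches the profile, while the layered policy still challenges it. This is the concrete sense in which the kit's harvested "risk profile" defeats context-based checks, and why the study's defense-in-depth recommendation amounts to more than a slogan.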