Account Takeovers Most Likely Caused By Phishing, Not Data Breaches

A recent Google study found that phishing exploits are far more likely to be the cause of account takeovers than the information compromised by data breach or malware.

The study, “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was conducted in cooperation with the University of California, Berkeley, and the International Computer Science Institute from data gathered between March 2016 and March 2017.

The study sampled more than 1.9 billion stolen usernames and passwords exposed by past data breaches at MySpace, LinkedIn, Dropbox and thousands of other digital sources, and its findings warrant your attention. The upshot: breaches aren’t the culprit in the majority of account takeovers.

The study identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches on a sampling from thousands of online sites and service providers.

These results are eye-opening because, while the common response to data breaches tends to be panic, the greater threat comes from active attacks such as phishing rather than from credentials passively exposed in a breach.

“We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83% of phishing kits collecting geolocations, 18% phone numbers, and 16% User-Agent data.”

The study demonstrates “the necessity of a defense-in-depth approach to authenticating users.” The full paper is a not-so-quick read (it’s 14 pages).

About Adam Levin   |   Chairman and Founder   |   Cyberscout

Adam Levin Chairman and cofounder of and Adam’s experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.