How Google Fights Password Thieves

Photo: AP

Google and researchers at the University of California, Berkeley, teamed up to study how Google accounts become compromised, shedding light on how the company finds new ways to fight back.
“The lifecycle of hijacking begins with password theft,” Google security engineer Grzegorz Milka said at the Enigma cybersecurity conference in Santa Clara, California, on Wednesday.

Hackers use several techniques to gather passwords, including scraping them from data breaches or collecting them with keyloggers, malware, and phishing schemes, Milka explained. In research conducted between May 2016 and May 2017, the company found 67 million valid Google account credentials on black markets. Google estimates that about 17 percent of its users re-use their passwords across accounts, leaving their accounts vulnerable if these passwords are exposed during a data breach at another company.

“With millions of stolen passwords out there, just accepting the password as is is risky at best,” Milka said. Ideally, users would enable two-factor authentication on their accounts to protect themselves against password theft. But not enough users choose to do so—Google estimates that less than 10 percent of its active users have two-factor authentication enabled. (Although that number is scarily low, it’s worth remembering that 10 percent of Google’s userbase still represents millions of people.)

Without the protection of two-factor authentication, Google needs to dive deeper into users’ email account data in order to secure their accounts.

At one point or another, you’ve probably received an email from Google warning that your account had been accessed from a new location, but hackers have caught on and will attempt to harvest an IP address or location data to spoof a natural-looking login from a place you frequent, Milka explained. Researchers found that 83 percent of the phishing kits aimed to steal not only credentials but location data as well.

Some phishing kits also attempted to harvest phone numbers—another data point that Google sometimes uses to help authenticate a login. Capturing phone numbers can be useful for hackers, even if a user has two-factor authentication enabled. In some targeted cases, hackers have convinced phone companies to transfer a victim’s number to a new SIM, allowing them to intercept two-factor authentication texts.
Google also looks at account activity for signs of malicious behavior. Attackers usually follow a common pattern, Milka said. They’ll often delete emails from Google alerting the user to a suspicious login, search the account for sensitive information such as nude photos or financial information, export the contacts for use in future scams, set up inbox filters to hide future warnings about the hack, and send more phishing messages from the user’s account before logging out. None of those actions are typical for most users, Milka said, and can help Google realize that an account takeover is underway.
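The behavioural pattern Milka describes, together with the "new location" signal from the previous paragraphs, can be turned into a simple session scorer. This is an added illustration, not Google's code: the event names, weights, thresholds and sample sessions are all constructed assumptions, and location is deliberately given little weight because the article notes phishing kits steal location data to make a hijacker's login look familiar.

```python
from dataclasses import dataclass

# Weighted signals drawn from the attacker pattern described in the article.
# Weights are illustrative assumptions, not values Google has published.
HIJACK_SIGNALS = {
    "delete_security_alert": 2,        # removing Google's suspicious-login warning
    "search_sensitive_terms": 1,       # hunting for financial data or private photos
    "export_contacts": 2,              # harvesting the address book for future scams
    "create_filter_hiding_alerts": 3,  # auto-hiding later security warnings
    "send_mass_mail": 2,               # phishing sent from the victim's own account
}
# Location alone is weak evidence: attackers spoof a familiar-looking origin.
NEW_LOCATION_WEIGHT = 1
CHALLENGE_AT = 3   # hypothetical: ask for backup phone/email before continuing
TAKEOVER_AT = 5    # hypothetical: treat the session as a takeover in progress

@dataclass
class Session:
    login_location: str
    events: list  # ordered event names observed during the session

def score_session(session, known_locations):
    """Return (score, reasons). Each distinct signal counts once, so a burst
    of forty phishing emails scores the same as one; the combination of
    atypical actions is what matters, not the volume of any single one."""
    score, reasons = 0, []
    if session.login_location not in known_locations:
        score += NEW_LOCATION_WEIGHT
        reasons.append("login from unfamiliar location")
    for ev in dict.fromkeys(session.events):  # de-duplicate, keep order
        if ev in HIJACK_SIGNALS:
            score += HIJACK_SIGNALS[ev]
            reasons.append(ev)
    return score, reasons

def verdict(session, known_locations):
    score, _ = score_session(session, known_locations)
    if score >= TAKEOVER_AT:
        return "takeover_suspected"
    if score >= CHALLENGE_AT:
        return "login_challenge"
    return "normal"

# Constructed sample sessions (not real telemetry).
KNOWN = {"Seattle, US", "Portland, US"}
OWNER = Session("Seattle, US", ["open_security_alert", "read_mail", "reply", "logout"])
TRAVELLING = Session("Denver, US", ["read_mail", "reply", "logout"])  # new city, normal use
HIJACKER = Session("Unknown (VPN exit)", ["delete_security_alert", "search_sensitive_terms",
                                          "export_contacts", "create_filter_hiding_alerts",
                                          "send_mass_mail", "send_mass_mail", "logout"])

if __name__ == "__main__":
    for name, s in [("owner", OWNER), ("travelling", TRAVELLING), ("hijacker", HIJACKER)]:
        print(name, verdict(s, KNOWN), score_session(s, KNOWN))
```

The travelling owner scores only the location point and stays below the challenge threshold, while the hijacker's session trips every signal regardless of where the login appeared to come from.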

Google will sometimes present login challenges to users who don’t enable two-factor authentication, asking them to provide a backup email or phone number in order to verify that they’re the real owner of the account. The company also uses tools like Safe Browsing to warn users about phishing links and offers an Advanced Protection Program for at-risk users to lock down their accounts.
“The question is, why wouldn’t we make two-factor authentication mandatory?” Milka asked. “The answer is usability. In the end, we want people to use their accounts. How many people would we drive out of using Google accounts if we force them to use additional security?”

Kate Conger is a senior reporter at Gizmodo.
Nice article and excellent moves. Google has data about how its users normally behave, enough that they can single out odd behavior.

I think stuff like attempting to delete a warning email without opening it is a prime example. The vast majority of us will actually open an email like that & read it. Delete without opening? Oh no, looks like you’re logged out & will have to re-enter your login.

These measures should come with “sensitivity” settings, in keeping with their (surprisingly not tone-deaf!) mission to give users choice. 

Coming from the company that took away Reader, Picasa, and gave us 63 messaging apps and tax evasion instead, it’s nice to see an actually context-aware move.