Google is digging into the dark corners of the web to better secure people’s accounts.
Looking at cybercriminal black markets and public forums, the company found millions of usernames and passwords stolen directly through hacking. It also uncovered billions usernames and passwords indirectly exposed in third-party data breaches.
For one year, Google researchers investigated the different ways hackers steal personal information and take over Google () accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday.
Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources.
Google said it is the first study taking a long term and comprehensive look at how criminals steal your data, and what tools are most popular.
“One of the interesting things [we found] was the sheer scale of information on individuals that’s out there and accessible to hijackers,” Kurt Thomas, security researcher at Google told CNN Tech.
Even if someone has no malicious hacking experience, he or she could find all the tools they need on criminal hacker forums.
Data breaches, such as the recent Equifax hack, are the most common ways hackers can get your data. In one year, researchers found 1.9 billion usernames and passwords exposed by breaches. The company continued to study this through September 2017 and found a total of 3.3 billion credentials.
But digital criminals can be much more proactive in stealing your information. Two popular methods are phishing, which is posing as a trustworthy person or entity to trick you into giving up your information; and keylogging, or recording what you type on your computer.
Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week.
Because passwords are not often enough to access online accounts, cyber criminals are trying to collect other data, too. Researchers found that some phishers try and siphon location, phone numbers, or other sensitive data while stealing login credentials. Mark Risher, director of product management at Google, said this was one of the study’s key findings.
Google can automatically recognize when you’re logging in from somewhere unusual — if the company sees you attempting to login from Russia when you usually login from California, Google will ask to verify it’s you. As a result, Google has tightened the location radius around what it considers to be usual login areas.
Google has also implemented additional layers of email security on its official Gmail app. The company said that applying the research insights to its security protections prevented 67 million Google accounts from being abused.
Last month, the company launched a handful of tools for people to further protect themselves, including a personalized account security checkup, new phishing warnings, and the Advanced Protection Program for Google’s most at-risk users.
Although experts have suggested using multi-factor authentication (a layer of security in addition to your password) for a long time, public adoption lags behind. According to recent data from Duo Security, most Americans don’t implement the extra layer of protection.
But that might be changing. Risher said Google is seeing more people adopt less convenient options in order to keep themselves safe. For example, Google said Amazon sold out of the Advanced Protection Program kits soon after they launched. The kit contains two physical security keys a person would be required to have in order to access to their account.
Google said it is sharing its latest findings so other companies can also implement better protections to guard against account hijacking.
“We talk a lot about how airlines don’t compete over which one crashes more frequently,” Risher said. “Likewise, we don’t think security is something to keep to ourselves.”