Google warns 1.5% of all passwords used across the web are vulnerable to credential stuffing attacks

• The study revealed that out of 21 million credentials that were scanned using Password Checkup extension, approximately 1.5% (316,000 credentials) were already compromised in data breaches.
• The study also determined that only 26% of the users who were notified about the compromised passwords executed password reset and only 60% of the new passwords are secure against credential stuffing attacks.

A recent study published by Google estimates that 1.5% of all login credentials used across the web have been compromised in data breaches and are vulnerable to credential stuffing attacks.

More details on the study

Google has conducted the study based on the information collected from the users of their Password Checkup extension for Chrome. Password Checkup checks the login credentials entered by users against a database containing over 4 billion records that were leaked in previous data breaches.

Statistics collected during a period of one month between February 5–March 4, 2019, revealed that out of 21 million credentials that were scanned, approximately 1.5% (316,000 credentials) were already compromised in data breaches.

These statistics show that only 26% of the users who were notified about the compromised passwords, executed password reset and only 60% of the new passwords are secure against credential stuffing attacks.

“Nearly 670,000 users from around the world installed our extension over a period of February 5–March 4, 2019. During this measurement window, we detected that 1.5% of over 21 million logins were vulnerable due to relying on a breached credential—or one warning for every two users,” researchers said in the research paper.

Worth noting

The research determined that users have often reused compromised passwords on entertainment (6.3%), shopping (1.2%), news (1.9), email (0.5%), finance (0.3%), and government (0.2%) websites.

“Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites,” researchers said in a blog.