Your Email is the Key to Your Online Identity
When teaching password creation strategies, we often emphasize the importance of email accounts. Email is the key to your online identity because it’s used when creating other online accounts. Therefore, it’s extremely problematic if an unauthorized person accesses your email.
Users should protect their email account with a unique, strong password and enable an additional login step if possible.
A joint study by Google, the University of California, Berkeley, and the International Computer Science Institute shed some light on the risk of stolen credentials. The study took place over the course of a year (March 2016 to March 2017) and the results were published in the paper "Data Breaches, Phishing or Malware? Understanding the Risks of Stolen Credentials."
The study looked at three sources of account takeovers: data breaches, phishing kits, and keylogger malware. Data breaches that leaked credentials and phishing attacks mostly affected victims in the U.S. and Europe, whereas keylogger malware mostly affected victims in other parts of the world such as the Philippines, Turkey, Iran, and Malaysia.
Google researchers wanted to understand credential compromise in order to build better defenses for Google accounts. What’s interesting is that phishing attacks don’t just steal usernames and passwords: they also steal details about the browser or device used (such as iPhone vs. Android) and the victim's geolocation. As online services fight back against account compromise, they build per-user profiles of devices and login locations to support the detection of suspicious logins. If phishers gather this data as well, they have greater success accessing a victim’s email account because they can better impersonate the user.
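The following is an added illustration of the suspicious-login detection the paragraph describes, written for this page rather than taken from the study or any provider's real system; the risk weights, the fields in a login record and the sample history are all assumptions. It shows why a phisher who captured the victim's device and location details can slip past a profile-based check that a phisher with only the password would trip.

```python
"""Score a login attempt against a user's history of devices, countries and
active hours. Constructed example: weights, fields and sample data are assumed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    device: str   # e.g. "iPhone/Safari"; constructed sample value
    country: str  # country code derived from the client IP
    hour: int     # local hour of day, 0-23


class LoginProfile:
    """Per-user profile built from past successful logins."""

    def __init__(self, history):
        self.devices = Counter(l.device for l in history)
        self.countries = Counter(l.country for l in history)
        self.hours = Counter(l.hour for l in history)
        self.total = len(history)

    def score(self, attempt):
        """Risk score 0-100; higher means less like this user's past logins."""
        if self.total == 0:          # no history yet: treat as fully unknown
            return 100
        risk = 0
        if attempt.device not in self.devices:
            risk += 50               # never seen this browser/device before
        if attempt.country not in self.countries:
            risk += 40               # never seen a login from this country
        # any past login within +/-2 hours (wrapping midnight) counts as familiar
        familiar_hour = any(
            min((attempt.hour - h) % 24, (h - attempt.hour) % 24) <= 2
            for h in self.hours
        )
        if not familiar_hour:
            risk += 10
        return min(risk, 100)


def needs_step_up(profile, attempt, threshold=50):
    """True when the attempt should be challenged with an additional login step."""
    return profile.score(attempt) >= threshold


# Constructed login history for one user: iPhone and Windows PC, always from the US.
HISTORY = [Login("iPhone/Safari", "US", 8),
           Login("iPhone/Safari", "US", 19),
           Login("Windows/Chrome", "US", 12)]
```

A phisher holding only the password and logging in from an unknown device abroad scores high and is challenged; one who also harvested the device string and proxies through the victim's country scores zero and is not, which is the gap the paragraph points at.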
What do attackers do with the email account? According to the study, three things: search for financial information to commit fraud, access other accounts (such as through resetting passwords), and spread spam.
We were encouraged to see that the researchers concluded that the best ways to protect online accounts include enabling two-factor authentication (an additional login step) and using a password manager to autofill passwords only into recognized websites. These two steps lessen the risk posed by credentials stolen through phishing and third-party data breaches. As for keylogger malware, use best practices for computer security such as running anti-malware software and using good judgement when clicking links and downloading software from the internet.