Google has claimed victory against account hijackers, saying the number of legitimate accounts compromised by spammers has dropped by 99.7 percent since 2011. The company's latest security protocols were developed in response to a surge in account hijacking starting in 2010, as cyber criminals began using stolen passwords to distribute spam from legitimate accounts in an attempt to bypass ever-strengthening spam filters, according to a blog post from Google security engineer Mike Hearn.
"Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others," Hearn writes. "We've seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time."
Rather than relying solely upon password verification, Google developed a risk-analysis system that considers more than 120 variables to flag unauthorized login attempts. In the simplest form, sign-ins can be found suspicious if they originate from another country. If a user is legitimately traveling and attempting to log in, Google will ask for additional information, such as a phone number or the answer to a security question, before providing access to the account.
Despite the alleged success of Google's protection system, Hearn stresses that users should still create strong, unique passwords for their accounts, or step up to two-step verification, as the best protection against unauthorized access.