How Email Accounts Are Hijacked

The most devastating exploit that can happen to you is to have your email account hijacked.  We have spilled a lot of pixels on this subject (see below).  The reason we find this so dangerous is that this is the attack most likely to happen to you.

Google recently released a study that analyzed how Gmail accounts are hijacked.  If you have an Android smartphone, you have a Gmail account.  And if it is not your primary email account, it probably has a short, weak password you no longer remember.

When an attacker hijacks your Gmail account, they have access to your Google universe: your smartphone, Google Drive, Google Apps, and, if you are a webmaster, Google Analytics.  Here are some startling facts:

  • 1.9 billion stolen user credentials (user names and passwords) were traced to data breaches.  That number is very close to the number of Internet-connected humans in the world, so basically one for each of us.
  • 12.4 million can be traced to the work of phishing exploits.
  • 788,000 were taken using keylogging malware.

Google finds the credentials stolen through phishing or keylogging to be more of a security issue than the much larger data breach trove.  This is because the information is often fresher, and it also contains other interesting identity bits such as telephone number and geo-location information.  This information can be used to spoof your identity more completely in a wire transfer, tax refund, or invoicing fraud.

Since phishing is the most successful attack vector, the best thing you can do for yourself is to learn how to identify phishing emails, so that you do not click on a malicious link or open a malicious attachment (which is how keyloggers get installed).

We have provided links back to some of our other articles and series about account hijacking for your review.  If there is one new cybersecurity skill you learn this year, this would be the best one.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
