How Email Accounts Are Hijacked

The most devastating exploit that can happen to you is to have your email account hijacked.  We have spilled a lot of pixels on this subject (see below).  The reason we find this so dangerous is that this is the attack most likely to happen to you.

Google recently released a study that analyzed how Gmail accounts are hijacked.  If you have an Android smartphone, you have a Gmail account.  And if it is not your primary email account, it probably has a short, weak password you no longer remember.

When an attacker hijacks your Gmail account, they have access to your Google universe, your smartphone, Google Drive, Google Apps, and, if you are a webmaster, Google Analytics.  Here are some startling facts:

  • 1.9 billion stolen user credentials (user names and passwords) were traced to data breaches.  That number is very close to the number of Internet connected humans in the world.  So basically one for each of us.
  • 12.4 million can be traced to the work of phishing exploits.
  • 788,000 were taken using keylogging malware.

Google finds the credentials stolen through phishing or keylogging to be more of a security issue than the much larger data breach trove.  This is because the information is often fresher, and also contains other interesting identity bits such as telephone number and geo-location information.  This information can be used to spoof your identity more completely in a wire transfer, tax refund, or invoicing fraud.

Since phishing is the most successful attack vector, the best thing you can do for yourself is to learn how to identify phishing emails to keep yourself from clicking on a malicious link or opening a malicious attachment (which is where keyloggers come from).

We have provided links back to some of our other articles and series about account hijacking for your review.  If there is one new cybersecurity skill you learn this year, this would be the best one.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
