How Email Accounts Are Hijacked

The most devastating exploit that can happen to you is to have your email account hijacked.  We have spilled a lot of pixels on this subject (see below).  The reason we find this so dangerous is that this is the attack most likely to happen to you.

Google recently released a study that analyzed how Gmail accounts are hijacked.  If you have an Android smartphone, you have a Gmail account.  And if it is not your primary email account, it probably has a short, weak password you no longer remember.

When an attacker hijacks your Gmail account, they have access to your Google universe: your smartphone, Google Drive, Google Apps, and, if you are a webmaster, Google Analytics.  Here are some startling facts:

  • 1.9 billion stolen user credentials (user names and passwords) were traced to data breaches.  That number is very close to the number of Internet connected humans in the world.  So basically one for each of us.
  • 12.4 million can be traced to the work of phishing exploits.
  • 788,000 were taken using keylogging malware.

Google finds the credentials stolen through phishing or keylogging to be more of a security issue than the much larger data breach trove.  This is because the information is often fresher, and also contains other interesting identity bits such as telephone number and geo-location information.  This information can be used to spoof your identity more completely in a wire transfer, tax refund, or invoicing fraud.

Since phishing is the most successful attack vector, the best thing you can do for yourself is to learn how to identify phishing emails, to keep yourself from clicking on a malicious link or opening a malicious attachment (which is where keyloggers come from).
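The cues above (a sender whose display name does not match the address it actually came from, a link whose visible text names one site while the href points somewhere else, and links that go straight to a bare IP address) can be checked mechanically.  The script below is an added example and not code from the original post or from Google's study; it parses a constructed sample message, and the addresses, domains and IP in it are made up for illustration.

```python
"""Heuristic phishing-email checker (added example, constructed sample data).

Flags three common phishing cues in a raw RFC 822 message:
  * SENDER_MISMATCH     - brand word in the display name is not a label of
                          the sending domain (e.g. "Google" from a non-google domain)
  * IP_LINK             - a link whose host is a bare IP address
  * LINK_TEXT_MISMATCH  - link text looks like a URL for one host, href goes to another
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: what a credential-phishing mail typically looks like.
SAMPLE_EMAIL = """\
From: "Google Security" <alerts@mail-google-secure.example>
To: victim@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a new sign-in. Review it at
<a href="http://203.0.113.7/accounts/login">https://accounts.google.com</a>
or <a href="https://myaccount.google.com/security">your account page</a>.</p>
</body></html>
"""

# Constructed sample of a message that trips none of the heuristics.
CLEAN_EMAIL = """\
From: "Google" <no-reply@google.com>
To: victim@example.org
Subject: Security checkup
Content-Type: text/html; charset="utf-8"

<html><body><p>Visit <a href="https://myaccount.google.com">https://myaccount.google.com</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_email(raw):
    """Return a list of (code, detail) findings; an empty list means no cue fired."""
    msg = message_from_string(raw)
    findings = []

    # Sender check: the first word of the display name is treated as the brand
    # and must appear as a whole label of the sending domain.
    display, addr = parseaddr(msg.get("From", ""))
    labels = addr.rpartition("@")[2].lower().split(".")
    brand = display.split()[0].lower() if display else ""
    if brand and brand not in labels:
        findings.append(("SENDER_MISMATCH", f"display name '{display}' but address {addr}"))

    # Link checks over every HTML part of the message.
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            collector.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))

    for href, text in collector.links:
        if not href:
            continue
        host = _host(href)
        if _is_ip(host):
            findings.append(("IP_LINK", href))
        if text.lower().startswith(("http://", "https://")) and _host(text) != host:
            findings.append(("LINK_TEXT_MISMATCH", f"shows {_host(text)} but goes to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

These are heuristics, not proof: a legitimate newsletter can send from a third-party domain, and a phishing mail can pass all three checks.  They are useful as a training aid because each finding names the exact thing a reader should look at before clicking.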

We have provided links back to some of our other articles and series about account hijacking for your review.  If there is one new cybersecurity skill you learn this year, this would be the best one.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
