Google Study Finds Widespread Account Hijacking

Victims of account hacks are mad as hell but confused about how to respond.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 5, 2014

4 Min Read

10 Famous Facebook Flops

10 Famous Facebook Flops


10 Famous Facebook Flops (Click image for larger view and slideshow.)

Online account hijackings seldom prove as destructive as the takeover of Wired writer Mat Honan's Apple ID, Google, and Twitter accounts in 2012, but they're surprisingly widespread and emotionally damaging, even when the meaningful harm is minimal.

About 30% of a group of 294 survey respondents reached through Amazon Mechanical Turk ("Turkers") reported having had at least one email or social networking account accessed by an unauthorized party, according to a study conducted by researchers from Carnegie Mellon University and Google.

The researchers also asked 1,501 respondents in an unrelated Google Consumer Survey (GCS) about whether they had ever had an account compromised. Some 15.6% said they had. The researchers said they can't explain the statistical differences but suggest the variation may be the result of differing motivations among the respondents.

"Turkers set out to complete a survey, while GCS participants are trying to get to premium web content," the researchers explained in their study.

[Have your browser settings gone amok? See Google Sounds Chrome Browser Hijack Alarm.]

The researchers said their findings are consistent with a Pew Research study published last year that found 21% of Internet users had experienced an account compromise.

The authors of the study -- Richard Shay, a CMU PhD candidate and former Google intern; Iulia Ion, a Google software engineer; Robert W. Reed, a Google user experience researcher; and Sunny Consolvo, a Google user experience researcher -- say five themes emerged from their effort to understand the impact of account hijackings.

First, they observed that compromised accounts are often valuable to their victims. This may seem obvious but it bears repeating. It's all too easy to dismiss the loss of a social media account as inconsequential if one doesn't participate in social media or if one views social media as a trivial, time-wasting exercise in vanity. As the researchers noted, these accounts tend to be used daily for personal communication, just like email accounts.

Second, the researchers said that while attackers tend to be unknown, that's not always the case. Among the 89 Amazon Mechanical Turk survey respondents who acknowledged an account break-in, 35 expressed at least moderate confidence about who broke into their accounts. Of these, 30 said they believed the attacker was someone they didn't know. Three said the attacker was someone they knew but didn't live with. And two said the attacker was someone they lived with.

Third, the study indicated that respondents largely acknowledge responsibility for their online security, even as they also often look to their service provider to share that responsibility. The researchers characterized this personal assumption of responsibility as a surprise given other research that suggests limited consumer interest in good security practices. They also saw it as a sign Internet users may be receptive to additional security measures like two-factor authentication, if these can be presented in an appealing way.

At the same time, the survey indicated that Internet users don't have a sufficient understanding of security measures to translate personal responsibility into effective action. The researchers said that while respondents demonstrated awareness of the likely sources of attacks -- malware, phishing, and data breaches -- they tended to select "Using a stronger password" and "Avoiding using the same password on different accounts" as defenses against account hijacking while ignoring counter-measures against malware and phishing. As the study points out, strong, unique passwords only mitigate brute-force cracking and password-reuse attacks; they don't offer protection against typing the password into a phishing site or password exposure through a breach.

Finally, the researchers found that while almost half of the survey respondents said no real harm had been done, all but seven survey takers expressed strong negative reactions like anger, fear, or embarrassment when asked how the account hijacking made them feel. As one respondent put it, "My religious aunt asked why I was trying to sell her Viagra."

The researchers concluded that software designers concerned with increasing the usage of security features should consider employing stories about the emotional consequences of account hijacking to reach those who might otherwise be insufficiently motivated to embrace available security options.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights