Cyber-thieves grab almost 250,000 valid log-in names and passwords for Google accounts every week, suggests research.
The study by Google and UC Berkeley looked at the ways email and other accounts get hijacked.
It used 12 months of log-in and account data that had been found on websites and criminal forums or harvested by hacking tools.
Google said the research helped secure accounts by showing how people fell victim to scammers and hackers.
During the 12 months spent studying the underground markets, the researchers identified more than 788,000 credentials stolen via keyloggers, 12 million grabbed via phishing and 1.9 billion from breaches at other companies.
Phishing involves attempts to trick people into handing over personal information and keyloggers are programs that record every key someone presses when using a computer.
The most useful information for cyber-thieves came from keyloggers and phishing attacks as these included valid passwords in 12%-25% of attacks, it found.
Phishing attacks posed the biggest risk to users as these helped malicious hackers scoop up about 234,000 valid names and passwords every week. By contrast, keyloggers only yielded about 15,000 valid credentials each week.
Cyber-attackers also sought to grab other information that could be useful in attacks, said the researchers.
Data about a person’s internet address (IP) as well as the device they were using and their physical location were all potentially useful for attackers seeking to defeat security checks.
Popular passwords found in data breaches include 123456, password, abc123, qwerty and 111111, among others.
Gathering this data was much harder, found the research, with only 3.8% of people who had credentials leaked also giving away IP addresses and fewer than 0.001% surrendering detailed device information.
In a blog, Google said it would use the results of the research to refine the ways it spotted and blocked attempts to take over accounts. In particular it would enhance efforts to use historical data about where users logged in and the devices they used to thwart impersonation attacks. The company has a range of resources for people affected or looking to protect themselves.
However, the researchers acknowledged that the “multi-pronged problem” of account hijacking required efforts in lots of different areas.
They noted that only 3.1% of people who had an account hijacked subsequently started using improved security measures, such as two-factor authentication, after they regained control of a lost account.
Because of this, they said, educating users about better ways to protect accounts should become a “major initiative”.