A study released by Google estimates that 1.5% of logins across the web use a username and password that have already been exposed in a data breach, leaving those accounts open to credential stuffing attacks. The figure is based on anonymized login data sent to Google by users of its Password Checkup Chrome extension.
To conduct the study, Google built a breach alerting service and the accompanying Password Checkup browser extension for Chrome. When a user logs into a site with the extension installed, an anonymized (hashed and blinded) form of the username and password is sent to Google and checked, without disclosing the plaintext credential, against roughly 4 billion usernames and passwords leaked in data breaches.
If a match is found, a warning like the one below is shown that tells the user the credential has been exposed and prompts them to change the password.
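The check described above, as an added illustration that is not code from the paper, the extension or Google: the client hashes its credential, blinds the result with a random exponent and sends only that blinded value plus a short prefix of the hash; the server raises the blinded value to its own secret exponent and returns it together with its already-blinded hashes for that prefix bucket; the client removes its own blinding and compares locally. The server never sees the credential or even its full hash, and the client never receives usable breach data. The commutative exponentiation over the Mersenne prime 2^127 - 1, the PBKDF2 credential hash and the two-byte prefix are assumptions made for this example (Google's service uses a much larger group and Argon2), and the leaked credentials are constructed sample data.

```python
import hashlib
import secrets
from math import gcd

# Illustrative group: Z_P^* for the Mersenne prime P = 2^127 - 1. This size is an
# assumption chosen to keep the example fast; a real service would use a ~2048-bit
# safe prime or an elliptic-curve group.
P = (1 << 127) - 1
ORDER = P - 1          # exponents are reduced modulo the group order
PREFIX_BYTES = 2       # client reveals only this many bytes of the hash (assumption)

# Constructed sample of leaked username/password pairs (not real breach data).
SAMPLE_LEAKS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "Passw0rd!"),
    ("carol@example.com", "letmein"),
]


def credential_digest(username: str, password: str) -> bytes:
    """Slow hash of the credential pair; PBKDF2 stands in for Argon2 here."""
    data = f"{username.lower()}:{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", data, b"checkup-demo-salt", 20_000, dklen=32)


def to_group(digest: bytes) -> int:
    """Map a digest to a non-zero element of Z_P^*."""
    return int.from_bytes(digest, "big") % ORDER + 1


def random_exponent() -> int:
    """Secret exponent coprime to P-1, so its blinding can be inverted."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k


class BreachServer:
    """Holds breached credentials only as H^b mod P, bucketed by hash prefix."""

    def __init__(self, leaked):
        self.b = random_exponent()
        self.buckets = {}
        for user, pw in leaked:
            d = credential_digest(user, pw)
            blinded = pow(to_group(d), self.b, P)
            self.buckets.setdefault(d[:PREFIX_BYTES], set()).add(blinded)

    def query(self, prefix: bytes, client_blinded: int):
        # Server learns the prefix and H^a, which reveals neither H nor the match.
        double_blinded = pow(client_blinded, self.b, P)
        return double_blinded, sorted(self.buckets.get(prefix, ()))


class CheckupClient:
    """Runs the privacy-preserving lookup for one login attempt."""

    def __init__(self, server: BreachServer):
        self.server = server

    def is_breached(self, username: str, password: str) -> bool:
        d = credential_digest(username, password)
        h = to_group(d)
        a = random_exponent()
        double_blinded, bucket = self.server.query(d[:PREFIX_BYTES], pow(h, a, P))
        # (H^{ab})^{a^{-1}} = H^b because H^{P-1} = 1 in Z_P^*, so exponents
        # are taken modulo P-1 and the client's blinding cancels out.
        h_b = pow(double_blinded, pow(a, -1, ORDER), P)
        return h_b in bucket


def run_demo() -> dict:
    """Check a few logins against the sample breach set; returns login -> breached."""
    client = CheckupClient(BreachServer(SAMPLE_LEAKS))
    attempts = [
        ("alice@example.com", "hunter2"),     # leaked as-is
        ("Alice@Example.com", "hunter2"),     # same credential, different case
        ("alice@example.com", "hunter3"),     # new password, should be clean
        ("dave@example.com", "hunter2"),      # password reused by someone else, different user
    ]
    return {f"{u}:{p}": client.is_breached(u, p) for u, p in attempts}


if __name__ == "__main__":
    for login, hit in run_demo().items():
        print(("WARN " if hit else "ok   ") + login)
```

Hashing the username together with the password is what lets the service flag the exact breached pair rather than any account that merely shares a common password, which keeps the warning specific enough to act on.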
Using anonymized statistics collected over one month, from February 5 to March 4, 2019, Google found that 1.5% of the 21,177,237 monitored logins used a credential found in a data breach. That works out to 316,531 logins across the approximately 670,000 users who installed the Password Checkup extension.
Only 26% of the warnings shown resulted in a password change. Of those changes, though, 60% produced a password stronger than the original.
“Nearly 670,000 users from around the world installed our extension over a period of February 5–March 4, 2019. During this measurement window, we detected that 1.5% of over 21 million logins were vulnerable due to relying on a breached credential—or one warning for every two users. By alerting users to this breach status, 26% of our warnings resulted in users migrating to a new password. Of these new passwords, 94% were at least as strong as the original.”
The site categories with the highest warning rates were adult sites and entertainment sites such as video streaming services: 3.6% of logins to adult sites and 6.3% of logins to entertainment sites triggered a warning.
Because leaked credentials feed credential stuffing attacks, in which attackers replay username and password pairs from one breach against other sites, it is important to use a unique password for every site and to change any password promptly once it is known to be exposed.
The share of compromised logins is probably higher
While Google's estimate is that 1.5% of logins rely on a breached credential, the true figure is very possibly higher.
Most people who shop, bank, or log into other services on the web are probably less security conscious than the users who went out of their way to install Google's Password Checkup extension, and the extension only observes accounts that are actively logged into.
“Our detection rate is lower than the 6.9% reported by Thomas et al. for 751 million Google accounts and 1.9 billion breached credentials. Possible reasons include the user population that adopted our extension is more security conscious—thus avoiding reuse as a behavior—or that dormant accounts have a higher reuse rate, which by nature our extension cannot observe as we perform checks at login time”
Taking the general population of web users into account, rather than only those who take an active approach to security, the percentage of compromised logins could therefore be considerably higher.
The full results of Google's study are in the paper “Protecting accounts from credential stuffing with password breach alerting”, which will be presented this week at the USENIX Security Symposium.