New research by the technology giant and the University of California found that anyone who has an email account is at risk of a triple-threat attack.
Researchers identified 788,000 “credentials” stolen using tools that track victims’ keyboard strokes.
A further 12 million were nicked during attacks in which crooks try to trick people into typing their account details by sending links to re-set their password or pretend to be a well-known brand like eBay, Amazon or a bank like Barclays.
This technique is called “phishing” and can be difficult to detect, because the emails may appear in your inbox as convincing-looking receipts for purchases you haven’t made.
Many are still fooled by a particularly convincing Amazon “thank you for your purchase” email which asks you to click on a link to cancel the order.
Of course, the order never existed in the first place.
It is thought an astonishing 3.3billion passwords and usernames are out in the wild thanks to a number of data breaches.
But a password is rarely enough to crack your email account.
Sophisticated attackers are also trying to collect sensitive information needed to verify your identity.
Google security sleuths Kurt Thomas and Angelika Moscicki wrote in a blog post: “We found 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model.”
If you want to check whether you’ve been affected, there are services around to help.
Thomas and Moscicki wrote: “Our findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets.
“While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defences in order to stay ahead of these bad actors and keep users safe.”