In a year when COVID-careful Americans worked, learned, socialized and shopped online more than ever, personal cybersecurity took on even greater urgency.
A BeenVerified study of more than 171,000 email users nationwide found that nearly 6 in 10 had their email addresses compromised in a data breach.
In a separate survey, BeenVerified found more than 60% of consumers who had email addresses and login credentials exposed in at least one data breach were unaware of the data leak—and that their email account information and passwords may now be available on the Dark Web, where online scammers trade information and tools to find new prey.
BeenVerified also found Microsoft-related email addresses (MSN, Live.com and Hotmail) were most likely to have been impacted by previous hacks. Our study comes on the heels of Microsoft’s March 2 announcement that vulnerabilities in its Exchange Server mail software going back 10 years have been exploited by Chinese hackers.
Most users are hit by multiple data breaches. BeenVerified found 56% of 171,000 users had email addresses exposed in at least one data breach. On average, a user’s email address had been compromised in 5.2 breaches.
Other key findings
- Victim awareness of data breaches is low. In a separate survey of more than 3,000 users, 63% who thought their accounts weren’t susceptible to previous data breaches were wrong—suggesting the number of users who took additional password protection measures was also low.
- Washington, D.C., email users had the highest average number of compromised addresses. Maryland, New Jersey, Connecticut and Delaware users ranked next highest. Wyoming, Alaska, New Mexico and Arkansas had the fewest incidents on average.
- MSN, Live.com, AOL and Hotmail accounts have the highest breach rates. In short, users of Microsoft-related email clients were most impacted. The software behemoth runs MSN (85% breached), Live.com (81%), Hotmail (78%) and Outlook (32%). Across the board, Microsoft email clients had an average breach rate of 69%. Gmail, Outlook and iCloud experienced the fewest breaches.
Lack of awareness is a concern—people often reuse the same password. A 2018 study of 26 million users by Panda Security found that 52% reuse passwords for different secure accounts.
“The first and best line of defense after your email account information has been breached is to change your account-related passwords,” said Richard Gargan, spokesman for BeenVerified. “If you aren’t aware you’ve been hit by a data breach, you probably haven’t taken appropriate next steps to secure your accounts.
“Increasingly, we are seeing leaked passwords being used in ransomware schemes where criminals target users and fraudulently claim to have compromised their computer to release embarrassing personal details,” Gargan added. “They bait potential victims by revealing previously used passwords as evidence they’ve hijacked their computer.”
Data breaches: How states compare
Email addresses and passwords often appear in multiple breaches. As of 2021, states where users had the highest number of incidents include Maryland (logins revealed in an average of 5.54 data breaches), New Jersey (5.53), Connecticut (5.5), Delaware (5.49) and New York (5.44). The area with the highest incidence is the nation’s capital, where, on average, email addresses were compromised in 6.41 data breaches.
Wyoming (4.33), Alaska (4.34), New Mexico (4.45), Arkansas (4.62) and North Dakota (4.63) ranked the lowest.
Data breaches by email providers
More than 127,000 of the users we studied had Gmail accounts, and 51% of those emails were found to have been compromised at least once—the third-lowest percentage in our study. On average, Gmail accounts were involved in 4.5 incidents, fewer than the overall average.
Meanwhile, Live.com and MSN email accounts had the highest percentages of compromised accounts: 81% and 85%, respectively. AOL and MSN email addresses, which made up 7,146 users in our study, each averaged more than 7.5 breaches.
What’s a Dark Web Scan?
A Dark Web Scan scours the internet to try and find out if any of your email addresses may have been compromised and made available on the dark web, an online zone that is difficult to search. If your personal information is compromised in a hack and distributed on the dark web, it could end up in the hands of the criminals who operate there—increasing your risk of fraud, identity theft and other cybercrimes.
For example, dark web criminals may take your password information and attempt to access your online bank accounts, make fraudulent purchases on e-commerce sites or open new accounts in your name.
Protect yourself from email data breaches
These days, major data breaches happen regularly, whether it’s the 540 million Facebook accounts compromised in 2019 or the 3 billion Yahoo accounts exposed in 2013 and 2014.
Here are some key steps to try and better protect yourself from data theft:
• Regularly change passwords. Make sure those passwords are strong, with a mix of numbers, symbols and uppercase and lowercase letters.
• Consider using a password manager. To help keep track of tricky combinations, use a password manager. (And yes, those managers are, for the most part, secure.)
• Set up multifactor authentication whenever possible. This extra step further restrains the ability of criminals to access your account, even if they know your password.
• Be wary of phishing attempts. Never open emails or attachments from accounts you don’t recognize.
• Use antivirus software. Besides keeping software, such as browsers and operating systems, up to date, consider using antivirus software to regularly scan for malware.
Methodology: We analyzed 171,598 users of the BeenVerified Dark Web Scan tool from Jan. 13-Feb. 15, 2021. Users were from all 50 states and the District of Columbia. A separate online survey conducted from Feb. 4, 2021 through Feb. 10, 2021 asked 3,114 Dark Web Scan users, “Did you know these accounts were breached prior to seeing them here?” BeenVerified’s Dark Web Scan allows users to search whether their email address may have been compromised in more than 500 breached websites and 10.6 billion breached accounts.
About BeenVerified: BeenVerified’s mission is to help people discover, understand and use public data in their everyday lives, including a Dark Web Scan tool. BeenVerified and its associated websites curate dozens of public data sources and proprietary data sets to give people easy and affordable access to billions of public records.