Google upped security protections for 67 million accounts after studying hijackers in black markets, the company said in a blog post Thursday. The company’s research labeled phishing as the top threat to Google account security.

Working with researchers at the University of California, Berkeley, the tech giant studied how hijackers steal sensitive data, like account passwords, from March 2016 to March 2017. Past Google research found that around 15% of internet users had experienced an account takeover.

SEE: Security awareness and training policy (Tech Pro Research)

Researchers found that third-party breaches exposed the most data (3.3 billion credentials), followed by phishing scams (12 million credentials), and then by keyloggers (788,000 credentials). Attackers using phishing or keyloggers were more likely to be successful, with 12-25% of attacks grabbing a password.

Due to an increasing number accounts using two-step verification, getting the password wasn’t always enough for attackers. Over three-fourths of attackers using phishing or keyloggers tried to get a user’s IP address or location. Less than 20% tried to get information about the user’s phone, including phone number.

“Our findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets,” the blog said.

Google applied their findings to their existing “defense in-depth” security measures, boosting the security of millions of accounts, according to the blog. The blog didn’t clearly state when those measures were put in place, or what exactly was changed.

Programs like Safe Browsing and the new Advanced Protection option are already in place for Google accounts. Two-step verification kicks in whenever an account is accessed on a new device or uncommon location.

There are additional ways to protect your accounts. The blog post recommended users check, add, and update recovery information for their Google accounts through Google’s Security Checkup. Chrome users can also generate passwords and save them in one spot using the Smart Lock tool.

The 3 big takeaways for TechRepublic readers

  1. Google studied black markets and hijackers for a year, finding that phishing is the top threat against the security of Google accounts.
  2. Some 12-25% of attempts to grab passwords using phishing or keyloggers were successful, and over three-fourths of attackers tried to get a user’s location to beat two-step verifications.
  3. To stay safe, Google recommends using Security Checkup to add recovery information and Smart Lock to generate passwords and securely store them.