How Much Is Your Gmail Worth To A Hacker?
My life on the internet is worth surprisingly little cash.
Earlier this year, cyber attacks were listed as America’s top security threat. The internet is a dangerous place! While it’s one thing to talk about hacking weapons secrets or banks, let’s get personal: What about our email accounts?
When it comes to Gmail access, where people (read: me) store waaaay too much sensitive info, what’s the price tag for an average cyber thief? How much can they fetch for the information that shuffles through my boring old inbox every day?
According to Cloudsweeper, a project from the University of Illinois at Chicago’s BITS Networked Systems Laboratory, not that much, considering how inconvenient it would be for me if someone hacked into my Netflix, my WordPress, my Twitter and Facebook accounts. Cloudsweeper offers an “account theft audit” that runs a diagnostic on your email account and spits out an estimate of how much money the account access it holds would fetch a cyber criminal.
This is how it works: Once you grant the Cloudsweeper app access to whatever Gmail account you’re signed into (it doesn’t ask you for your password, and doesn’t keep your credentials), it scans your email to check if a hacker would be able to access accounts for sites like Facebook, Twitter, Netflix and more, then estimates a price for those passwords based on the recent black market prices offered for compromised accounts.
In the results of a scan of my own email, Cloudsweeper notes that a few accounts allow for a password reset based on just an email – like Groupon (you’re welcome to my expired coupons for shuttered businesses, hackers), Apple (Cloudsweeper suggests access to my account is worth $8) and Tumblr (worth a whopping 30 cents). With a bit of extra info, a hacker could also access my Facebook account ($5 value) or my Twitter (30 cents). Take note, would-be hackers: I’m worth disappointingly little money – a grand total of $13.60.
But somehow that doesn’t make my information feel that much safer: A scan of the potential plain text passwords in my account pulled up…well, a lot. The service also allows you to either encrypt the messages with passwords in them, or redact the passwords permanently, without affecting the rest of the message.
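As an added illustration of the kind of audit described above (this is not Cloudsweeper's code, whose internals the article does not show), the Python example below links accounts to an inbox by sender domain, sums the prices quoted above, and flags and redacts plain text passwords. The mailbox, the sender-domain matching and the password regex are assumptions constructed for the example.

```python
import re

# Per-account prices quoted in the article (USD). Groupon has no quoted price.
PRICES = {"apple.com": 8.00, "tumblr.com": 0.30,
          "facebook.com": 5.00, "twitter.com": 0.30}

# Assumed heuristic: a password label, a separator, then one token.
PASSWORD_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd)(\s*(?:is\b|:|=)\s*)(\S+)")

def sender_domain(sender):
    """Reduce 'noreply@id.apple.com' to its last two labels, 'apple.com'."""
    host = sender.rsplit("@", 1)[-1].lower().strip("> ")
    return ".".join(host.split(".")[-2:])

def audit(messages):
    """Return (linked domains, estimated value, ids of messages with passwords)."""
    linked, exposed = set(), []
    for msg in messages:
        domain = sender_domain(msg["from"])
        if domain in PRICES:
            linked.add(domain)
        if PASSWORD_RE.search(msg["body"]):
            exposed.append(msg["id"])
    return linked, round(sum(PRICES[d] for d in linked), 2), exposed

def redact(body):
    """Replace only the password token; the rest of the message is untouched."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", body)

# Constructed sample mailbox (not real messages).
MAILBOX = [
    {"id": 1, "from": "noreply@id.apple.com", "body": "Your Apple ID is ready."},
    {"id": 2, "from": "no-reply@tumblr.com", "body": "Your password is tumblr-sample-1"},
    {"id": 3, "from": "notify@facebook.com", "body": "You have a new friend request."},
    {"id": 4, "from": "info@twitter.com", "body": "Confirm your email address."},
    {"id": 5, "from": "deals@groupon.com", "body": "Your coupon has expired."},
    {"id": 6, "from": "me@example.com",
     "body": "netflix login\npassword: sample-Pass-2\nexpires never"},
]

if __name__ == "__main__":
    linked, value, exposed = audit(MAILBOX)
    print(f"linked accounts: {sorted(linked)}  estimated value: ${value:.2f}")
    for msg in MAILBOX:
        if msg["id"] in exposed:
            print(f"message {msg['id']}:", redact(msg["body"]))
```

The regex is deliberately simple and will also flag phrases such as "password: https://..." in reset emails, so anything it flags should be reviewed before a permanent redaction.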
UIC assistant professor Chris Kanich and his team created Cloudsweeper as part of a study of security and cloud-based data storage. Users who opt in can allow the service to gather anonymous data on things like how many types of accounts people tie to their Gmail, and whether people choose to redact or encrypt plain text passwords the audit discovers.