Research by Google and the University of California has found that there are more than 1.9 billion usernames and passwords available on the black market, many of which can be used to access Google accounts.
According to the study, cybercriminals are gaining access to people's passwords and flogging them on the dark web at a profit.
The researchers used Google's proprietary data to see whether or not stolen passwords could be used to gain access to user accounts, and found that an estimated 25 per cent of the stolen credentials can successfully be used by cyber crooks to gain access to functioning Google accounts.
The researchers wanted to study the "underground ecosystem" that's responsible for data theft. Between March 2016 and March 2017, they identified 788,000 potential victims of keyloggers and 12.4 million potential victims of phishing.
"Using this dataset, we explore to what degree the stolen passwords---which originate from thousands of online services---enable an attacker to obtain a victim's valid email credentials---and thus complete control of their online identity due to transitive trust," the researchers wrote.
"Through a combination of password re-use across thousands of online services and targeted collection. "We estimated seven to 25 percent of stolen passwords in our dataset would enable an attacker to log in to a victim's Google account and thus take over their online identity due to transitive trust."
"For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking."
Despite the threats, companies and government organisations have yet to put significant strain on these crooks.
"We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s," said the researchers.
However, there are a number of things people can do to stay protected, the researchers noted. For instance, users can sign up to password managers to create unique access keys.
"While the death of the password has been long predicted, they're currently a core method of access for most systems and must be created with care," said IBM recently.
"While the "rule of thumb" for passwords in the past has focused on complexity - at least 8 characters combining letters, numbers and characters - new guidance in recent months suggests longer "passphrases" - several unrelated words tied together, at least 20 characters - are actually harder to crack and easier to remember.
"Rather than try to memorize multiple passwords or store them insecurely on your phone notepad, use a password manager - which not only acts as a vault for existing passwords, but can also generate stronger passwords for you."
Could be used for everything from search-and-rescue robots to wearable tech
Don't require the rare material being mined from the mountains of South America
IBM hopes that its new tool will avoid bias in artificial intelligence
Found by calculating the strength of the material deep inside the crust of neutron stars