I know what you did last login: inconsistent messages tell existence of a target's account to insiders

Proceedings of the 35th Annual Computer Security Applications Conference (2019)

Abstract
Account security to protect user accounts against sensitive data breaches is a major mission for online service providers. Therefore, they exert tremendous effort in securing account authentication. Although threats from complete outsiders, such as account hijacking for monetization, still occur, recent studies have shed light on threats to privacy from insiders. This paper sheds light on the latter threats. Specifically, we present the first comprehensive study of an attack from insiders that identifies the existence of a target's account by using the target's email address and the insecure login-related messages that a service displays. Such a threat may violate intimates' or acquaintances' privacy because the kinds of service accounts a user has imply his/her personal preferences or situation. We conducted surveys regarding user expectations and behaviors on online services and a measurement study of the login-related messages on online services that are considered sensitive. We found that over 80% of participants answered that there are sensitive services and that almost all services were vulnerable to our attack. Moreover, about half the participants who have sensitive services are insecurely registered on them and thus could be potential victims. Finally, we make recommendations on the basis of our findings for online service providers to improve login-related messages and for users to take appropriate defensive actions.
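As an added illustration (not code from the paper or from any service it measured), the inconsistent-message pattern the abstract describes beside a uniform-response alternative, plus a self-check a provider can run against its own login handler. All email addresses, passwords, salts and messages are constructed sample data.

```python
"""Added example: inconsistent login messages as an account-existence
oracle, and a uniform-response variant. All sample data is constructed."""
import hashlib
import hmac
import secrets

# Constructed sample user store: email -> (salt, sha256(salt + password)).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash(_SALT, "correct horse"))}
# Dummy credential used for unknown emails so the hardened handler always
# performs a hash comparison regardless of whether the email is registered.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))

def login_leaky(email: str, password: str) -> str:
    """Vulnerable pattern: the failure message differs depending on whether
    the email is registered, so a failed login reveals that the account exists."""
    if email not in USERS:
        return "No account exists for this email address."
    salt, digest = USERS[email]
    if hmac.compare_digest(_hash(salt, password), digest):
        return "Login successful."
    return "Incorrect password."

def login_uniform(email: str, password: str) -> str:
    """Hardened pattern: one message for both unknown email and wrong
    password, and the same hashing work done in both cases."""
    salt, digest = USERS.get(email, _DUMMY)
    # Compare first so the hash is always computed, then require a real account.
    ok = hmac.compare_digest(_hash(salt, password), digest) and email in USERS
    return "Login successful." if ok else "Invalid email address or password."

def leaks_existence(login, registered: str, unregistered: str) -> bool:
    """Defender-side self-check: submit a wrong password for a registered and
    an unregistered email and report whether the failure messages differ."""
    return login(registered, "wrong-pw") != login(unregistered, "wrong-pw")
```

The self-check covers message text only; response timing, status codes and password-reset or signup flows should be compared the same way.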
Keywords
insider attack, login-related messages, privacy, usable security