[theptip]

An extremely underrated (and insightful) point to consider.

More generally, how do you actually get a measure of risk between two providers, when the absolute frequencies of measurable events are very low?

It seems plausible to me that FastMail could have 10x or 100x the level of security incidents as GMail, and it would still net out to an undetectable difference in the number of public complaints.

If we had internal data… but of course we don’t.

[jeffbee]

When I worked in the anti-abuse business, account security was tracked by lurking in organized crime fora and determining the market price for stolen accounts. I don't know what it looks like for FastMail, but I do recall that the range between good and bad platforms was huge. A stolen Google account was like $10, but stolen Yahoo! Mail accounts were more like a nickel per thousand.

[drivebycomment]

You can search for "bulk account purchase" and there are various "sellers" where you can compare the price quickly.