That List Of 5 Million Leaked Gmail User Names & Passwords Is Not As Scary As It Seems
Most user name/password combinations on the list were apparently outdated or accessed non-Gmail sites. Google says safeguards against "credential dumps" are strong.
Not to worry. Too much.
Yes, nearly 5 million Gmail user names and passwords were posted on a Russian Bitcoin forum Tuesday, but it appears that many, if not most, were either outdated or user name/password combinations used to access other websites. The more security experts looked, the less alarmed they became about the breach.
Google, which since the news broke has been reassuring people that it has “no evidence that our systems have been compromised,” today published a blog post saying it had identified several “credential dumps” this week — “lists claiming to contain Google and other Internet providers’ credentials.”
From the blog post:
We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.
The upshot? Although you are likely in the clear, this is as good a time as any for some password maintenance: make sure your essential passwords are unique and strong. Google’s blog post put it this way:
A few final tips: Make sure you’re using a strong password unique to Google. Update your recovery options so we can reach you by phone or email if you get locked out of your account. And consider 2-step verification, which adds an extra layer of security to your account. You can visit g.co/accountcheckup where you’ll see a list of many of the security controls at your disposal.
And if you are curious about whether your Gmail address is on the list, you can download the whole thing — minus the passwords, which have been stripped from the document — here.