Google Says Not To Worry About 5 Million 'Gmail Passwords' Leaked

This week, a list of nearly five million Gmail addresses paired with passwords appeared online, posted in a Russian Bitcoin security forum. Some people who checked the list and found their Gmail addresses there reported that it contained an old password for them, and often a password that they had reused on multiple sites. There’s speculation that the addresses may hay been stolen from other sites where people used their Gmail address as a log-in. Google GOOGL -0.4% itself saysless than 2% of the leaked address-password pairs were current for Gmail. That sounds small but it means nearly 100,000 people need to change their Gmail passwords ASAP. If you’re one of them, Google should have already notified you.

A site — IsLeaked.com — to check if your address is in the leak immediately popped up. Blogger James Watt points out that the site was created September 8, the day before the list was posted to the Bitcoin forum, and is warning people not to use it, saying it might be a honey pot to collect email addresses. The site will tell you if your email is in the leak, as well as the first two letters of the password associated with it. “We just found .txt file with logins and passwords and made a service,” the anonymous person behind IsLeaked told me in an email. He says he created the site after a massive leak of Russian mail service Yandex addresses that happened on September 7, and that he simply added Gmail to the mix when it coincidentally happened after. “There is no conspiracy theory,” he says by email.
If you’re nervous about handing your email address over to the site, you can also check it on HaveIBeenPwned, a data breach check site run by Australia-based software engineer Troy Hunt, or on a leak tester that runs locally, but neither will tell you the password associated with the account.
Google encourages people to chill out about the leak. “We’re always monitoring for these dumps so we can respond quickly to protect our users,” says Google’s security team in a blog post about the leak. “We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.”
But what if the list of usernames and passwords doesn’t get posted to a public forum where Google can spot it? This is why two-factor authentication is a good idea, so that even if someone gets your password, they need a code sent to your mobile device to get into your account.
Google also says it’s constantly monitoring accounts for unusual activity. “We’ll stop sign-in attempts from unfamiliar locations and devices,” the security team writes. “You can review this activity and confirm whether or not you actually took the action.”
Downside: those users in the leak will almost certainly end up getting more spam, and may be targeted with phishing attacks. It’s also a problem for whichever sites these usernames and passwords got stolen from. Good luck out there, Internetters.

Comments