Approximately 4.93 million Gmail usernames and passwords were published to a Russian Bitcoin forum on Tuesday, as first reported by Russian website CNews. That’s the bad news. The good news is that this leak doesn’t seem as massive upon further inspection.
First off, we got in touch with Google regarding the issue. The company does not believe this is the result of any sort of security breach on its end.
“The security of our users’ information is a top priority for us,” a Google spokesperson told TNW. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”
Next, since the posting, the forum administrators have purged the passwords from the text file in question, leaving only the logins. Furthermore, tvskit, the forum user who published the file, claimed that some 60 percent of the passwords were valid.
A quick analysis of the text file shows it includes mainly English, Spanish, and Russian accounts, but also that it seems to combine older lists accumulated over a longer period of time. There could thus be a link to hacks of sites unrelated to Gmail or any of Google’s services, especially if users are choosing the same usernames and passwords for other accounts, as well as phishing attacks.
As a result, this leak likely affects significantly fewer than 5 million users. Many have likely changed their passwords, and certain entries could be for suspended accounts, duplicates or simply outdated.
If you want to check whether your account is included in the leak, you can head to isleaked.com and input your email address (English translation here). We wouldn’t necessarily recommend doing so, however (email addresses could always be accumulated for later spamming): changing your password regardless of whether you’re on the list or not can’t hurt.
Google has taken steps to help them secure their accounts and given them usual recommendations to protect their devices from malware. The company also recommended enabling 2-step verification.
See also – Three years in, Google has paid researchers over $2 million in security rewards and fixed more than 2,000 bugs and Google begins offering financial rewards for proactive security patches made to select open-source projects