Around five million Gmail usernames and passwords were published late Tuesday on a Russian bitcoin forum. But Google has told account holders not to worry.
According to a post on Google’s online security blog, only 2 percent of the usernames and passwords might have actually worked, and Google’s automatic anti-hijacking systems would have blocked many of those login attempts.
It is still not clear how the information was gathered together and how it landed on the forum in question, but Google is pretty certain that it was not an internal leak and that no one in the company is harvesting passwords and usernames. It seems the problem stems from what is commonly referred to as ‘credential dumping.’
One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' — the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials," the Google Spam and Abuse Team wrote.
It adds that it has already protected the affected accounts and has asked users that it knows have been compromised to change their passwords.
In fairness to Google, it has been pumping out the security message for a long time, and upgrades and enhances its security offerings on a regular basis.
However, while these enhancements go a long way to protecting user accounts, security also requires user action as well. Last year, when it announced one of the many updates to its account security, it outlined the measures that users should be taking around their Google accounts at least:
You can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number."
This is important for the simple reason that it seems that it is failure to follow these basic security elements that enabled the cybercriminals to gather the information — or a least that’s what Google believes.The information was obtained through a number of sources:
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials," the spam team added.
To stay safe, remember the basics. Use strong passwords and don’t give out your details to anyone. This really shouldn’t have to be said, but it clearly needs to be repeated given the number of accounts involved.
What About IsLeaked.com?
Finally, at this stage, to find out if your information has been compromised, there is allegedly a way of finding out. But use caution.
There is a two-day old website called IsLeaked.com, which is being promoted widely as an easy way to find out whether your account has been compromised or not.
It is important to note here that it is not a Google tool, nor has Google endorsed it. It works by feeding your Gmail address into the tool, and it tells you whether you account has been hacked or not. The site was registered Wednesday to Egor Buslanov, and tied to a street address and phone number in Paris, France.
Did we mention the site is in Russian?
Given all the unknowns, CMSWire is not endorsing the use of the tool. Just change your password.