Massive Gmail credential leak is not result of a breach

By now, you might have heard that there has been a leak of a nearly 5 million username and password combinations associated with Google accounts.

According to an RT report, the data was made available for download to a Russian Bitcoin security forum by a user that said that 60 percent of the combinations are still valid.

Reddit users have been commenting the leak on a thread that has since been deleted, some saying that they have found their credentials among the leaked once, others noting that the passwords in question were old ones, others still claiming that they never used the included passwords for their Google accounts and positing that the leaked credentials were for other online accounts.

In the meantime, Google has been investigating the leak and concluded that their systems haven’t been compromised.

“One of the unfortunate realities of the Internet today is a phenomenon known in security circles as ‘credential dumps’—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials,” the Google Spam & Abuse Team commented in a blog post on Wednesday.

“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.”

They urged users to use a strong, unique password for their Google account, and to consider 2-step verification to increase its security.

Researchers of the CSIS Security Group have analyzed the trove and have estimated that the data it includes dates back as much as three years. “We can’t confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate,” commented CSIS CTO Peter Kruse.

According to their analysis, most of the login credentials belong to US and UK users.

Users are advised to change their Google password, and to change any password associated with an account where they used their Gmail address as username. Whenever possible, users are encouraged to set up two-factor authentication.