A List of 5 Million ‘Gmail Passwords’ Leaked, But There’s No Need to Panic
It might be time to change some of your passwords — again. But if you’ve used a Gmail password that’s unique from other accounts, you might not have to worry.
A list of almost 5 million combinations of Gmail addresses and passwords was posted online on Tuesday. But the passwords seem to be old, and they don’t appear to actually belong to Gmail accounts. Instead, it seems that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak’s victims as well as security experts.
For example, someone might have signed up for a website with the username “[email protected]” and the password “mypassword.” The list exposed this week makes it look like “mypassword” is the password for the Gmail account itself, but the user’s actual Gmail password might be totally different.
We can’t confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn’t used in years, is part of the leak.
A screenshot showing that Engel’s old password is part of the leaked database.
A Google spokesman told Mashable that the company has “no evidence that our systems have been compromised,” and security experts seem to agree that the passwords are either old Gmail passwords obtained through phishing, or are passwords that were actually used on other sites.
That gmail dump looks very old folks. Can confirm a dummy account w/ password that was already changed twice. Dump has original pw.
— Ben Ten (0xA) (@Ben0xA) September 10, 2014
@troyhunt I don’t think this dump originates from gmail/Google. It’s most likely compiled from multiple sources
— Janne Ahlberg (@JanneFI) September 10, 2014
Matteo Flora, a computer security expert, reviewed the dumped file and found that around 60 email addresses were in his address book. After he alerted those people, 30 of them told him that the password either was never used for their Gmail accounts or was very old, Flora told Mashable.
Chester Wisniewski, a senior security adviser for security firm Sophos, told Mashable that he expects many of these accounts not to be valid. “There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals,” he said.
Several Reddit users also confirmed that they found their email addresses in the leak, but that the associated password has never been their Gmail password.
“The password that I generally use for other services is shown in this list and not my gmail password,” wrote a Redditor nicknamed InternetOfficer. “This proves that the hackers hacked into some other service where gmail address (or other email addresses) are used and got the password of that service not gmail password.”
“The password it shows (or at least the first two characters) is NOT from a password I’ve ever used on Gmail,” wrote another Redditor, “but it does match a password I’ve used on bullsh*t I absolutely don’t care about.”
Some hints in the dump seem to point to several different sites that could have been compromised.
Both Flora and some Reddit users have noticed that some email addresses are followed by a “+” sign and the name of a website. (If you add “+” and a word to your Gmail address, like “[email protected],” emails to that address can automatically be archived in a folder with the word you choose.) This might indicate which websites have been compromised. Some of the sites that have been identified this way include friendster, filedropper, xtube and freebiejeebies.
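The plus-tag trick described above can be turned into a quick triage script. The following is an added example, not code from the article or from any of the people quoted in it: it reads lines in the common "address:password" dump layout, extracts the "+tag" from the local part of each Gmail address, tallies tags as hints about which site a credential was registered with, and redacts passwords to their first two characters so the report can be shared without exposing secrets. The sample lines, addresses and passwords are constructed for this example.

```python
"""Attribute leaked credential lines to a likely source site via Gmail plus-addressing.

Added illustration (not part of the Mashable article): parse "email:password"
lines, pull the "+tag" out of the local part, tally tags per site and redact
passwords for reporting. Tags are user-chosen hints, not proof of a breach.
"""
import re
from collections import Counter

# Constructed sample in the "address:password" layout; every value is invented.
SAMPLE_DUMP = """\
alice+friendster@gmail.com:hunter2
bob@gmail.com:correct horse
carol+filedropper@gmail.com:pa55word
dave+friendster@gmail.com:qwerty123
erin+freebiejeebies@gmail.com:letmein
frank@gmail.com:abc
bad line without colon
"""

# local part, '@', domain, ':', then the rest of the line is the password
LINE_RE = re.compile(r"^([^:\s]+)@([^:\s]+):(.*)$")


def parse_line(line):
    """Return (local, domain, password), or None if the line is not address:password."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def plus_tag(local):
    """Return the lowercased '+tag' of a local part, or None when there is no tag."""
    if "+" not in local:
        return None
    return local.split("+", 1)[1].lower() or None


def redact(password):
    """Keep only the first two characters so a report does not expose the password."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def tally_sources(text):
    """Count plus-tags across the dump; also report untagged and unparseable lines."""
    counts = Counter()
    untagged = 0
    skipped = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            skipped += 1
            continue
        local, _domain, _pw = parsed
        tag = plus_tag(local)
        if tag is None:
            untagged += 1
        else:
            counts[tag] += 1
    return counts, untagged, skipped


def redacted_report(text):
    """Rows of (address, tag or None, redacted password) for parseable lines only."""
    rows = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        local, domain, pw = parsed
        rows.append((f"{local}@{domain}", plus_tag(local), redact(pw)))
    return rows


if __name__ == "__main__":
    counts, untagged, skipped = tally_sources(SAMPLE_DUMP)
    for tag, n in counts.most_common():
        print(f"{tag:16s} {n}")
    print(f"untagged={untagged} skipped={skipped}")
    for row in redacted_report(SAMPLE_DUMP):
        print(row)
```

Run against a real dump, the tag counts only say which sites the affected users chose to label their sign-ups with; as the article notes, that "might indicate" the compromised sites but does not prove it, and accounts without a tag tell you nothing about where the credential came from.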
Even if this dump is simply a collection of old passwords belonging to minor sites, the issue is always the same: password reuse. If you tend to reuse your passwords, check this website to see if your Gmail address is on the list.
If it is, change your passwords, and choose long ones that combine special characters and numbers. Password managers can help you keep track of your accounts.
“And stop being silly and use the same password for everything,” Flora said.
Also, as usual, enable two-factor authentication on services that provide it, including Gmail. That way those accounts are more secure, even in the event that someone steals your password.
Oh, and don’t freak out.
“Ignore the man behind the curtain, keep your PC up to date, use a strong password and a second factor whenever possible,” Wisniewski said. “Keep calm and move along.”