By Lorenzo Franceschi-Bicchierai2014-09-12 12:00:01 UTC

In the wake of the latest leak involving 5 million Gmail addresses and (some) passwords, the advice was the same one we give in every situation like this: Change your password — especially if you re-use it on multiple services and websites.

But if you’re checking to see if your email address and password is on the leaked list, beware of how you do it. You could get roped into another attack.

In the frenzy to figure out whether this leak was very bad news — it wasn’t as most passwords were old and not even Gmail ones — many people happily typed their email addresses into these sites. But, was that a good idea? Should we all trust a website (any website) with our email address just for the sake of checking if we have been hacked?

In this case, a website called IsLeaked was the most popular site that offered this service, and the one that pretty much every news story (including Mashable‘s) was pointing to.

Hours after it surfaced, James Watt, an IT professional, questioned the site’s legitimacy by pointing out it had been created two days before the Gmail addresses leak. His main criticism missed the point. The site had been created after a similar leak earlier this week involving email addresses and passwords pertaining to Russian providers Yandex and Mail.Ru, according to IsLeaked’s owner, who declined to give his or her name to Mashable.

But Watt stood by the main point he was trying to make.

“I strongly discourage giving your information to any third party that claims to check your security for you,” he told Mashable.

The problem, he argued, is that you don’t know who you’re giving it to, and for all you know you might be sending your email to the same hackers who put out the list or someone else who is harvesting emails to sell them to spammers or get new, fresh email addresses to try to hack. Others on Reddit seemed to share his concern, and someone even created an open source “private” tool that checks the database of leaked emails without sending the address over to the site.

Gmail Tester

There is no indication IsLeaked was a nefarious site, and at first look, it seems to be legit. But Watt, according to security experts, does have a point.

“It’s sensible to be a little bit wary about who you share your email address with,” Graham Cluley, a noted security expert and blogger, told Mashable.

Imagine that this, or another site, is indeed run by bad guys. By harvesting their email addresses, the bad guys can amass a huge database of “folks that they know are concerned about whether their accounts might have been hacked,” Cluley said.

The risk in such a scenario is that the bad guys could send out spam or phishing attempts to those addresses, scaring users into believing their accounts had been hacked, Cluley explained, and tricking them into doing something unsafe — perhaps even something that tricks them into giving away their password.

What should concerned users do then?

In this case, Gmail actually said it forced the people whose password was indeed on the list (“less than 2%” of the 5 million), to reset their passwords. So there’s actually no need to check if your email is on that list anymore. If you haven’t heard from Google, you should be fine.

In the future, the best advice is to think twice before giving out your email address, and be on the lookout for any spam or phishing attempt.

And if you’re concerned, just change the password and turn on two-factor authentication, said Chester Wisniewski, a senior security adviser for Sophos.

If you really want to use a site to check if you are among the victims, Cluley points to, a site run by Troy Hunt, a security expert and software engineer. The site let’s users check if they’ve been victims not only of this leak, but also of several past ones like the infamous Adobe leak, which exposed more than 150 million accounts.

This story has been amended. A previous version mistakenly indicated that Troy Hunt worked for Microsoft.

Have something to add to this story? Share it in the comments.