Leak of '5 MEELLLION Gmail passwords' creates security flap Plain-text passwords and account names linked to five million Gmail accounts have been leaked onto several Russian forums. Security experts had already confirmed the data seemed legit, albeit approximately three years old, before Google put up its blog post on the subject. The leak, to a variety of forums, not all of which …
They have my GMail address, but not a password that I ever used with the service. They have a low-entropy easy-to-type password that I regularly use for one-off sign-ups on sites that I couldn't care less about. Unfortunately that doesn't help narrow down the source of the leak, other than to exclude Google themselves.
since the password file is out there couldn't Google download it, check the passwords' validity, and email / SMS anyone whose actual password has been leaked?
Am I wrong in thinking there should be no risk with that, other than the Google staffer searching for the relevant torrent being exposed to some "23 hot women near you want to date you tonight"-style links? (*blush* )
Silly as it may seem, and I am not known to be particularly intelligent, I would assume that Google does not 'know' the passwords... salted cashews and such stuff. If they did download the file then in order to check for compromised accounts they would have to use the information to see if they could log in to the accounts and that might put them on the wrong side of the law. Of course assuming these are accounts that Google regularly sniffs the data from to spaff adverts at people then things possibly become even sillier. Anyway, as suggested, they might find themselves charged with doing something nefarious. Errr, pass the paracetamol.
Yes they have checked - via Ars - http://googleonlinesecurity.blogspot.co.uk/2014/09/cleaning-up-after-password-dumps.html
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords."
I was concerned as well when I saw this. I had a couple "failed login attempts" from somewhere in northern Nevada a few months back and I used Keypass to generate a strong random password and enabled two-factor. Also did same for Windows Live and Apple ID, and proceeded to generate random Keypass passwords for any sites using my Gmail account as a login. Now I just want my financial institutions to all offer the same.
I'd agree that something might be at risk if you didn't know you were on the list.
I suspect some confusion between the actual Gmail account, and accounts on other sites which use email address and password as login credentials. You can expect a site username to be a little less open than an email address, but I know of some significant (if not hugely sensitive) accounts which require an email address. I have to use that for the repeat prescription service offered by my GP.
Bu I don't publish my Gmail address. I redirect email through my personal domain name, to read through Gmail, and so my public email addresses don't have an obvious link to Gmail.
I set this up a long time ago and, while I am certainly a little worried about this, I don't feel vulnerable. I do have the feeling that conclusions have been enthusiastically jumped to.
I am more worried about how easy it is to find the answers to common "security" questions.
>I would assume that Google does not 'know' the passwords... salted cashews and such stuff.
You're right that they won't know the passwords in their database, but they can perform a match between the hashed password and what they stored. If they couldn't then it should be self evident that they also couldn't validate your credentials when you visited their website.
Handy link there SNC
I'm not on the list, but the account I set up for the 8 year old is on the list. I'll have to go find the actual list and see if it has the (one) password I stuffed on it 3 months before he was born.
I find it hard to believe they "cracked" that one, its not something rational. Nor am I most days.
> "a move towards multi-factor authentication is required"
Google already uses two factor, and it's a royal pain in the behind. I have 2-3 real accounts which actually matter, the rest are throwaway accounts, and I do not need secure throwaway accounts.
I'm not sure why everyone wants to pretend that all accounts are vital and important, when it's so blatantly obvious that all of us have dozens upon dozens of junk accounts we really couldn't care less if they are hacked.
@Vociferous : I must strongly disagree about Google's 2SV being a royal pain in the behind. Once 2SV is set up, it's completely transparent. The knowledge that I will get an alert if someone does manage to crack my Google password, *and* that the perp won't be able to anything with it without the verification code sent to my phone lets me sleep much easier.
Before going to that site, ask yourself, who are these guys, and can I trust them?
So how does that work then? How can you tell where a gmail.com account user is based without having more details? Did the hackers enter the accounts one by one and discard those where the user had selected a non US/UK or possibly DK location? Does google keep your details on different servers based on where you claim to live? Or maybe the accounts are even older and from the time when you had to be invited to have a gmail account and would more likely be a US based user? All sounds rather odd.
This post has been deleted by its author
I'd imagine someone got onto a server and did '
'Select * from IDDATABASE WHERE USER_LOCATION IN (the money);" or thereabouts so they could get away with a usb stickload of info rather than waiting a long time for the full table (s) to download.
According to the Microsoft site haveibeenpwned.com four of my seven gmail accounts have been compromized. One of the accounts is ancient, but three were created in 2014. Google did force me to change password on one of those accounts a couple of months ago.
Interestingly, none of the accounts is listed as compromized by isleaked.com.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
