12 September 2014

There have been a number of reports about a list containing approximately 5 million passwords and Google Gmail addresses (and some other Russian site credentials) being posted on a Russian Bitcoin forum.

This is believed to be made up of old information captured from a number of other sources rather than a breach of Google services.

If you have a Gmail account and have reused your Gmail (Google) password elsewhere online, there is a small chance your account may be vulnerable so you should change your password as a precaution.

About the list

According to Google, ‘the leaked usernames and passwords were not the result of a breach of Google systems’.

Google says it believes less than two percent of the username and password combinations on the list would work to log in to Google accounts.

Many of the passwords posted do not belong to Gmail accounts. Google suggests that the passwords and email addresses comprising the list may have been stolen over a period of time from other sources such as phishing, individual attacks or from hacking other minor sites where people have used their Gmail address to sign up.

Some (unconfirmed) sites reported by Mashable as potentially affected include friendster, filedropper, xtube and freebiejeebies

Is your account at risk?

The sources of stolen passwords and Gmail addresses in the list are not confirmed. It is likely that many of the passwords were created during registration for other websites which also use email addresses to logon—a common method for many websites. They may have been stolen in other breaches and attacks, and rolled up into this list.

If you reuse your Gmail (Google) password elsewhere online, it is possible it might have been captured, so you should change your Gmail password as a precaution.

If you use unique passwords for each website you use (as recommended) your Gmail account should be safe.

If you have registered for any of the minor sites mentioned above, you should change your passwords for those sites too.

It is best practice to never reuse a password.

Password checking sites

Password checking site haveibeenpwned has been updated to include data from this dump. It is managed by Troy Hunt, a well-known Australian security expert. According to haveibeenpwned, 17 percent of the Gmail addresses in the list were already on its database.

Reputable password checking sites can be useful tools to help you clarify if your data has been compromised, but you should also note Stay Smart Online has reported on fake password checking sites emerging in response to similar breaches in the past, so be sure you trust a site before you enter any information. Remember they could be phishing for your username and password.

Staying safe

  • Change your password regularly
  • Choose a strong and unique password every time
  • Enable two factor authentication if offered by the site
  • Keep your software and systems up-to-date

More information

Mashable’s report on the dump.

CSO article about the dump.

Stay Smart Online advice on setting and using strong passwords.

Previous Stay Smart Online Alert: How strong is your password?

Stay Smart Online advice about setting and using security software.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.

Feedback

Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.

Disclaimer

This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.

CONTACT US

Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au
You are receiving this message at the address [Email].
Update your profile preferences
If you no longer wish to receive this information, you can unsubscribe.

© 2013 Australian Government. All rights reserved

Connect with Stay Smart Online
  • Facebook.
  • youtube
  • RSS feed