5 million passwords and Gmail credentials dumped online: SSO Alert Priority Moderate
12 September 2014
There have been a number of reports about a list containing approximately 5 million passwords and Google Gmail addresses (and some other Russian site credentials) being posted on a Russian Bitcoin forum.
This is believed to be made up of old information captured from a number of other sources rather than a breach of Google services.
If you have a Gmail account and have reused your Gmail (Google) password elsewhere online, there is a small chance your account may be vulnerable, so you should change your password as a precaution.
About the list
According to Google, ‘the leaked usernames and passwords were not the result of a breach of Google systems’.
Google says it believes fewer than two percent of the username and password combinations on the list would work to log in to Google accounts.
Many of the passwords posted do not belong to Gmail accounts. Google suggests that the passwords and email addresses comprising the list may have been stolen over a period of time from other sources such as phishing, individual attacks or from hacking other minor sites where people have used their Gmail address to sign up.
Some (unconfirmed) sites reported by Mashable as potentially affected include friendster, filedropper, xtube and freebiejeebies.
Is your account at risk?
The sources of the stolen passwords and Gmail addresses in the list are not confirmed. It is likely that many of the passwords were created during registration for other websites which also use email addresses to log on, a common method for many websites. They may have been stolen in other breaches and attacks, and rolled up into this list.
If you reuse your Gmail (Google) password elsewhere online, it is possible it might have been captured, so you should change your Gmail password as a precaution.
If you use a unique password for each website (as recommended), your Gmail account should be safe.
If you have registered for any of the minor sites mentioned above, you should change your passwords for those sites too.
Reputable password checking sites can be useful tools to help you check whether your data has been compromised. However, Stay Smart Online has reported on fake password checking sites emerging in response to similar breaches in the past, so be sure you trust a site before you enter any information. Remember, they could be phishing for your username and password.
Change your password regularly
Choose a strong and unique password every time
Enable two-factor authentication if offered by the site
Stay Smart Online advice about setting and using security software.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.