5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — are circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.

OK

[YrWrstNtmr]

So where do we go to find the actual "list of exposed credentials" ?

Re:OK

https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls

just the usernames, not the passwords.

Re:OK

[TACD]

The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!...

Re:OK

I'm not sure where the list is available, but you can check if you are on the list here

Re:OK

maybe krebs will post a searchable index of email addresses...

Re:OK

[DoofusOfDeath]

Thanks. Just discovered that I'm on it. Damn.

Re:OK

[Richy_T]

Maybe someone should just do a courtesy mass-mailing based on the list.

Re:OK

[PIBM]

I'm on it, but I need to know which password was hacked. That would provide me a lot of info on what happened.

Re:OK

It would have to be Google itself, their own spam-trap bots would recognize and kill such as mass mailing otherwise.

Re:OK

[peragrin]

Next question is what about those with two factor authentication?

My pass word is the same from both before and after but I have two factor authentication token as well

Re:OK

whooosh

Re:OK

some of the accounts are also on this 2012 list:

https://dazzlepod.com/digitalplayground/?page=50

i searched for a few, found some, couldn't find others - so this new list may be a compilation of other lists, or a continuation of the old one.

Re:OK

[2fuf]

hunter7

Re:OK

[PIBM]

Really ?? I don't even remember using that password somewhere, and I confirm I never used that on well known and large site.

Thank you BTW

Re:OK

[stonecutter2]

Thanks, thought the exact same thing...

Re: OK

Thanks for the useful link. I'm on it but the password is one I used to use for throw away accounts on websites and never my gmail account.

Re: OK

That site was iteresting....of my 3 accounts only 1 was on a list..but the 2 characters of the oassword they gave I have notnused in 3 ears or more lol

Re: OK

and tell them what? that their email address should now be considered public?

Re:OK

One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php

Re:OK

my sister's email is on the list - she has confirmed that she's never used her gmail password anywhere else.

Re:OK

[ShaunC]

Preferably in as few messages with as many envelope recipients as possible. There would be epic fallout from all the Re: Re: REMOVE ME FROM THIS LIST.

Re:OK

Did you check that they have her gmail password, or was it grabbed somewhere else?

Top thread on Reddit's discussion talks about that - seems like passwords in there come from all kinds of places, like Dreamhost, Blizzard, Filedropper, ...

Re:OK

[alexhs]

FYI, 2fuf was joking.

Re: OK

With typing skills like that how the fuck do you ever type your password correctly? :)

Re:OK

[Tablizer]

Maybe someone should just do a courtesy mass-mailing based on the list.

A Nigerian prince has already completed that task. I just hope he also mails me my loan back.

Re:OK

[PIBM]

indeed, the 7 caught me offguard. I've managed to grab it and the password I had used match web based games I didn't care about (required signup for flash tests). Still nothing related to gmail directly.

Re:OK

Or better, just create a form where you can put in your username/password to check if it is in the compromised list. I can't be arsed to go trawl through some list manually.

Re:OK

One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php

Same thing;
One of my accounts is listed in https://isleaked.com/en.php
but this password is at least 2 years old.

Re:OK

[Mashiki]

This account(and the publicly facing email address) is on the list new list, but not the old one. Except that the password listed is over 2 years old, feel free to look. So it makes me wonder where the pass was pulled from, if someone wants to try and figure it out that should be interesting. The only other places I've logged in from with this email address were in Florida via Brighthouse , and Nothern Alberta via bell wifi(rockethub). I have three other email addresses that I use, but none of them are on the list. But I've used this account and others on the same machines.

That makes me believe that some data was pulled, but it may be old--or compiled from elsewhere.

Re:OK

[Mashiki]

Oh and I should toss in that this email address is/was only used on three sites. DSLReports, PWE(since moved to another account roughly 1 year ago), and Slashdot. But none of these sites used the same password as the email address.

Re:OK

you mean hunter2 ?

all i can see is *s

Re: OK

[solidraven]

Same story, it's a joke password I've been using for the past 8 years or so for sites I don't trust or throw away accounts.

Re: OK

Great idea... Send me your email login and password and I'll let you know if you've been compromised... ;)

Re: OK

I survived Bedlam DL3

Re:OK

It says passwords for two of my accounts were leaked.

However the "first two symbols of the password" are WAY OFF.

I wonder if they brute-forced and somehow ended up with some completely different passwords which collided with the hash of my actual passwords. What would even be the odds of that?

Re:OK

Thanks!

I did a search of mine and my families usernames and found none; which is what I had hoped for!

Re:OK

A totally questionable download indeed...

$ untar google_5000000.txt.tar.gz
gz2 file ./._google_5000000.txt
google_5000000.txt

Oh no!!! A dangerous text file!! Run for the fucking hills you dumb shit!!

Re:OK

This is all bullshit. The list is over 10 years old and less than 2% is even actionable

Re:OK

Thanks for the link. Found my junkmail account with the password I stopped using 5 years ago. XD

Re:OK

Check your credentials here:

http://www.droida.de/gmail-address-leaked.html

Re:OK

One of my accounts says yes but the first two characters of the password only match a password I don't use anymore.

Re:OK

My username is tacoman and my password is mrburrito

Can someone tell me if I'm on the list?

Re:OK

[MrHanky]

Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.

Re:OK

Filthy casual!

$ tar zxf google_5000000.txt.tar.gz

Re:OK

[Mike+Frett]

My account is leaked also but I was one of the first to get a Gmail account and it's an extremely common word. People use mine as their Spam email and it's a big hassle. The password listed for mine is nowhere close to any of mine. So whoever is using my email are the ones in trouble.

Re:OK

Maybe someone should just do a courtesy mass-mailing based on the list.

Maybe google should. Why did I have to read /. to find out about this?

Re:OK

Yeah.. some 2 bit mobster needed to make some money fast so sold a whole lisst of useless names and passwords to someone.. or maybe gave it to someone to keep from getting whacked!

Re:OK

[doccus]

What a wonderful site! Didn't know about it...Thank you!

Re:OK

[Dextrously]

I have an email address on there from an account that I canceled in November of 2012. The credentials that they do have for that account were never valid for logging in to that gmail account. Rather, those credentials were something I used on crappy sites which I didn't trust enough to put a decent password on.

*shrugs* This list is definitely not pulled from Google, or they would have the correct password for that account.

Re:OK

[coinreturn]

Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.

Same here. My email address, but a password I use for throwaway sites that I don't care about accessing.

Enable Per Device Passwords + TFA

Google allows you the ability to enable per-device passwords plus the GoogleAuth Two-Factor system to lock it down.

2 factor auth?

Interesting how that seems pretty close to when google enabled the 2 factor auth?

Re:2 factor auth?

The fact that this pushes people to use two factor and hence give Google their mobile numbers, should not be suggestive at all that Google is behind this, that would a ridiculous assumption...

Apple needs to be held accountable...

[frnic]

Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

Re:Apple needs to be held accountable...

[DoktorMidnight]

Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

I'm not sure if that is really funny, really sad, or some kind of crazy, Google astroturf psyop. I'm going to be safe and assume that it is simultaneously all three.

Re:Apple needs to be held accountable...

No, just an Apple zealot trying to be clever but looking a twat.

Re:Apple needs to be held accountable...

It's funny.

Re:Apple needs to be held accountable...

At least you caught the joke. Too bad you took it personally.

Re:Apple needs to be held accountable...

OP is funny!
Why would you think OP was sad? Pointing out the hypocrisy of the FAndroids that don't even question Google's security and blindly believe without question Google's official statement of 'trust us, hey we didn't get hacked", yet when a similar situation happens to Apple, the zealot FAndroids behave in a venomous and closed-minded polar opposite manner is not sad.
No, it isn't the OP who is the sad one here.

Re:Apple needs to be held accountable...

What's sad is that you decided to post anonymously in defense of your own unfunny joke.

Re:OKthere

http://www.reddit.com/r/netsec/comments/2fz13q/5_millions_of_gmail_passwords_leaked_rus_most/

More directly:

https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ

Quickly, change the password...

From 123456 to abc123. There, I'm safe from Soviet hackers now.

Re:Quickly, change the password...

I changed mine to hunter2.

Re:Quickly, change the password...

[webnut77]

I changed mine to hunter2.

It's September, dummy. It should be hunter9.

Re:Quickly, change the password...

I'm in the southern hemisphere, you insensitive clod! hunter6

Re:Quickly, change the password...

[ebvwfbw]

From 123456 to abc123. There, I'm safe from Soviet hackers now.

I'd fail the 8 char check. I'm safe. I changed it from Password1 to Password2!. They'll never think of that.

Re:America did this

It's funny that you say "true capitalism" is a fairy tale... and yet communism (I'm assuming you mean the "true" kind) is your goto.

Maybe somebody should mod you funny.

you can find the list here

Here is a link to the ascii text file.

https://mega.co.nz/?_escaped_fragment_=ewU1wCKA!P52rdL5tMcugRxi8ALyZlGnfE_KSB4pERGIJjsPsyCQ#!ewU1wCKA!P52rdL5tMcugRxi8ALyZlGnfE_KSB4pERGIJjsPsyCQ

Just people using same passwords

[blueshift_1]

I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both.

Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!

Re:Just people using same passwords

Your _email_ is on the list, or your _password_ is on the list?

PS: If it's the latter, how did you check it? I'm not big on trusting sites that go "Is your password leaked? Well, type it here and I'll check it for you... *quietly does INSERT INTO easymarks VALUES (?, ?)* Eeeeyep, it's leaked alright."

Re:Just people using same passwords

There could be a simpler explanation - your email address may be on that list as it has been scraped from various websites.....Looking at the your post above, it would seem your address is easily found.....

Damn you Slashdot beta :-)

Re:Just people using same passwords

[YttriumOxide]

I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both

I'm pretty sure that's right. Actually, I'd say I'm around 5 nines certain.

My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site.

According to the list, the password is a 7 character string, lowercase, moderately common first name starting with c.

Re:Just people using same passwords

I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both

I'm pretty sure that's right. Actually, I'd say I'm around 5 nines certain.

THIS. Some other stats on the file...
* 4929090 lines
* 4790829 unique users
* 3135922 unique passwords
* 1702892 unique passwords that contain both a letter and a number
* 468179 unique passwords that are all numeric (ex. 123456)
* 926300 unique passwords that are all lower case ascii (a-z)
* zero passwords contain an upper case letter (maybe case got destroyed at some point, or maybe these are all very very weak passwords)
* 97741 unique passwords containing something other than alphanumeric (ex. . _ - # % ` & { })

Looking closer at that last list, many of those are weak, but there are some that look strong. There's even one that's 51 characters long with seemingly random alpha, numeric, and one symbol.

I'm surprised anyone here is admitting to having their name on the list. In most cases, the passwords have been very very weak. FWIW, I went through every contact I personally know with a gmail account and none of them were on here (luckily).

Here's the list

https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ
For anyone who wants it.
My emails weren't on it, nor was the emails of others I know.

Two factor authentication time!

[slk]

Google offers 2FA for free, labled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevent. Can do SMS, Authenticator app, etc.

Re:Two factor authentication time!

They offer it without giving Google your phone number or other personal info, or you have to put another personal info egg in the Google basket?

Re:Two factor authentication time!

[Ichijo]

Except when your workplace has a policy of deleting cookies daily which makes 2-step authentication a hassle when you have to do it every day.

Re:Two factor authentication time!

[peragrin]

Except google has a policy for that an can give you a one step password for the particular device.

Re:Two factor authentication time!

>Except when your workplace has a policy of deleting cookies daily

If your workplace has an IT leader so far gone that cookies are being deleted daily, it's time to find a new job.

Re:Two factor authentication time!

[Mike+Van+Pelt]

Yeah... I tried that. It makes it near impossible to view Youtube videos on my TiVo. The TiVo doesn't stay logged in nor does it remember passwords, so I have to get a new OTP every time I want to view on the TiVo. (Though, now I also have a Chromecast, and I suspect it works more reasonably with 2FA... Time to give it another try, I don't use the TiVo to watch Youtube anymore since I got the Chromecast.)

Re:Two factor authentication time!

Which is based on cookies.

Re:Two factor authentication time!

Doesn't matter here, my workplace blocks accounts.google.com, because uhh, gmail is bad.

Re:Two factor authentication time!

[DMUTPeregrine]

No, it's a separate password for the same account. You can set it to expire or not, as you choose. Cookies aren't involved.

Re:Two factor authentication time!

[swillden]

They offer it without giving Google your phone number or other personal info, or you have to put another personal info egg in the Google basket?

There are several options. One of them is to use SMS or voice as the channel for receiving one-time passwords. For that, you have to provide the phone number they should send the passwords to. Or you can use the Google Authenticator app, which doesn't require providing any information (though it's recommended to provide a phone number as a backup), or you can just get a list of static OTPs to print out and carry around. Most people use that last one as a backup, but I suppose you could use it as your primary 2FA.

Re:Two factor authentication time!

[swillden]

You don't log into the Chromecast, so it doesn't have any dependency on authentication.

Re:Two factor authentication time!

And which puts you exactly back to where you were without two factor auth, but only on the device where it is inconvenient.

Re:Two factor authentication time!

Sounds to me like they're trying to prevent you from looking for a job elsewhere.

Re:Two factor authentication time!

Google Authenticator is open source also: https://code.google.com/p/goog...

Can be (is) used for other 2FA setups

Re:Two factor authentication time!

[GNious]

Would suggest people also go through and revoke any logins, computers and devices after they set up 2FA - should be right there in the Security tab on Google account settings.

But... but.... but... What about teh Appelzzzzz?!?

Come on, Slashtards, you know you want to...
 
Don't be bashful. Tell us how companies that have private information taken from them but whatever unknown methods should be shacked to a brick of iron and dropped into the deepest point of the sea. You just did it a week or two ago. We know you can do it again.

My emails are not on it

I've downloaded the list and neither of my emails are on it. Both of my emails were created when gmail was still in the invite phase. So this appears to not be a leak from gmail. Likewise it appears to not be a leak from youtube, as none of my youtube id's are on it either.

Re:My emails are not on it

[ledow]

Same for me, same for my brother.

Someone's just collected 5m GMail addresses from somewhere.

To be honest, it's more likely that my address has been sold by a Google employee - there's no way I should be getting as much spam as I do to an address that's completely unadvertised and which is only the end-point of various domain forwarding.

Password compromise too? Just sounds like someone's collated all the compromised data from other websites etc. they could find, rather than hacked into GMail somehow.

Anybody own these?

slashdothash@gmail.com
ander.slashdot@gmail.com
slashdotcom@gmail.com

They are in the bad list.

Not Listed

[BlackHawk-666]

Despite having a public gmail account since it was invite only I escaped the list. Password managers FTW!

Re:Not Listed

[Halifax+Samuels]

None of my accounts are listed, and I've had two of them since it was invite-only as well. I also used the same simple password for both of them and dozens of other sites for many years because, honestly, I just don't care that much. Whether you're on the list or not doesn't seem to be related to your password.

Checked

I used the isleaked site for the check and it came back with the first two letters of a password that I was using about 8 months ago. No one seems to be trying it either as my two factor authentication texts aren't going off.

Enable///

[Rick+Zeman]

...2 factor authentication for your accounts, too. Google makes it easy.

Re:Enable///

[Charliemopps]

Thanks for the link, that made it easy. I should have done that years ago.

Just people using same passwords

[Afforess]

I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both

Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!

My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site. So I don't see how this can be the case. I have 2FA on the account, so not too worried, but still!

Probably a few sites were hacked

[stewsters]

With a gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and seems like these credentials are stolen from a few different sites. Here are the most popular after plus endings from the 5 mill:

xtube : 176
daz : 133
1 : 125
filedropper : 88
daz3d : 66
eharmony : 64
friendster : 63
savage : 62
2 : 60
spam : 57
bioware : 54
savage2 : 52
bryce : 51
hon : 40
freebiejeebies : 32
3 : 28
eh : 27
4 : 25
policeauctions : 19
bravenet : 18
filesavr : 18

Re:Probably a few sites were hacked

[brunes69]

Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.

Re:Probably a few sites were hacked

friendster : 63

HAHAHA

Re:Probably a few sites were hacked

[malakai]

Can confirm. the password it had for one on my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my GMail, or any account I cared about.

I checked two other g-mail accounts that I primarily use for work, and neither were on the list.

I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.

Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).

Re:Probably a few sites were hacked

Same here, my email was in the list but with 'throw away' password, never used it on gmail.

Re:Probably a few sites were hacked

Yep.

There's also probably a bunch lifted directly from victims' PCs - running through uniq shows there's ~200k of duplicate entries, and if you grep by \+.*@, there's ~4000 entries, with some accounts having 10-20 variants of samemail+wqeqw76@.. leaked.

Re:Probably a few sites were hacked

where are you finding the passwords? Im on the list and use KeePass for just about everything so should be able to nail down exactly where they got my password from.

Re:Probably a few sites were hacked

Same here. Throwaway password that :) *ahem* I was using a bit too liberally.

Re:Probably a few sites were hacked

[ChronoReverse]

I agree, just did the check and the first two characters were "pa" which is obviously the throwaway "password" I used before.


I have 2FA enabled so my actual gmail account is pretty safe I'd think.

Re:Probably a few sites were hacked

[YttriumOxide]

where are you finding the passwords? Im on the list and use KeePass for just about everything so should be able to nail down exactly where they got my password from.

The list with passwords was easily available for a while (and still is if you hunt around a bit - I found it without too much trouble).

Re:Probably a few sites were hacked

[Yaur]

The password they have for me was from the linkedin breach.

Re:Probably a few sites were hacked

Confirmed for me as well. Password was from the Ubuntu forums breach.

Re:Probably a few sites were hacked

The password they have for me was from DAZ3D.com (single use pass)

Re:Probably a few sites were hacked

my pass was leaked from DAZ

Re:Probably a few sites were hacked

I ran a few queries....

4799714 end in @gmail.com, 123213 end in @yandex.ru, 15 end in @hotmail.com, and 14 end in @yahoo.com. 124824 entries don't match "@gmail". Of those, 123225 match @yandex.ru, and 123213 uniqlely match '^[^@]*@yandex.ru$'. There are also 27 that match @yahoo.com and 26 that match @hotmail.com.

1389 entries don't contain an @ symbol, and 154 entries have more than one @ symbol. Many appear to be multple entries concatenated together, but 31 literally have @@, and 26 of those are @@gmail.com.

Ignoring the fact that some don't match @gmail, I tried cat google_5000000.txt | cut -d@ -f1 | tr -d '.' | sort | uniq -c | sort -rn.
This a listing with over 6000 combinations, and another with over 4900. There were 3 with at least 2000, 6 with at least 1000, 9 with at least 500, 15 with at least 200, and 31 with at least 100 combinations.

If you're curious, grep '^m.\{16,\}og..c..@' google_5000000.txt | tr -d '.' | sort | uniq -c will reveal the user with over 6000 combinations. 6311 are @gmail.com, and 140 are @yandex.ru.

Something tells me that yandex.ru is directly invovled in this breach.

Re:Probably a few sites were hacked

[r0kk3rz]

They list my details that were leaked from the Sony Playstation Network hack a few years ago, long since changed all my passwords since then.

Re:Probably a few sites were hacked

Can you email me the file at pagalzzx@gmail.com?

Re:Probably a few sites were hacked

Not on the list!

Re:What's email?

you mean you still actually take your cell phone out of your pocket to use it?

How quaint.

Re:What's email?

[WillAffleckUW]

What's a pocket?

This is the 21st Century.

We all wear form fitting science uniforms and have jetpacks and flying cars.

Scary-ish

[Torp]

I was on this list and i had an unique (for me) password for the google account. I've had the account since you had to beg for an invite to get in as well.

Re:Scary-ish

[Torp]

... but I'm guilty of not ever changing the password after i created the account :)
Until today, of course.

Re:Scary-ish

I also had to get in with an invite but my account was not in the list.

Nor my other aliases or other account userids.

Phew.

Re:Scary-ish

Was the password correct? I am on the list as well, but the password is unknown to me.

Re:Scary-ish

[steelfood]

So are you saying your unique password was revealed along with your username? For curiosity sake, was it a strong password, or something an enhanced dictionary could attack?

Re:Scary-ish

[Torp]

I was wrong. This is NOT a leak of passwords from google accounts.
I checked my account on isleaked.com and it was NOT the google password, but the easily guessed password i use for accounts that I don't care about.
If your google password is unique, you're safe. If you reused it on low security sites... not so much.

Re:Scary-ish

I've been with gmail since you had to have an invite as well, I've also USED THE SAME PASSWORD for just as long (it's 16 characters from /dev/rand with some manual modifications to make it 1) legible and 2) commonly accepted as a valid password)

My email wasn't on the list, but I also don't use my 'master password' for anything but my email and tax accounts.

I think it comes down to understanding what a trustworth site is (of which, let's be honest, there are basically none - I 'trust' google, and I 'trust' my government - if the former is leaked, it's an inconvenience, of the latter is leaked - it's their fault and I'll be compensated for damages, and oddly I trusted facebook - I'm sure I'll come to regret this in time).

Every other site/service (namely games/steam/forums/etc) are all using an alternative username (online alias, not my real name like my email) and a completely different passphrase (it's a 67 character long joke that I'll never forget, with punctuation).

Re:But... but.... but... What about teh Appelzzzzz

[bigfinger76]

Has this resulted in one breached account? For all we know, this is just a list of email addresses. Need more evidence, like boobs.

How do we actually know?

[Sebastopol]

I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).

Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?

Re:How do we actually know?

[YttriumOxide]

I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords?

Statistics, probably not. But to confirm they're not just all made up, I checked a few of the ones that were obviously a password for another site (one of the '+' addresses) and after 4 tries, found one that worked (on the 'other site', not on gmail). So they're definitely not just 'made up' passwords; they just aren't necessarily a password that was ever actually used for the email address they're associated to.

Re:How do we actually know?

[i+ate+my+neighbour]

A sketchy service called isleaked.com allows you to query. I queried my email, and it replied "the first two characters of your password is ...." which was correct. However, it was not my gmail password, but a password I use in my unimportant accounts.

Re:How do we actually know?

[kat_skan]

Even if it's a hoax the sensible response doesn't really change. Change your password, enable 2FA and don't worry too much about whether it was FUD.

Re:How do we actually know?

Google says about 2% of them were current, valid 2% passwords. Obviously it's in their interest to downplay this, but it matches the general tone I've seen in the comments. I'd guess they came from other sites and the 2% what's left from password reuse after you account for the fact that some of the passwords are apparently really old.

Re:How do we actually know?

[Nyder]

I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).

Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?

They had my email and an old password I used on it.

So while I am no one important, the list seems legit.

Re:How do we actually know?

I also used the same, but the first 2 characters shown for me is not even one of my throwaway passwords. Most likely junk. I got the list of leaked emails but it would be great if I can somehow see the password that was listed as well.

Check you address here

[bigjocker]

Use this page to check if your address is in the leaked database. I'm using the list (without passwords) that was published here in slashdot in the above comments. I'm not capturing the email addresses of the people using the tool:

https://bigjocker.com/qd/googl...

If you don't trust me (and I don't blame you), just download the file posted a few comments above this one and grep yourself:

ngranek@trantor:~/Downloads$ grep bigjocker google_5000000.txt
ngranek@trantor:~/Downloads$

Re:Check you address here

[John+Bokma]

Heh, my wife was asking about such a site, and like I explained to her: you really think that someone who has collected all this data is just handing it out for free? No, it's IMO just a small, probably outdated sample. Moreover, I wouldn't trust any site that allows me to check if I am on the list. This just confirms that such accounts are active or at least that someone cares enough about it to check it.

Re:Check you address here

[emotionus]

Wild cards work? partial matches?

Re:Check you address here

The google ads are a nice touch.

Not stolen from Google, leaked from another site

This isn't a gmail leak. My email address is on the list, so I downloaded the full document with passwords. The password that was leaked on my account was NEVER used for gmail, I only used the password for other "less trusted" sites.

Re:What's email?

[peragrin]

Who needs a pocket my computer displays on my contacts and blast audio through a bone phone.

Maybe a fraction of the actual list (and outdated)

[John+Bokma]

I guess this is just a small fraction of the actual list, because such a list has a value and why just handing it out for free? Releasing a fraction and seeing people going upset because they are on the list, and it's actually their password, however, increases the value of the actual list. Even more so if the actual list is more recent.

Re:But... but.... but... What about teh Appelzzzzz

[Noah+Haders]

did the icloud buzziness result in one breached account? no evidence of that. a lot of the nudie selfies were taken on sammy phones.

Re:But... but.... but... What about teh Appelzzzzz

[bigfinger76]

I neither know or care. It's just a bit early to try to stir the pudding here.

Re:What's email?

[jcoy42]

...sez the guy whose homepage is facebook.

Re:But... but.... but... What about teh Appelzzzzz

Except that you already did try to "stir the pudding."
 
Imagine that, a Slashdork being a stinking hypocrite.

Am I the only one?

[Russ1642]

A total surprise to me that my email address was on the list, and they had the current password. I changed that immediately and activated 2-factor authentication. So the next question is how did they get it? It's a unique string of random crap so it had to be intercepted rather than brute forced either with a malicious android app or, more likely, I signed in on a compromized computer. Anyone have any ideas?

Re:Am I the only one?

Unencrypted Wi-Fi?

Otherwise, if you connected on a random computer from friends/family, it's most likely they are infested with bad stuffs, with keyloggers/auto-MitM services...

Re:Am I the only one?

[Ronin+Developer]

Could easily have been malware, phishing site, or a compromised system.

If you still use the account, make sure you unlink everything from it, change your password and then enabled TFA.

Re:Am I the only one?

[mr_mischief]

Did you by any chance use the same unique string of random crap at some third-party site where you used your email address as a verification email?

Re:Am I the only one?

[swillden]

Most likely, you used the same password for another web site, with your gmail address as your contact e-mail.

Re:Am I the only one?

[Russ1642]

Most likely the two symbols that were shown on the isleaked website were also in a different password of mine and they never really had the proper Gmail password. I have no way of verifying this. However, I can say for certain that I've never used my Gmail password anywhere but Gmail. I have unique passwords for every single account I have on all websites. I use UPM as a password manager on my Android phone with a ridiculously long master password. I doubt it got hacked.

Re:Am I the only one?

At which point it is obvious to ask: Does the password line up with a site you've used? What site? You should advise that site they have likely been compromised.

Re:Am I the only one?

[celticmonkey]

I was surprised to see my email address on the list. Looking through my password manager, it looks like they have a simple password I stupidly re-used on eharmony and gigasize more than 3 years ago. (In fairness to those sites, I probably used the password elsewhere too, so they aren't necessarily the leak source.) I just hope a Russian hacker doesn't steal my soul mate on eharmony. (Unlikely?)

Re:Am I the only one?

Or they'll use your profile for the "foreign bride/groom" scam.

I very hapy for our love and cant wait to mit you. bUt i need moneys to leav country. Pleas send dollars im flying to your place very sun. Attached: me at nudist beach

Re:Am I the only one?

[strikethree]

Hm. None of the addresses that belong to me or anyone that I correspond with is in that list. If it was from a breach at Google, then they were stopped before they were able to access the entire list that Google has. My main is account has been around since gmail existed and it is not compromised.

Did you use shared passwords with ANY other site? That is the only method I can think of for them to have a list like this. I hope you were able to regain exclusive control over your account before anything bad happened.

Re:Am I the only one?

Maybe the Russkie Mafia exploited the OpenSSL Crap quite some time now ? Just because they did not tell you means little...

Now they release 5 of the 500 millions for some "effect" ? Ya know, some wars ongoing etc.

Re:Am I the only one?

I see Google has their spin doctors deployed...

Re:Am I the only one?

[PhilHibbs]

Where did you get the password list from?

Re:Am I the only one?

[swillden]

I see Google has their spin doctors deployed...

I see you haven't followed this story at all. There is zero evidence that any of this data came from Google, and plenty of evidence that it did not. For that matter, look at some of the /. comments. Several posters found their e-mail addresses and passwords... and they were not passwords used on gmail.

Re:OKthere

Which doesn't give you a file, just prompts you to install malware.

Yowsers

I'm on that list! Definitely not my current password but definitely a password I use elsewhere (USED!). I wonder if this was taken via another account that links to my email address. Big humongous props and thanks to people who found it and made the sites to check it. I'll miss that password though. It was a nice throwaway that's second nature for me to type now.

Re:OKthere

If this link prompts you to install malware, you probably should check your PC and/or ISP for browser hijacks.

Opens proper Mega's site with Mega's SSL cert and google_5000000.7z (28.7Mb) download. 7z contains a plain text file.

Re:What's email?

[Triklyn]

hah, the optic nerve is SO last gen. my I.queue directly stimulates my visual and aural cortices.

In the USA we pay to receive texts

[tepples]

Cellular subscribers in the United States who do not pay per month for unlimited SMS have to pay for each outgoing and incoming message. So unless I'm severely misunderstanding something, I'd have to pay my cell phone provider 20 cents every time I want to log in to any Google service. Is there something cheaper?

Re:In the USA we pay to receive texts

[Specter]

You can install the Google Authenticator app; it requires no data connection after you set it up.

J

Re:In the USA we pay to receive texts

Any way to do this 2FA without a phone?

Re:In the USA we pay to receive texts

[sh00z]

You can download a list of single-use codes you can use instead of SMS. Of course, if you print the list and put it in your wallet, there's a path to compromise the security.

Re:In the USA we pay to receive texts

[tepples]

I assume buy a tablet and install Google Authenticator on the tablet.

Re:What's email?

[WillAffleckUW]

My point stands

Re:What's email?

[disambiguated]

How quaint. When I need to know something, my computer travels back in time and alters history so that I always knew it.

not only Gmail = no Gmail compromise, but Windows'

Not only Gmail passowrds. Gmail is singled out just because it is popular most of the passwords are from it.
Therefore Gmail/Google were NOT compromised.

As usual, shitty Windows was compromised and passwords were spied on.

Search engine

[DrYak]

(and still is if you hunt around a bit - I found it without too much trouble).

What search engine were you using to locate it?
I'm sure it won't show up on google's search results.

(Or other pointers on how to get the list with passwords ?)

Re:Search engine

there's a link on reddit to the google cache for the piratebay torrent.

Not hacked?

I don't see either one of my e-mail accounts on there.

Thankfully I use 2SA just incase.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What's email?

As the Doctor uses pockets, and is quite proud of them, we can be assured that they'll stay useful till the end of time.

friendster? what.

i laughed when i saw friendster in the top 10

it makes me think about a recent discovery (The Onion)

Reddit deletion

[DrYak]

Reddit comments are being actively deleted.
Luckily, Google hasn't blacklisted the piratebay cache, yet.

checking.... Nope. None of my password is in there.
Will pass the file around for my friends to check theirs.

Re:Reddit deletion

Reddit comments are being actively deleted.
Luckily, Google hasn't blacklisted the piratebay cache, yet.

checking.... Nope. None of my password is in there.
Will pass the file around for my friends to check theirs.

CAn you please upload the list to piratebay? I cant find it anywhere..!!

Gee and me with all that Cialis spam

[gelfling]

Oh no, what will I do?

Re:America did this

Not funny at all. Capitalists love their own brand of communism, benefit from it, support it, make money off of it, and mandate it
when it is the most profitable choice.

They are not opposites. Communism is something "capitalists" leverage and utilize when it suits them.

Private property and never-ending billion-dollar taxpayer-funded bailouts and communism for those on top,
the "free market" and "capitalism" for everyone else. The "capitalists'" favorite plan, and it always works on idiots like you:

Parent is a troll or young and naive. Ideologies are practically always complementary. You will never get anyone on board.
The goal is to get yourself in power, not to change anything. It doesn't matter what people pretend to believe, what matters
is you are on top and they are not. Who cares if you call yourself a communist or a capitalist? Thoes are little kid's theories
who have no clue.

People in power divide and conquer, nothing amazing
or surprising or revolutionary about that.

Hook, line, and sinker AC. Way to be a moron.

They could not care less what system you think you live in, it is simply "what can we call things to keep you so you don't
kill us?" Some places you call it "communism" and you stay in power, other places you deceive people and tell
them they have a "free market" as you loot from them left and right endlessly.

Parent is pathetic, but you are just doing an ad hominem.

Refute what they actually said, affirm their points, offer something new, or shut the fuck up please.

Your "goto" is old and pathetic. You are just aiding communism with your tripe.

They "goto" gether you fucking brainwashed moron.

5 million Gmail Passwords

Are we expecting some Android celebs nudes? There must be some in there.

How did they get it?

Was surprised to see my email on the list with the right password. I have never used the password on any other site (except of course on my android phone).

Isleaked.com suspicious at best

Isleaked.com domain was registered before the first post to russian bitcoin site. The list was first published on Tuesday but this domain (isleaked.com) was registered on Monday at 07:32:34 Zulu. The site is behind cloudflare which does log information about each access. The entity behind the isleaked.com site would have to purge their logs on cloudflare even if their servers don't log accesses or worse POST queries.

Low

It says passwords for two of my accounts were leaked.

However the "first two symbols of the password" are WAY OFF.

I wonder if they brute-forced and somehow ended up with some completely different passwords which collided with the hash of my actual passwords. What would even be the odds of that?

Very, very low. Even if it was an MD5 checksum and your password was in the ballpark of 20 characters or so. At least that's my layman understanding. I've never been terribly great at math, so take it with a grain of salt (see what I did there? It's a cryptography pun, but I guarantee it wasn't intentional).

Can anyone with the maths confirm?

I think passwords were collected from elsewhere

[gaspyy]

I found one of my Gmail accounts in the list - the one I usually use when asked on forums and such. Using https://isleaked.com/results/e... I saw that the password leaked is not the actual gmail password, but the password I use when signing up on non-important sites, including Slashdot.

I'm quite sure the email+password was collected from another site, can't be sure which one.

Re:I think passwords were collected from elsewhere

I found one of my extended gmail addresses in the list. The site that leaked it is called "freebiejeebies". I always strive to give my address as basename+sitename@gmail.com. Most spammers don't clear the extension as far as I can tell. That's how I know Orange UK leaked my address at some point too. I hate people who insist the plus sign is illegal. I would love an email account that provides unlimited aliases (looks like Yahoo Mail does this, but you have to choose a prefix that stick to you for live - you can't release it).

Android App to quickly check your email address

I just build an Android App (Hack Alert) to quickly check if your email address is in the list. I just published it, so you might have to wait a few minutes to get it.

I'm thinking to extend the App for future events like this, with real time notifications, the only issue, is how do I get good data?

https://play.google.com/store/apps/details?id=com.zeropii.hackalert

complete list of hacked gmail passwords here

visit http://crackomania.blogspot.com/ to get the complete list of GMAIL accounts which have been hacked.

Does Google store passwords?

[PhilHibbs]

I'm guessing that if this really is a list of Google accounts and passwords, that they got it from somewhere other than Google. As far as I know, Google doesn't store passwords, they store salted hashes of passwords.

For god's sake.

Anyone in their right mind wouldnt go to a website to check if their email has been leaked, id change my password regardless of whether it has or has not been leaked.

Re:What's email?

[bingoUV]

Ahh, you guys are funny. Time travelling from 18th century, but pretending to be time travelling from 23rd century. Go and check actual 21st century and you will weep.

OK

Original source: https://forum.btcsec.com/index.php?/topic/9426-gmail-meniai-parol/

OMG my account was hacked!

I found out at www.gmailleak.com. Check yours before it's too late!

searchable online tool

Check out http://www.askingeasy.com/check-if-my-email-is-leaked to see if your email is in the leak.

Changing passwords / creating passwords

[LinuxLuver]

I change my Gmail password at least every 3 months. I never use the same password twice, though I do use the same 'formula" to compose the passwords other than my Gmail account. For my primary Gmail account, I don't use the formula. So if you hack my primary Gmail account, you can't get into my backup / recovery account easily...or vice-versa. This is easy to do and you don't need a powerful memory. Just a meta-memory.

677

[samcastler]

My son once did http://generatoronline.net/pas... site to create strong passwords.. Try it, maybe today it will be a useful thing.

Rejected from Piratebay

[DrYak]

Can you please upload the list to piratebay? I cant find it anywhere..!!

It was alread *rejected* from pirate bay.
Look around for "10 millions emails yandex mailru gmail w passwords 2014".
It might still be in some cache (that's where I found it).
And it starts poping up around on other tracker.