Slashdot Mirror


5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — is circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.

11 of 203 comments

  1. Re:OK by Anonymous Coward · · Score: 5, Informative

    https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls

    Just the usernames, not the passwords.

  2. Re:OK by TACD · · Score: 5, Informative

    The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!...

    --
    Security through promiscuity is no better than security through obscurity.
  3. Re:OK by Anonymous Coward · · Score: 5, Informative

    I'm not sure where the list is available, but you can check if you are on the list here

  4. Two factor authentication time! by slk · · Score: 5, Informative

    Google offers 2FA for free, labeled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevant. Can do SMS, Authenticator app, etc.

    --
    ERROR: Null .sig, core dumped.
    1. Re:Two factor authentication time! by peragrin · · Score: 4, Informative

      Except google has a policy for that and can give you a one-step password for the particular device.

      --
      i thought once I was found, but it was only a dream.
  5. Probably a few sites were hacked by stewsters · · Score: 5, Informative

    With a gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and it seems like these credentials are stolen from a few different sites. Here are the most popular after-plus endings from the 5 mill:

    xtube : 176
    daz : 133
    1 : 125
    filedropper : 88
    daz3d : 66
    eharmony : 64
    friendster : 63
    savage : 62
    2 : 60
    spam : 57
    bioware : 54
    savage2 : 52
    bryce : 51
    hon : 40
    freebiejeebies : 32
    3 : 28
    eh : 27
    4 : 25
    policeauctions : 19
    bravenet : 18
    filesavr : 18

    1. Re:Probably a few sites were hacked by brunes69 · · Score: 5, Informative

      Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.

    2. Re:Probably a few sites were hacked by malakai · · Score: 4, Informative

      Can confirm. The password it had for one of my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my GMail, or any account I cared about.

      I checked two other Gmail accounts that I primarily use for work, and neither were on the list.

      I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.

      Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).

  6. Re:OK by Anonymous Coward · · Score: 2, Informative

    One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php

  7. Check your address here by bigjocker · · Score: 3, Informative

    Use this page to check if your address is in the leaked database. I'm using the list (without passwords) that was published here in slashdot in the above comments. I'm not capturing the email addresses of the people using the tool:

    https://bigjocker.com/qd/googl...

    If you don't trust me (and I don't blame you), just download the file posted a few comments above this one and grep yourself:

    ngranek@trantor:~/Downloads$ grep bigjocker google_5000000.txt
    ngranek@trantor:~/Downloads$

    --
    Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
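    An added example, not code posted by stewsters or bigjocker: a POSIX shell script that reproduces the after-plus tally from stewsters' comment above (tag between "+" and "@", counted, most common first) and checks a single address against the list with a whole-line, fixed-string grep instead of the bare substring grep in bigjocker's comment. The file name google_5000000.txt is taken from that comment; the sample addresses in the script are constructed and are not lines from the real dump. Both functions read the list on stdin.

```shell
#!/bin/sh
# Added example; not the dump and not anyone's posted tool.
# Constructed sample list (not real leaked addresses), one address per line.
SAMPLE_ADDRESSES='alice+xtube@gmail.com
bob+daz@gmail.com
carol@gmail.com
dave+XTUBE@gmail.com
erin+1@gmail.com
frank+daz3d@gmail.com
grace+xtube@googlemail.com
carolann@gmail.com'

# plus_tag_tally: read addresses on stdin; for every local part containing
# "+", print the text between "+" and "@", lower-cased (Gmail ignores case),
# then count distinct tags, most common first. Output: "<count> <tag>".
# Addresses without a "+" contribute nothing, as in stewsters' table.
plus_tag_tally() {
    tr 'A-Z' 'a-z' |
        sed -n 's/^[^+@]*+\([^@]*\)@.*$/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# address_in_list ADDRESS: read the list on stdin; exit 0 if ADDRESS is a
# whole line of it, 1 otherwise.
#   -F  fixed string: "." and other characters in the address are literal
#   -x  whole-line match: "carol" does not hit "carolann@gmail.com"
#   -i  case-insensitive, since Gmail addresses are
#   -q  exit status only, no output
#   --  an address starting with "-" is not parsed as an option
address_in_list() {
    grep -qixF -- "$1"
}

# Demo on the constructed sample. With the real file this would be:
#   plus_tag_tally < google_5000000.txt | head -n 20
#   address_in_list you@gmail.com < google_5000000.txt && echo listed
printf '%s\n' "$SAMPLE_ADDRESSES" | plus_tag_tally

for addr in carol@gmail.com carol ann@gmail.com DAVE+xtube@gmail.com; do
    if printf '%s\n' "$SAMPLE_ADDRESSES" | address_in_list "$addr"; then
        echo "$addr: listed"
    else
        echo "$addr: not listed"
    fi
done
```

    Running the check locally keeps your address on your own machine, which is the point of the "grep yourself" suggestion. A bare `grep bigjocker` reports any line containing that string, so a short username can show up as "listed" because of somebody else's longer address; `-x` with the full address removes that, and `-F` stops the dots in the address from matching arbitrary characters.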
  8. Re:What's email? by jcoy42 · · Score: 3, Informative

    ...sez the guy whose homepage is facebook.

    --
    Never trust an atom. They make up everything.