Slashdot Mirror


5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — is circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.


  1. OK by YrWrstNtmr · · Score: 4, Interesting

    So where do we go to find the actual "list of exposed credentials" ?

    1. Re:OK by Anonymous Coward · · Score: 5, Informative

      https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls

      just the usernames, not the passwords.

    2. Re:OK by TACD · · Score: 5, Informative

      The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!...

      --
      Security through promiscuity is no better than security through obscurity.
    3. Re:OK by Anonymous Coward · · Score: 5, Informative

      I'm not sure where the list is available, but you can check if you are on the list here

    4. Re:OK by Richy_T · · Score: 5, Funny

      Maybe someone should just do a courtesy mass-mailing based on the list.

    5. Re:OK by Anonymous Coward · · Score: 2, Interesting

      some of the accounts are also on this 2012 list:

      https://dazzlepod.com/digitalplayground/?page=50

      i searched for a few, found some, couldn't find others - so this new list may be a compilation of other lists, or a continuation of the old one.

    6. Re:OK by 2fuf · · Score: 2

      hunter7

    7. Re:OK by PIBM · · Score: 2

      Really?? I don't even remember using that password anywhere, and I confirm I never used it on a well-known, large site.

      Thank you BTW

    8. Re:OK by Anonymous Coward · · Score: 2, Informative

      One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php

    9. Re: OK by Anonymous Coward · · Score: 5, Funny

      With typing skills like that how the fuck do you ever type your password correctly? :)

    10. Re:OK by Mashiki · · Score: 2

      This account (and the publicly facing email address) is on the new list, but not the old one. Except that the password listed is over 2 years old, feel free to look. So it makes me wonder where the pass was pulled from; if someone wants to try and figure it out, that should be interesting. The only other places I've logged in from with this email address were in Florida via Brighthouse, and Northern Alberta via Bell wifi (rockethub). I have three other email addresses that I use, but none of them are on the list. But I've used this account and others on the same machines.

      That makes me believe that some data was pulled, but it may be old--or compiled from elsewhere.

      --
      Om, nomnomnom...
    11. Re:OK by Mashiki · · Score: 2

      Oh and I should toss in that this email address is/was only used on three sites. DSLReports, PWE(since moved to another account roughly 1 year ago), and Slashdot. But none of these sites used the same password as the email address.

      --
      Om, nomnomnom...
  2. 2 factor auth? by Anonymous Coward · · Score: 2, Interesting

    Interesting how that seems pretty close to when Google enabled 2-factor auth?

  3. Apple needs to be held accountable... by frnic · · Score: 4, Funny

    Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

  4. Quickly, change the password... by Anonymous Coward · · Score: 3, Funny

    From 123456 to abc123. There, I'm safe from Soviet hackers now.

  5. Two factor authentication time! by slk · · Score: 5, Informative

    Google offers 2FA for free, labeled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevant. Can do SMS, Authenticator app, etc.

    --
    ERROR: Null .sig, core dumped.
    1. Re:Two factor authentication time! by peragrin · · Score: 4, Informative

      Except Google has a policy for that and can give you a one-step password for the particular device.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Two factor authentication time! by DMUTPeregrine · · Score: 2

      No, it's a separate password for the same account. You can set it to expire or not, as you choose. Cookies aren't involved.

      --
      Not a sentence!
  6. Re:Not Listed by Halifax Samuels · · Score: 2

    None of my accounts are listed, and I've had two of them since it was invite-only as well. I also used the same simple password for both of them and dozens of other sites for many years because, honestly, I just don't care that much. Whether you're on the list or not doesn't seem to be related to your password.

  7. Probably a few sites were hacked by stewsters · · Score: 5, Informative

    With a Gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and it seems like these credentials are stolen from a few different sites. Here are the most popular after-plus endings from the 5 mill:

    xtube : 176
    daz : 133
    1 : 125
    filedropper : 88
    daz3d : 66
    eharmony : 64
    friendster : 63
    savage : 62
    2 : 60
    spam : 57
    bioware : 54
    savage2 : 52
    bryce : 51
    hon : 40
    freebiejeebies : 32
    3 : 28
    eh : 27
    4 : 25
    policeauctions : 19
    bravenet : 18
    filesavr : 18

    1. Re:Probably a few sites were hacked by brunes69 · · Score: 5, Informative

      Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.

    2. Re:Probably a few sites were hacked by malakai · · Score: 4, Informative

      Can confirm. The password it had for one of my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my Gmail, or any account I cared about.

      I checked two other g-mail accounts that I primarily use for work, and neither were on the list.

      I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.

      Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).

    3. Re:Probably a few sites were hacked by Yaur · · Score: 2

      The password they have for me was from the linkedin breach.

  8. How do we actually know? by Sebastopol · · Score: 2

    I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).

    Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?

    --
    https://www.accountkiller.com/removal-requested
    1. Re:How do we actually know? by YttriumOxide · · Score: 2

      I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords?

      Statistics, probably not. But to confirm they're not just all made up, I checked a few of the ones that were obviously a password for another site (one of the '+' addresses) and after 4 tries, found one that worked (on the 'other site', not on gmail). So they're definitely not just 'made up' passwords; they just aren't necessarily a password that was ever actually used for the email address they're associated to.

      --
      My book about LSD and Self-Discovery
      Also on facebook as: DroppingAcidDaleBewan
  9. Check your address here by bigjocker · · Score: 3, Informative

    Use this page to check if your address is in the leaked database. I'm using the list (without passwords) that was published here on Slashdot in the above comments. I'm not capturing the email addresses of the people using the tool:

    https://bigjocker.com/qd/googl...

    If you don't trust me (and I don't blame you), just download the file posted a few comments above this one and grep yourself:

    ngranek@trantor:~/Downloads$ grep bigjocker google_5000000.txt
    ngranek@trantor:~/Downloads$

    --
    Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
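Two things in this thread are done by hand: stewsters' tally of the text after '+' in the Gmail addresses, which hints at which sites the credentials were harvested from, and bigjocker's advice to grep the list locally rather than paste your address into a third-party checker. The script below is an added example, not code from the thread or from any poster. It assumes the dump is one `email:password` pair per line (the circulating lists linked above are reportedly usernames only, so the sample lines are constructed, not taken from the real file). Because Gmail ignores dots in the local part, ignores everything after '+', and treats googlemail.com as gmail.com, a literal grep for your address can miss variants of it; the membership check canonicalises both sides first.

```python
"""Offline analysis of an email:password dump (added example, constructed data)."""
from collections import Counter
from typing import Iterable, Optional

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample in the assumed email:password format. Not real leaked data.
SAMPLE_DUMP = """\
alice+xtube@gmail.com:hunter7
bob.smith+daz3d@gmail.com:bryce123
Bob.Smith+eharmony@googlemail.com:lovelife
carol@gmail.com:password1
dave+xtube@gmail.com:qwerty
erin+filedropper@gmail.com:letmein
frank+1@gmail.com:abc123
# malformed line without separator
broken-line
grace@example.org:notgmail
"""


def parse_dump(lines: Iterable[str]):
    """Yield (email, password) pairs; skip blank, comment and malformed lines.
    Passwords may themselves contain ':', so split on the first separator only."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip(), password


def split_gmail(email: str):
    """Return (base_local, plus_tag) for a Gmail/Googlemail address, else None.
    base_local is lower-cased with dots removed, matching how Gmail routes mail."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or domain not in GMAIL_DOMAINS:
        return None
    local, _, tag = local.partition("+")
    return local.replace(".", ""), tag or None


def canonical_gmail(email: str) -> Optional[str]:
    """Canonical form of a Gmail address, e.g. 'A.B+x@googlemail.com' -> 'ab@gmail.com'."""
    parts = split_gmail(email)
    return None if parts is None else parts[0] + "@gmail.com"


def plus_tag_histogram(records) -> Counter:
    """Count the '+tag' suffixes, the same tally stewsters posted above."""
    counts = Counter()
    for email, _ in records:
        parts = split_gmail(email)
        if parts and parts[1]:
            counts[parts[1]] += 1
    return counts


def is_listed(my_address: str, records) -> bool:
    """Local membership check that survives dot/plus/googlemail variants.
    Non-Gmail addresses fall back to an exact, case-insensitive comparison."""
    mine = canonical_gmail(my_address)
    if mine is None:
        mine = my_address.strip().lower()
        return any(email.strip().lower() == mine for email, _ in records)
    return any(canonical_gmail(email) == mine for email, _ in records)


def accounts_with_multiple_passwords(records) -> dict:
    """Canonical accounts that appear with more than one password: a sign that
    the list was stitched together from several breaches rather than one source."""
    seen = {}
    for email, password in records:
        key = canonical_gmail(email) or email.strip().lower()
        seen.setdefault(key, set()).add(password)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = list(parse_dump(SAMPLE_DUMP.splitlines()))
    for tag, n in plus_tag_histogram(recs).most_common():
        print(f"{tag} : {n}")
    print("listed:", is_listed("Bob.Smith@gmail.com", recs))
    print("multi-source accounts:", accounts_with_multiple_passwords(recs))
```

To run it against a real file, replace `SAMPLE_DUMP.splitlines()` with `open("google_5000000.txt")`; nothing leaves the machine, which is the whole point of bigjocker's grep suggestion.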
  10. Maybe a fraction of the actual list (and outdated) by John Bokma · · Score: 4, Interesting

    I guess this is just a small fraction of the actual list, because such a list has a value, and why just hand it out for free? Releasing a fraction and watching people get upset because they are on the list, and it's actually their password, however, increases the value of the actual list. Even more so if the actual list is more recent.

  11. Re:What's email? by jcoy42 · · Score: 3, Informative

    ...sez the guy whose homepage is facebook.

    --
    Never trust an atom. They make up everything.
  12. Am I the only one? by Russ1642 · · Score: 4, Interesting

    A total surprise to me that my email address was on the list, and they had the current password. I changed that immediately and activated 2-factor authentication. So the next question is how did they get it? It's a unique string of random crap, so it had to be intercepted rather than brute forced, either by a malicious Android app or, more likely, I signed in on a compromised computer. Anyone have any ideas?

    1. Re:Am I the only one? by Russ1642 · · Score: 2

      Most likely the two symbols that were shown on the isleaked website were also in a different password of mine and they never really had the proper Gmail password. I have no way of verifying this. However, I can say for certain that I've never used my Gmail password anywhere but Gmail. I have unique passwords for every single account I have on all websites. I use UPM as a password manager on my Android phone with a ridiculously long master password. I doubt it got hacked.

  13. Re:Scary-ish by Torp · · Score: 2

    I was wrong. This is NOT a leak of passwords from google accounts.
    I checked my account on isleaked.com and it was NOT the Google password, but the easily guessed password I use for accounts that I don't care about.
    If your google password is unique, you're safe. If you reused it on low security sites... not so much.

    --
    I apologize for the lack of a signature.