Slashdot Mirror

← Back to Stories (view on slashdot.org)

5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

Posted by samzenpus on from the big-list dept.

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — are circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.

14 of 203 comments (clear)

  1. OK by YrWrstNtmr · · Score: 4, Interesting

    So where do we go to find the actual "list of exposed credentials" ?

    1. Re:OK by Anonymous Coward · · Score: 5, Informative

      https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls

      just the usernames, not the passwords.

    2. Re:OK by TACD · · Score: 5, Informative

      The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!...

      --
      Security through promiscuity is no better than security through obscurity.
    3. Re:OK by Anonymous Coward · · Score: 5, Informative

      I'm not sure where the list is available, but you can check if you are on the list here

    4. Re:OK by Richy_T · · Score: 5, Funny

      Maybe someone should just do a courtesy mass-mailing based on the list.

    5. Re: OK by Anonymous Coward · · Score: 5, Funny

      With typing skills like that how the fuck do you ever type your password correctly? :)

  2. Apple needs to be held accountable... by frnic · · Score: 4, Funny

    Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

  3. Two factor authentication time! by slk · · Score: 5, Informative

    Google offers 2FA for free, labled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevent. Can do SMS, Authenticator app, etc.

    --
    ERROR: Null .sig, core dumped.
    1. Re:Two factor authentication time! by peragrin · · Score: 4, Informative

      Except google has a policy for that an can give you a one step password for the particular device.

      --
      i thought once I was found, but it was only a dream.
  4. Probably a few sites were hacked by stewsters · · Score: 5, Informative

    With a gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and seems like these credentials are stolen from a few different sites. Here are the most popular after plus endings from the 5 mill:

    xtube : 176
    daz : 133
    1 : 125
    filedropper : 88
    daz3d : 66
    eharmony : 64
    friendster : 63
    savage : 62
    2 : 60
    spam : 57
    bioware : 54
    savage2 : 52
    bryce : 51
    hon : 40
    freebiejeebies : 32
    3 : 28
    eh : 27
    4 : 25
    policeauctions : 19
    bravenet : 18
    filesavr : 18

    1. Re:Probably a few sites were hacked by brunes69 · · Score: 5, Informative

      Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.

    2. Re:Probably a few sites were hacked by malakai · · Score: 4, Informative

      Can confirm. the password it had for one on my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my GMail, or any account I cared about.

      I checked two other g-mail accounts that I primarily use for work, and neither were on the list.

      I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.

      Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).

      --
      -Malakai
      A Dragon Lives in my Garage
  5. Maybe a fraction of the actual list (and outdated) by John+Bokma · · Score: 4, Interesting

    I guess this is just a small fraction of the actual list, because such a list has a value and why just handing it out for free? Releasing a fraction and seeing people going upset because they are on the list, and it's actually their password, however, increases the value of the actual list. Even more so if the actual list is more recent.

    --

    Perl Programmer for hire
  6. Am I the only one? by Russ1642 · · Score: 4, Interesting

    A total surprise to me that my email address was on the list, and they had the current password. I changed that immediately and activated 2-factor authentication. So the next question is how did they get it? It's a unique string of random crap so it had to be intercepted rather than brute forced either with a malicious android app or, more likely, I signed in on a compromized computer. Anyone have any ideas?