5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

← Back to Stories (view on slashdot.org)

5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

Posted by samzenpus on Wednesday September 10, 2014 @05:55AM from the big-list dept.

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — are circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.

8 of 203 comments (clear)

Min score:

Reason:

Sort:

Re:OK by Anonymous Coward · 2014-09-10 06:09 · Score: 5, Informative

https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls
just the usernames, not the passwords.
Re:OK by TACD · 2014-09-10 06:10 · Score: 5, Informative

The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!...

--
Security through promiscuity is no better than security through obscurity.
Re:OK by Anonymous Coward · 2014-09-10 06:10 · Score: 5, Informative

I'm not sure where the list is available, but you can check if you are on the list here
Re:OK by Richy_T · 2014-09-10 06:19 · Score: 5, Funny

Maybe someone should just do a courtesy mass-mailing based on the list.
Two factor authentication time! by slk · 2014-09-10 06:22 · Score: 5, Informative

Google offers 2FA for free, labled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevent. Can do SMS, Authenticator app, etc.

--
ERROR: Null .sig, core dumped.
Probably a few sites were hacked by stewsters · 2014-09-10 06:42 · Score: 5, Informative

With a gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and seems like these credentials are stolen from a few different sites. Here are the most popular after plus endings from the 5 mill:

xtube : 176
daz : 133
1 : 125
filedropper : 88
daz3d : 66
eharmony : 64
friendster : 63
savage : 62
2 : 60
spam : 57
bioware : 54
savage2 : 52
bryce : 51
hon : 40
freebiejeebies : 32
3 : 28
eh : 27
4 : 25
policeauctions : 19
bravenet : 18
filesavr : 18
1. Re:Probably a few sites were hacked by brunes69 · 2014-09-10 06:44 · Score: 5, Informative
  
  Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.
Re: OK by Anonymous Coward · 2014-09-10 08:36 · Score: 5, Funny

With typing skills like that how the fuck do you ever type your password correctly? :)