Leak of '5 MEELLLION Gmail passwords' creates security flap

Plain-text passwords and account names linked to five million Gmail accounts have been leaked onto several Russian forums. Security experts had already confirmed the data seemed legit, albeit approximately three years old, before Google put up its blog post on the subject. The leak, to a variety of forums, not all of which …

  1. Buzzword

    Not my GMail password

    They have my GMail address, but not a password that I ever used with the service. They have a low-entropy easy-to-type password that I regularly use for one-off sign-ups on sites that I couldn't care less about. Unfortunately that doesn't help narrow down the source of the leak, other than to exclude Google themselves.

    1. Sebastian Brosig

      Re: Not my GMail password

      Since the password file is out there, couldn't Google download it, check the passwords' validity, and email / SMS anyone whose actual password has been leaked?

      Am I wrong in thinking there should be no risk with that, other than the Google staffer searching for the relevant torrent being exposed to some "23 hot women near you want to date you tonight"-style links? (*blush* )

      1. Camilla Smythe

        Re: Not my GMail password

        Silly as it may seem, and I am not known to be particularly intelligent, I would assume that Google does not 'know' the passwords... salted cashews and such stuff. If they did download the file then in order to check for compromised accounts they would have to use the information to see if they could log in to the accounts and that might put them on the wrong side of the law. Of course assuming these are accounts that Google regularly sniffs the data from to spaff adverts at people then things possibly become even sillier. Anyway, as suggested, they might find themselves charged with doing something nefarious. Errr, pass the paracetamol.

        1. Anthony 13

          Re: Not my GMail password

          Yes they have checked - via Ars - http://googleonlinesecurity.blogspot.co.uk/2014/09/cleaning-up-after-password-dumps.html

          "We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords."

        2. Lionel Baden

          Re: Not my GMail password

          Regardless of whether they know the password or not, any gmail address on the list should be informed that their password was leaked at some point.

          It would be nice to know if I were on it.

          1. Cliff

            Re: Not my GMail password

            I was concerned for a moment then remembered 2FA, I've plenty of time to update my password if it appears to have been compromised

            1. M. B.

              Re: Not my GMail password

              I was concerned as well when I saw this. I had a couple of "failed login attempts" from somewhere in northern Nevada a few months back, and I used KeePass to generate a strong random password and enabled two-factor. Also did the same for Windows Live and Apple ID, and proceeded to generate random KeePass passwords for any sites using my Gmail account as a login. Now I just want my financial institutions to all offer the same.

          2. Dave Bell

            Re: Not my GMail password

            I'd agree that something might be at risk if you didn't know you were on the list.

            I suspect some confusion between the actual Gmail account, and accounts on other sites which use email address and password as login credentials. You can expect a site username to be a little less open than an email address, but I know of some significant (if not hugely sensitive) accounts which require an email address. I have to use that for the repeat prescription service offered by my GP.

            But I don't publish my Gmail address. I redirect email through my personal domain name, to read through Gmail, and so my public email addresses don't have an obvious link to Gmail.

            I set this up a long time ago and, while I am certainly a little worried about this, I don't feel vulnerable. I do have the feeling that conclusions have been enthusiastically jumped to.

            I am more worried about how easy it is to find the answers to common "security" questions.

        3. Timmay

          @ Camilla Smythe

          Just sprinkle hash and salt and whatever on the stolen plaintext passwords, and compare to the hashed values in the database. You don't need to know the plaintext password in the database to be able to compare it to the "stolen" one.

          Probably.

        4. Adam 1

          Re: Not my GMail password

          >I would assume that Google does not 'know' the passwords... salted cashews and such stuff.

          You're right that they won't know the passwords in their database, but they can perform a match between the hashed password and what they stored. If they couldn't then it should be self evident that they also couldn't validate your credentials when you visited their website.
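Timmay's and Adam 1's point above, as an added worked example that is not from the thread and is not Google's code: a provider holding only salted hashes can still test a leaked plaintext dump against its store and force resets where a credential still matches. The PBKDF2 parameters, record layout and all sample data are constructed for the example.

```python
# Added example: screen a leaked "user:password" dump against a store that
# keeps only per-user salts and PBKDF2 digests, never plaintext passwords.
# Assumptions: PBKDF2-HMAC-SHA256 with a toy work factor; constructed data.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this toy store


def make_record(password: str) -> dict:
    """Store a random 16-byte salt and the digest; the plaintext is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def matches(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare avoids timing leaks."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def accounts_to_reset(store: dict, dump_lines: list) -> list:
    """Return the usernames whose leaked credential still matches the stored hash."""
    hits = []
    for line in dump_lines:
        if ":" not in line:
            continue  # skip malformed dump lines rather than crash
        user, _, leaked_pw = line.partition(":")  # split on the first colon only
        user = user.strip().lower()
        record = store.get(user)
        if record is not None and matches(record, leaked_pw):
            hits.append(user)
    return hits


# Constructed sample data: a tiny credential store and a constructed dump.
STORE = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("bob-current-2014"),
}
DUMP = [
    "alice@example.com:correct horse battery staple",  # still valid -> force reset
    "bob@example.com:bob-old-2011",                    # stale (old) password -> no hit
    "carol@example.com:whatever",                      # not a user of this store
    "garbage line without a separator",                # malformed, skipped
]

if __name__ == "__main__":
    print(accounts_to_reset(STORE, DUMP))  # ['alice@example.com']
```

Only accounts whose current hash verifies against the dumped plaintext are flagged, which is the same check a login would perform, so the plaintext in the store is never needed.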

  2. nigel 15

    The list

    Being as I do come from the geographical area of England, I would like to see the list, to see if I'm on it.

    Seems reasonable to me.

    1. SuperNintendoChalmers

      Re: The list

      Nigel, you can check if your address was on the list at https://haveibeenpwned.com/.

      It's run by a guy called Troy Hunt (http://www.troyhunt.com/), an Aussie security person.

      1. Lionel Baden

        Re: The list

        Brilliant.

        Many thanks

      2. Alistair

        Re: The list

        Handy link there SNC

        I'm not on the list, but the account I set up for the 8 year old is on the list. I'll have to go find the actual list and see if it has the (one) password I stuffed on it 3 months before he was born.

        I find it hard to believe they "cracked" that one, it's not something rational. Nor am I most days.

      3. A. Coatsworth Silver badge

        Re: The list

        Thanks, Supernintendo!

        Although, to be frank, when I put my email into a site called "have I been pwned", I half expected the result would be: "well, you have been now, mate!"

  3. Neil Barnes Silver badge

    Logged into gmail for the first time in a year

    And found nothing other than offers for pizza, different pizza, and for some reason I don't understand, tea.

    Changed the password anyway.

    1. Dazed and Confused

      Re: Logged into gmail for the first time in a year

      > and for some reason I don't understand, tea.

      Is tea the new Viagra?

      Funny, I thought tea was the alternative to needing that.

  4. ByeLaw101

    Small mistake in article?

    "and a move towards multi-user authentication is required"

    Do you mean

    "and a move towards multi-factor authentication is required"

    1. h4rm0ny

      Re: Small mistake in article?

      Well with a leaked database, it could be multi-user...

    2. Vociferous

      Re: Small mistake in article?

      > "a move towards multi-factor authentication is required"

      Google already uses two factor, and it's a royal pain in the behind. I have 2-3 real accounts which actually matter, the rest are throwaway accounts, and I do not need secure throwaway accounts.

      I'm not sure why everyone wants to pretend that all accounts are vital and important, when it's so blatantly obvious that all of us have dozens upon dozens of junk accounts we really couldn't care less if they are hacked.

      1. Selden

        Re: Small mistake in article?

        @Vociferous: I must strongly disagree about Google's 2SV being a royal pain in the behind. Once 2SV is set up, it's completely transparent. The knowledge that I will get an alert if someone does manage to crack my Google password, *and* that the perp won't be able to do anything with it without the verification code sent to my phone, lets me sleep much easier.

  5. Conrad Longmore

    You can check..

    You can check if your password is in the list using https://isleaked.com/en

    1. Potemkine Silver badge

      Re: You can check..

      Before going to that site, ask yourself, who are these guys, and can I trust them?

  6. Doodling along

    Multi-user authentication?

    What is that then?

    1. Anonymous Coward

      Re: Multi-user authentication?

      Needs two people to log into your account. Simple!

      1. Lionel Baden

        Re: Multi-user authentication?

        You mean like Myself and the NSA ?

        1. Anonymous Coward

          Re: Multi-user authentication?

          No, the NSA don't need a password to login.

          1. Dazed and Confused

            Re: Multi-user authentication?

            > No, the NSA don't need a password to login.

            But they insist on knowing anyway. You're not even allowed to keep that secret

    2. Anonymous Coward

      Re: Multi-user authentication?

      Yet another feature that VMS had about 30 years ago.

      And if I'm not mistaken it was there on mainframes before that.

      It's where you need two people to enter different passwords to get into the account that has the super sekrit blueprints.

      Or payroll.

      1. r00ty

        Re: Multi-user authentication?

        Turn both keys. At the same time?

        1. You have not yet created a handle

          Re: Multi-user authentication?

          @r00ty

          Exactly what I was thinking.. The problem with Multi-user authentication is it only takes a bottle of whiskey and a load of string to break it

  7. Anonymous Coward

    Primarily [linked to the] geographical catchment area [of] the United States and England,

    So how does that work then? How can you tell where a gmail.com account user is based without having more details? Did the hackers enter the accounts one by one and discard those where the user had selected a non US/UK or possibly DK location? Does google keep your details on different servers based on where you claim to live? Or maybe the accounts are even older and from the time when you had to be invited to have a gmail account and would more likely be a US based user? All sounds rather odd.

    1. This post has been deleted by its author

    2. Tom 7

      Re: Primarily [linked to the] geographical catchment area [of] the United States and England,

      I'd imagine someone got onto a server and did 'Select * from IDDATABASE WHERE USER_LOCATION IN (the money);' or thereabouts, so they could get away with a USB stickload of info rather than waiting a long time for the full table(s) to download.

    3. Andy Livingstone

      Re: Primarily [linked to the] geographical catchment area [of] the United States and England,

      Not really affected by the looks of it. I'm in the UK, but not in England.

  8. WonkoTheSane

    Lucky me

    These are all *@gmail.com usernames. I've always dismissed the "Convert your googlemail.com address to gmail.com" popup box.

  9. Winkypop Silver badge

    Awwww

    How come I never make these lists?

    1. Anonymous Coward

      Re: Awwww

      Bet you also get letters from Readers Digest saying that you haven't been entered in their prize draw.

  10. Eugene Crosser

    And here is why they did it:

    • Dump purported leaked passwords (but really just junk), publicise the move.
    • People hear about it, and rush to update their passwords.
    • Run DNS poisoning attack against mail relays
    • Intercept password reset links, and use them to hijack accounts
    • Profit!

  11. hi_robb

    Interesting

    I had a text from Google last week to say someone had tried to log in to my account and they'd stopped it as it looked suspicious. I had to change the password.

    I wonder if this is the reason?

    D

    1. Selden

      Re: Interesting

      @hi_robb: Maybe yes, maybe no. It is not unknown for phishers to send fake e-mails that look to be communications from Google, but are not. Check the message headers to verify authenticity.

      https://support.google.com/mail/answer/8253?hl=en

  12. Rob

    Related

    I wonder if this is related to someone trying to reset my password for FB this morning. Thankfully my gmail has 2FA, so I won't rush into a blind panic to reset my password.

  13. Anonymous Coward

    "...the United States and England"

    I live in Scotland so I'm all right then. Oh, wait a minute (or should that be a week)...

    An up-vote to SuperNintendoChalmers for the link which tells me that I've been pwned (and a tip of the hat to Troy Hunt for maintaining that site).

  14. John Lilburne

    Given the amount of spammer accounts on Google

    5 million probably equates to 50 real users.

  15. Arachnoid

    It would help

    If Google, Yahoo et al didn't actually use the email address as one of the two log-in criteria [email/password]. This way there would be two unique log-in options as well as the two-factor authentication.

  16. JLAKER

    I was in Scotland when I registered, does that mean I'm ok because the breach only affects people in England? I'm in England now but I might go to Wales later today...will I be safe there? I'm confused.

  17. Marvin O'Gravel Balloon Face

    Ah, that will explain the gmail I got from my mate who was stuck in Cyprus with no money, bank cards or passport...

  18. Cipher

    Odd...

    on a throwaway account I use for registrations, haveI sez 1 owned, Isleaked sez no owned.

    Are they using the same database?

  19. Financegozu

    This cannot have happened

    Only iCloud is vulnerable

  20. Vociferous

    Methinks Google is downplaying things a bit.

    According to the Microsoft site haveibeenpwned.com, four of my seven gmail accounts have been compromised. One of the accounts is ancient, but three were created in 2014. Google did force me to change the password on one of those accounts a couple of months ago.

    Interestingly, none of the accounts is listed as compromised by isleaked.com.

    1. Pascal Monett Silver badge

      You might want to recheck that isleaked.com site

      I went to that site and, when it showed up in Russian by default, I did a whois check on it.

      Google returned this link, which states that the site was registered 2 days before the leak was published.

      I wouldn't go there if I were you.

    2. Selden

      Re: Methinks Google is downplaying things a bit.

      @Vociferous: haveibeenpwned.com is NOT a Microsoft site.

  21. Caesarius

    "up to three years old"

    "Our analysis reveals that there is substantial evidence that this data is up to three years old and primarily [linked to the] geographical catchment area [of] the United States and England, but [we've] also confirmed [a] dozen Danish Gmail accounts"

    If the data is 3 years old then they haven't got my recent password. If the data is 0 years old then they might have it. If the data is up to 3 years old then they might have it. So to my mind that makes the "3 years" entirely irrelevant.

    "the data is probably three years old" FYTY?

    (Like the retail outlet headline "up to 50% off", which actually includes the case where there is no reduction at all, and so the claim is annoyingly content-free.)

  22. Anonymous Coward

    I had my gmail account stolen!

    I've had it for nearly 10 years and when I came to use it, a photo of somebody else was smiling at me when I tried to log in.

    All the security details had changed. No meaningful way to speak to a human at gmail, so no way to get it back!

    So how do you contact gmail to get a fix?

    Very hacked off!

  23. Stig

    When Americans - I mean USA-ians - say 'England' - do they mean UK?
