The account details of 5 million Gmail users have been ‘dumped’ online, but Google denies it was hacked
Google has denied that its systems were breached after the account details of more than 4.9 million Google accounts were leaked to a number of Russian forums.
The denial came after a user known as “tvskit” posted a large text file to the Bitcoin Security forum on Tuesday.
That user claimed that more than 60 percent of the passwords in the 50MB file were valid. Google has denied this as well.
In a blog posting on the matter, it said that less than 2 percent of the username and password combinations might have worked. “Our automated anti-hijacking systems would have blocked many of those login attempts,” wrote Google. “We’ve protected the affected accounts and have required those users to reset their passwords.”
So how did the account details appear online? Not, it seems, from a hack or breach of Google’s systems.
“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” said Google. “Often, these credentials are obtained through a combination of other sources.”
“For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others,” said Google. “Or attackers can use malware or phishing schemes to capture login credentials.”
The leaked data also appears to be old: researchers at CSIS who analysed it concluded that it is up to three years old, based on correlations with past leaks.
“We can’t confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate,” Peter Kruse, CTO at CSIS Security Group, a Danish security company, was quoted as saying by PC World.
“We believe the data doesn’t originate from Google directly,” Kruse reportedly said. “Instead it’s likely it comes from various sources that have been compromised.”
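The two checks described above, Google’s estimate that under 2 percent of the pairs would actually have worked and CSIS’s dating of the dump by correlating it with earlier leaks, both come down to running a parsed dump against other data sets. The script below is an added example, not code from the article, Google or CSIS: it parses a constructed `user:password` dump, counts how many pairs reappear verbatim in a constructed prior-leak corpus, and tests each pair against a constructed salted-PBKDF2 password store standing in for a service’s credential database. The dump, the prior leaks and the store contents are all made up here.

```python
"""Triage of a leaked username:password dump against prior leaks and a
service's own password store.

Added example; not code from the article, Google or CSIS. The dump, the
prior-leak corpus and the password store are constructed inline so the
script runs offline."""
import hashlib
import hmac
import os

# Constructed prior-leak corpus of (username, password) pairs from older
# breaches. Real triage would load these from files.
PRIOR_LEAKS = {
    ("alice", "hunter2"),
    ("bob", "letmein"),
    ("carol", "Passw0rd!"),
}

# Constructed raw dump in the usual "user:password" line format, including
# a malformed line and an exact duplicate.
DUMP_TEXT = """alice:hunter2
bob:letmein
carol:Passw0rd!
dave:correct horse
erin:qwerty
bad line without separator
alice:hunter2
"""


def parse_dump(text):
    """Parse 'user:password' lines; split on the first ':' only (passwords
    may contain ':'), drop malformed lines and duplicates, keep order."""
    seen = set()
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        user = user.strip().lower()
        if not user or not pw or (user, pw) in seen:
            continue
        seen.add((user, pw))
        pairs.append((user, pw))
    return pairs


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_store(plaintexts):
    """Build a salted PBKDF2 store from {user: password}; a constructed
    stand-in for a service's real credential database."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(pw, salt))
    return store


def verify(store, user, password):
    """Constant-time comparison of a candidate password against the store."""
    rec = store.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash_password(password, salt), digest)


def triage(pairs, prior_leaks, store):
    """Count unique pairs, pairs already present verbatim in prior leaks
    (a recycled dump), accounts that exist on the service, and pairs that
    would actually log in today."""
    return {
        "total": len(pairs),
        "in_prior_leaks": sum(1 for p in pairs if p in prior_leaks),
        "known_users": sum(1 for u, _ in pairs if u in store),
        "valid": sum(1 for u, pw in pairs if verify(store, u, pw)),
    }


if __name__ == "__main__":
    # Constructed service state: alice and carol changed their passwords
    # since the leak, bob and dave did not, erin has no account here.
    store = make_store({
        "alice": "new-and-unique-passphrase",
        "bob": "letmein",
        "carol": "changed-after-breach",
        "dave": "correct horse",
    })
    print(triage(parse_dump(DUMP_TEXT), PRIOR_LEAKS, store))
```

Only the pairs counted under `valid` need forced password resets; the `in_prior_leaks` figure is the kind of overlap that lets an analyst say a dump is recycled rather than the product of a fresh breach.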
Google sought to reassure Gmail users by pointing out that accounts are constantly monitored, and that if it sees unusual account activity it will prevent sign-in attempts from unfamiliar locations and devices.
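The monitoring Google describes, refusing a correct password when it arrives from an unfamiliar location and device, is a risk-based sign-in check. The code below is an added example of that logic run over constructed sign-in events; it is not Google’s code. The event fields, the use of country as the location granularity and the scoring weights are assumptions made for the example.

```python
"""Risk-based sign-in check of the kind the article says Google applies:
a correct password from an unfamiliar location and device is not enough.

Added example, not Google's code. The event fields, country as the
location granularity and the score weights are assumptions; the sign-in
events are constructed inline."""
from collections import defaultdict

# Constructed sign-in events, oldest first:
# (user, country, device_id, password_ok)
EVENTS = [
    ("alice", "DK", "dev-a1", True),
    ("alice", "DK", "dev-a1", True),
    ("bob",   "US", "dev-b1", True),
    ("alice", "RU", "dev-x9", True),   # right password, unfamiliar country and device
    ("bob",   "US", "dev-b2", True),   # familiar country, new device
    ("bob",   "US", "dev-b1", False),  # wrong password
]


class SignInMonitor:
    """Per-account profile of countries and devices seen on allowed sign-ins."""

    def __init__(self):
        self.countries = defaultdict(set)
        self.devices = defaultdict(set)

    def evaluate(self, user, country, device, password_ok):
        """Return 'deny', 'challenge' or 'allow'.

        Only allowed sign-ins update the profile, so an attacker cannot make
        a device 'familiar' by failing passwords or by being challenged."""
        if not password_ok:
            return "deny"
        seen_countries = self.countries[user]
        seen_devices = self.devices[user]
        # A brand-new account has no history; its first sign-in sets the baseline.
        new_country = bool(seen_countries) and country not in seen_countries
        new_device = bool(seen_devices) and device not in seen_devices
        # Assumed weights: an unfamiliar country alone is enough to challenge,
        # a new device at a familiar location is not.
        score = 2 * new_country + 1 * new_device
        if score >= 2:
            return "challenge"  # require 2-step verification before access
        seen_countries.add(country)
        seen_devices.add(device)
        return "allow"

    def learn(self, user, country, device):
        """Record a location and device once a challenge has been passed."""
        self.countries[user].add(country)
        self.devices[user].add(device)


def run(events):
    """Evaluate events in order with a fresh monitor; return the verdicts."""
    mon = SignInMonitor()
    return [mon.evaluate(*e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(verdict.ljust(9), event)
```

The fourth event is the case the article is about: a leaked password that is still correct, but presented from a country and device the account has never used, gets a challenge rather than a session. Credential-stuffing from a recycled dump looks exactly like that.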
Google also recommended that people use a strong password unique to Google, and consider 2-step verification, which adds an extra layer of security to the account.
This sentiment was echoed by security experts.
“While it does seem likely that the logins have been rolled up from older phishing campaigns, it is a timely reminder to ensure everybody is using strong, unique passwords for all of their web services and making use of 2 factor authentication whenever possible,” said Chris Boyd, an Intelligence Analyst at Malwarebytes.
“Many service providers deploy automated hijack detection services, but these aren’t foolproof and we need to do everything we can to ensure we’re working with these systems and not against them,” said Boyd. “Knowing the telltale signs of a phishing page and locking down our accounts as best we can is a good place to start.”
Last month, Mozilla admitted a serious “disclosure” of developer details, including their passwords.
Mozilla said at the time that a failed data sanitization process had resulted in the accidental disclosure of the MDN email addresses of about 76,000 users and the encrypted passwords of about 4,000 users on a publicly accessible server.