Google says 5m Gmail password dump wasn’t because it was hacked

In a quick response to a leaked list of millions of Gmail credentials, Google has clarified it wasn’t breached and that only two percent of username and password combinations might have worked.

News spread on Wednesday of a file published on a Russian Bitcoin forum containing nearly five million username and password combinations, most of them for Gmail accounts but also Yahoo and Russian webmail accounts. According to Troy Hunt, the Australian security researcher who operates a compromised-account checker, the file contained 123,000 email addresses and passwords.

Initial responses to the leaked file on Reddit suggested that many of the credentials were old, meaning the username and password combinations in the file were no longer valid and posed little risk to the users listed. Security experts who have parsed the file, however, believe that while the credentials were gathered over several years, many of them remain current.

Late Wednesday, Google's Spam and Abuse team issued a statement denying that the credentials in the file had been obtained through a breach of its systems. It pointed instead to "other sources": people reusing the same password on other sites that were subsequently breached, credential-stealing malware, and phishing.

“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources,” said Google.

The company also said that the vast majority of credentials couldn’t be used to gain entry to Gmail accounts.

“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords,” said Google.

Still, two percent of five million is up to roughly 100,000 accounts whose working credentials are now in the public domain, and Google's figure counts only combinations that would have worked on Gmail; the same reused passwords may still be valid on the other sites they were originally taken from.
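The triage Google describes, checking each leaked username:password pair against the real account store and forcing a reset only where the password still works, is something any service can run against a dump like this one. The following is an added example, not Google's code or anything from the original article. It assumes a user store of salted PBKDF2 hashes and uses constructed, hypothetical addresses and passwords; the point is that the leaked plaintext is only ever compared against stored hashes with a constant-time comparison, never persisted, and that a stale entry for an account (an old password that no longer matches) is separated from a live one.

```python
"""Triage a leaked email:password dump against a local user store (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Constructed sample dump lines in the email:password format of the leaked file.
# All addresses and passwords are hypothetical, not data from the real dump.
SAMPLE_DUMP = """\
alice@example.com:Summer2014
bob@example.com:correct horse:battery staple
carol@example.com:hunter2
dave@example.com:password123
malformed line without separator
alice@example.com:Summer2013
"""

# Constructed current credentials for the service's own users (hypothetical).
# alice and bob still use the leaked password; carol has since changed hers;
# dave has no account here at all.
CONSTRUCTED_USERS = {
    "alice@example.com": "Summer2014",
    "bob@example.com": "correct horse:battery staple",
    "carol@example.com": "Autumn2014",
}

PBKDF2_ITERATIONS = 100_000


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines. Passwords may themselves contain ':',
    so split only on the first separator; skip blank or malformed lines."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever hash the store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a store of email -> (salt, hash); plaintexts are discarded."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in creds.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def triage(dump_pairs: List[Tuple[str, str]],
           store: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Set[str], Set[str]]:
    """Return (live, stale): accounts whose leaked password still verifies,
    and accounts that appear in the dump but only with a password that no
    longer matches. Addresses with no account here are ignored."""
    live: Set[str] = set()
    stale: Set[str] = set()
    for email, password in dump_pairs:
        entry = store.get(email)
        if entry is None:
            continue
        salt, stored_hash = entry
        # Constant-time comparison so the check itself leaks no timing signal.
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            live.add(email)
        else:
            stale.add(email)
    # An account listed with both an old and a current password is live.
    return live, stale - live


def run_triage() -> Tuple[Set[str], Set[str]]:
    """Convenience entry point over the constructed data above."""
    return triage(parse_dump(SAMPLE_DUMP), make_user_store(CONSTRUCTED_USERS))


if __name__ == "__main__":
    live_accounts, stale_accounts = run_triage()
    print("force password reset:", sorted(live_accounts))
    print("present but stale, notify only:", sorted(stale_accounts))
```

Accounts in the live set get the forced reset and a session revocation; stale entries are still worth a notification, because the user who once chose that password may be reusing it elsewhere, which is exactly the "other sources" problem Google describes.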

Similar to Apple's response following last week's Celebgate iCloud photo leak, Google advised users to turn on two-factor authentication in addition to configuring its other account recovery options.

Following the breach of celebrities’ iCloud accounts, Apple CEO Tim Cook promised to “broaden” its use of two-factor authentication in iCloud in addition to sending email and push notification alerts to users when an account’s password is changed, as well as when a new device is used to restore or log into an iCloud account.

While Apple had already offered two-factor authentication for Apple IDs, a weakness spotted by researchers last year was that it did not cover iCloud backups, meaning an attacker holding the right username and password could download backed-up photos without ever being challenged for a second factor.

Stories by Liam Tung