What you need to know about the Gmail password compromise

Five million hacked passwords dumped on Russian cybercrime forums

There's no need to panic about the nearly five million compromised Gmail passwords that appeared in a Russian Bitcoin security forum this week, according to Google.

Fewer than 2% of the compromised username and password combinations work, Google's spam and abuse team said in a blog post late yesterday. They also say Gmail's automated anti-hijacking systems would block many potential login attempts.

"We've protected the affected accounts and have required those users to reset their passwords," team members wrote in the blog post. "One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' -- the posting of lists of usernames and passwords on the Web. We're always monitoring for these dumps so we can respond quickly to protect our users."

Gmail is Google's free, cloud-based email service that is integrated with Google Docs.

Google responded this week to reports that hackers had gained access to the credentials of five million Gmail users. The username and password combinations appeared on Russian cybercrime forums.

Peter Kruse, head of the eCrime unit at CSIS Security Group in Copenhagen, said Wednesday that most of the nearly five million stolen Gmail passwords are about three years old, though many are still legitimate and functioning.

He said CSIS experts suspect several hackers worked together, possibly using an endpoint compromise.

Google was quick to note that its systems had not been hacked.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google's spam and abuse team wrote. "Often, these credentials are obtained through a combination of other sources."

John Shier, a senior security advisor with U.K.-based security company Sophos, said some Gmail users have reported that their usernames and passwords were part of the dump, lending credence to the claim that these are legitimate Gmail credentials. He, too, doubts the dump followed a hack into Google's systems.

Instead, the compromise likely stems from people being lax in their use of unique, strong passwords.

"Let's say, you want to create a new account on Reddit," he explained. "It will ask you for a user name and very often that user name is your email address. And then you use the same password. Very often people use their Gmail address as their user name for a variety of different sites -- just to identify themselves."

Google's team has the same theory.

"If you reuse the same username and password across Websites, and one of those Websites gets hacked, your credentials could be used to log into the others," they noted. "Or attackers can use malware or phishing schemes to capture login credentials."

Shier pointed out that if hackers get usernames and passwords that people use on multiple sites, they could gain access to various aspects of a user's life. "If you use the same password for Facebook and your banking account, that could just lead to trouble," he said. "They could lock you out of your own account or they could steal your identity."
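The mechanism both Google and Shier describe is simple to see in code: a dump is a list of email:password pairs, and whoever holds it replays each pair against other services, so any account that reused the password opens. The same replay is what lets a provider measure how much of a dump still works (Google's "fewer than 2%" figure) and force resets on exactly those accounts. The following is an added example, not Google's code: it parses a constructed dump, checks it against a constructed user store that holds only salted, iterated password hashes, and returns the accounts whose leaked password still verifies. All names, addresses and the low PBKDF2 iteration count are demo assumptions.

```python
"""Check a leaked credential dump against a service's own user store.

Added example (not Google's code). Constructed data throughout.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Deliberately low so the demo runs fast; production should use a far
# higher count (or scrypt/Argon2). Demo assumption.
PBKDF2_ITERATIONS = 20_000


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(password: str) -> StoredCredential:
    """Salted, iterated hash: the store never holds the plaintext."""
    salt = os.urandom(16)
    return StoredCredential(salt, _derive(password, salt))


def verify_password(password: str, cred: StoredCredential) -> bool:
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)


def parse_dump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Turn raw 'email:password' lines into unique (email, password) pairs.

    Addresses are case-insensitive, so they are lower-cased for matching;
    passwords are kept verbatim (they may themselves contain ':').
    Lines without a separator or a plausible address are dropped.
    """
    seen: Set[Tuple[str, str]] = set()
    pairs: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        pair = (email, password)
        if pair not in seen:
            seen.add(pair)
            pairs.append(pair)
    return pairs


def check_dump(pairs: Iterable[Tuple[str, str]],
               user_store: Dict[str, StoredCredential]) -> Dict[str, object]:
    """Return which of our accounts the dump still opens, plus summary counts."""
    pairs = list(pairs)
    our_accounts = 0
    still_valid: Set[str] = set()
    for email, password in pairs:
        cred = user_store.get(email)
        if cred is None:
            continue  # not one of our users; nothing to check
        our_accounts += 1
        if verify_password(password, cred):
            still_valid.add(email)  # reused or never rotated: replay would succeed
    return {
        "pairs": len(pairs),
        "our_accounts": our_accounts,
        "still_valid": still_valid,
        "hit_rate": len(still_valid) / len(pairs) if pairs else 0.0,
    }


# Constructed user store: bob and carol reused their password on a site that
# was later breached; alice rotated hers years ago.
USER_STORE: Dict[str, StoredCredential] = {
    "alice@example.com": store_password("correct horse battery staple"),
    "bob@example.com": store_password("hunter2"),
    "carol@example.com": store_password("Tr0ub4dor&3"),
}

# Constructed dump lines with the noise real dumps carry: mixed case,
# duplicates, junk lines, accounts that belong to other services.
DUMP_LINES = [
    "Bob@Example.com:hunter2",
    "bob@example.com:hunter2",
    "alice@example.com:oldpassword2011",
    "carol@example.com:Tr0ub4dor&3",
    "dave@example.com:whatever",
    "this line has no separator",
    "eve@example.com:pa:ss:word",
]


def run_demo() -> Dict[str, object]:
    result = check_dump(parse_dump(DUMP_LINES), USER_STORE)
    # Only accounts whose dumped password still works need a forced reset.
    result["force_reset"] = sorted(result["still_valid"])
    return result


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['pairs']} pairs, {r['our_accounts']} name our accounts, "
          f"{len(r['still_valid'])} still work ({r['hit_rate']:.0%})")
    print("force reset:", ", ".join(r["force_reset"]))
```

Two design points matter in practice. The check never logs or persists the dumped plaintext: each candidate is hashed with the account's own salt and compared in constant time, then discarded. And the hit rate is computed over the whole dump, not just your own users, which is the form Google's 2% figure takes; in the constructed data it is 40% because the sample is tiny and two of three accounts reused their password.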

What should Gmail users do now?

Security experts generally agree that this is a good time for users to change their Gmail passwords and to use strong ones: long, and mixing upper and lower case letters, numbers and punctuation marks. Don't reuse the same password across websites and applications; a password manager makes unique passwords practical. Two-step verification, where it is offered, adds a second factor, so a leaked password alone is not enough to log in.

Google also advised people to update their recovery options so the company can reach them by phone or email if they're locked out of their accounts. Gmail users can go to this page for a list of Google's security controls.

"Don't panic," said Shier. "If you change your passwords and make sure your passwords are complex and you don't reuse them, you should be in good shape."


Stories by Sharon Gaudin
