Last week, a list of almost 5 million Gmail addresses and passwords was leaked online via a Russian Bitcoin forum.
Users were, of course, initially alarmed; however, according to Google, the danger has been greatly exaggerated. In what is known as a 'credential dump', explained by Google as the posting of lists of usernames and passwords on the web, this particular list has been found to consist predominantly of passwords 3 years old or more.
In most cases, the password and email address combination would not have worked.
Google has stated in a blog post that they “found less than 2% of the username and password combinations might have worked” of the 5 million posted online and their “automated anti-hijacking systems would have blocked many of those login attempts”.
The company also highlighted that it has protected the affected accounts and notified the users to reset their passwords so that their accounts are secure again.
What Really Happened?
While initial reports suggested that Gmail had been ‘hacked’, that is not quite the case. The leaked usernames and passwords were not acquired as a result of a breach of the Google systems and were more likely to be obtained through a combination of sources.
In this case, passwords may have been stolen from smaller websites infected by malware, or through phishing schemes designed to steal login information.
For example, if you re-use the same username and password across multiple websites and one of those websites is targeted by hackers, your personal login credentials could be used to gain access to other websites.
It is also quite common for hackers to 'repost' information which has been released in previous credential dumps. In this instance, the hackers may have used previous dumps to compile a list containing only Gmail accounts, which may explain why a large majority of the passwords were not current.
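As an added example (not code from the original article or from Google), here is how a site operator could triage such a dump against their own user database to estimate how many entries would still work, which is the kind of check behind Google's "less than 2%" figure. It assumes a constructed dump in the usual "email:password" form and a constructed user store where passwords are kept only as salted PBKDF2 hashes with a last-changed date; entries are filtered to the operator's own domain, deduplicated, compared against the stored hash, and live matches are reported with the age of the current password.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed sample dump, in the "email:password" form such lists are usually posted in.
# Note the duplicate for Alice with different letter case and the entry for another domain.
DUMP = """\
alice@example.com:Summer2011!
bob@example.com:hunter2
carol@example.com:correct-horse
dave@otherdomain.net:letmein
ALICE@EXAMPLE.COM:Summer2011!
"""

def hash_password(password, salt, iterations=100_000):
    # Salted PBKDF2-HMAC-SHA256; the store never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(password, last_changed):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "last_changed": last_changed}

# Constructed user store: Alice has kept a 2011 password, Bob rotated his in 2014.
USERS = {
    "alice@example.com": make_user("Summer2011!", date(2011, 6, 1)),
    "bob@example.com": make_user("NewPass-2014", date(2014, 8, 1)),
    "carol@example.com": make_user("correct-horse", date(2014, 9, 1)),
}

def parse_dump(text, domain):
    """Return unique (email, password) pairs for one domain, emails lower-cased."""
    seen, pairs = set(), []
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        email = email.strip().lower()
        if not sep or not email.endswith("@" + domain) or (email, password) in seen:
            continue
        seen.add((email, password))
        pairs.append((email, password))
    return pairs

def triage(text, domain, users, today):
    """Classify dump entries as unknown account, stale password, or live (with age in days)."""
    result = {"unknown": [], "stale": [], "live": []}
    for email, password in parse_dump(text, domain):
        user = users.get(email)
        if user is None:
            result["unknown"].append(email)
        elif hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            result["live"].append((email, (today - user["last_changed"]).days))
        else:
            result["stale"].append(email)
    return result
```

Accounts in the "live" list are the ones to force a reset on; the age figure shows how old the still-working passwords are.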
What Are The Key Lessons Here?
Password re-use. It is becoming increasingly important to ensure that you use unique passwords every time you register on a new website. If you tend to use the same password to register on websites as your email login password, you are practically handing your personal details to hackers on a silver platter!
If you currently use the same usernames and passwords across multiple websites, it is important you set time aside to change them to be unique.
When creating new passwords, try to make them quite long, using a combination of special characters and numbers, which makes them more difficult to guess. There are quite a number of secure online password managers to assist you in keeping track of your passwords.
Also, where two-factor authentication services are available – use them. This provides a second safety net against hackers accessing your accounts, even if they steal your password.