Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Cloud Security

5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise 203

kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — are circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.
This discussion has been archived. No new comments can be posted.

5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise

Comments Filter:
  • OK (Score:5, Interesting)

    by YrWrstNtmr ( 564987 ) on Wednesday September 10, 2014 @01:00PM (#47873763)
    So where do we go to find the actual "list of exposed credentials" ?
    • Re:OK (Score:5, Informative)

      by Anonymous Coward on Wednesday September 10, 2014 @01:09PM (#47873857)

      https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls

      just the usernames, not the passwords.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        some of the accounts are also on this 2012 list:

        https://dazzlepod.com/digitalplayground/?page=50

        i searched for a few, found some, couldn't find others - so this new list may be a compilation of other lists, or a continuation of the old one.

        • by Mashiki ( 184564 )

          This account(and the publicly facing email address) is on the list new list, but not the old one. Except that the password listed is over 2 years old, feel free to look. So it makes me wonder where the pass was pulled from, if someone wants to try and figure it out that should be interesting. The only other places I've logged in from with this email address were in Florida via Brighthouse , and Nothern Alberta via bell wifi(rockethub). I have three other email addresses that I use, but none of them are

          • by Mashiki ( 184564 )

            Oh and I should toss in that this email address is/was only used on three sites. DSLReports, PWE(since moved to another account roughly 1 year ago), and Slashdot. But none of these sites used the same password as the email address.

      • Thanks, thought the exact same thing...
    • Re:OK (Score:5, Informative)

      by TACD ( 514008 ) on Wednesday September 10, 2014 @01:10PM (#47873859) Homepage
      The list of email addresses (without passwords) is at https://mega.co.nz/#!rgFDDRSD!... [mega.co.nz]
      • Thanks. Just discovered that I'm on it. Damn.

        • by PIBM ( 588930 )

          I'm on it, but I need to know which password was hacked. That would provide me a lot of info on what happened.

          • Next question is what about those with two factor authentication?

            My pass word is the same from both before and after but I have two factor authentication token as well

            • by MrHanky ( 141717 )

              Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.

              • Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.

                Same here. My email address, but a password I use for throwaway sites that I don't care about accessing.

          • by 2fuf ( 993808 )

            hunter7

            • by PIBM ( 588930 )

              Really ?? I don't even remember using that password somewhere, and I confirm I never used that on well known and large site.

              Thank you BTW

              • by alexhs ( 877055 )

                FYI, 2fuf was joking [bash.org].

                • by PIBM ( 588930 )

                  indeed, the 7 caught me offguard. I've managed to grab it and the password I had used match web based games I didn't care about (required signup for flash tests). Still nothing related to gmail directly.

            • by Anonymous Coward

              you mean hunter2 [bash.org] ?

              all i can see is *s

          • Re: (Score:2, Informative)

            by Anonymous Coward

            One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php

            • My account is leaked also but I was one of the first to get a Gmail account and it's an extremely common word. People use mine as their Spam email and it's a big hassle. The password listed for mine is nowhere close to any of mine. So whoever is using my email are the ones in trouble.

      • by Anonymous Coward

        My username is tacoman and my password is mrburrito

        Can someone tell me if I'm on the list?

    • Re:OK (Score:5, Informative)

      by Anonymous Coward on Wednesday September 10, 2014 @01:10PM (#47873861)

      I'm not sure where the list is available, but you can check if you are on the list here [isleaked.com]

    • Comment removed based on user account deletion
    • by Anonymous Coward

      This is all bullshit. The list is over 10 years old and less than 2% is even actionable

  • 2 factor auth? (Score:2, Interesting)

    by Anonymous Coward

    Interesting how that seems pretty close to when google enabled the 2 factor auth?

  • by frnic ( 98517 ) on Wednesday September 10, 2014 @01:09PM (#47873851)

    Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

    • Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!

      I'm not sure if that is really funny, really sad, or some kind of crazy, Google astroturf psyop. I'm going to be safe and assume that it is simultaneously all three.

  • by Anonymous Coward on Wednesday September 10, 2014 @01:11PM (#47873883)
    From 123456 to abc123. There, I'm safe from Soviet hackers now.
  • I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both.

    Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!

    • I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both

      Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!

      My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site. So I don't see how this can be the case. I have 2FA on the account, so not too worried, but still!

      • I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both

        I'm pretty sure that's right. Actually, I'd say I'm around 5 nines certain.

        My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site.

        According to the list, the password is a 7 character string, lowercase, moderately common first name starting with c.

  • by slk ( 2510 ) on Wednesday September 10, 2014 @01:22PM (#47874019)
    Google offers 2FA for free, labled as "2-step authentication". Setup takes about 3 minutes, hassle on known devices is roughly zero, and it makes these attacks irrelevent. Can do SMS, Authenticator app, etc.
    • by Ichijo ( 607641 )

      Except when your workplace has a policy of deleting cookies daily which makes 2-step authentication a hassle when you have to do it every day.

    • Yeah... I tried that. It makes it near impossible to view Youtube videos on my TiVo. The TiVo doesn't stay logged in nor does it remember passwords, so I have to get a new OTP every time I want to view on the TiVo. (Though, now I also have a Chromecast, and I suspect it works more reasonably with 2FA... Time to give it another try, I don't use the TiVo to watch Youtube anymore since I got the Chromecast.)
    • by GNious ( 953874 )

      Would suggest people also go through and revoke any logins, computers and devices after they set up 2FA - should be right there in the Security tab on Google account settings.

  • Despite having a public gmail account since it was invite only I escaped the list. Password managers FTW!

    • None of my accounts are listed, and I've had two of them since it was invite-only as well. I also used the same simple password for both of them and dozens of other sites for many years because, honestly, I just don't care that much. Whether you're on the list or not doesn't seem to be related to your password.
  • ...2 factor authentication for your accounts, too. Google makes it easy. [google.com]

    • Thanks for the link, that made it easy. I should have done that years ago.

    • Cellular subscribers in the United States who do not pay per month for unlimited SMS have to pay for each outgoing and incoming message. So unless I'm severely misunderstanding something, I'd have to pay my cell phone provider 20 cents every time I want to log in to any Google service. Is there something cheaper?
      • by Specter ( 11099 )

        You can install the Google Authenticator app; it requires no data connection after you set it up.

        J

      • by sh00z ( 206503 )
        You can download a list of single-use codes you can use instead of SMS. Of course, if you print the list and put it in your wallet, there's a path to compromise the security.
  • by stewsters ( 1406737 ) on Wednesday September 10, 2014 @01:42PM (#47874217)
    With a gmail account anything after a plus is ignored. You can then use username+serviceName@gmail.com to denote what service you are on. It looks like some people did this, and seems like these credentials are stolen from a few different sites. Here are the most popular after plus endings from the 5 mill:

    xtube : 176
    daz : 133
    1 : 125
    filedropper : 88
    daz3d : 66
    eharmony : 64
    friendster : 63
    savage : 62
    2 : 60
    spam : 57
    bioware : 54
    savage2 : 52
    bryce : 51
    hon : 40
    freebiejeebies : 32
    3 : 28
    eh : 27
    4 : 25
    policeauctions : 19
    bravenet : 18
    filesavr : 18
    • by brunes69 ( 86786 ) <slashdot@keirsGI ... minus herbivore> on Wednesday September 10, 2014 @01:44PM (#47874235)

      Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.

      • by malakai ( 136531 ) on Wednesday September 10, 2014 @02:17PM (#47874563) Journal

        Can confirm. the password it had for one on my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my GMail, or any account I cared about.

        I checked two other g-mail accounts that I primarily use for work, and neither were on the list.

        I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.

        Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).

        • I agree, just did the check and the first two characters were "pa" which is obviously the throwaway "password" I used before.


          I have 2FA enabled so my actual gmail account is pretty safe I'd think.
        • by Yaur ( 1069446 )
          The password they have for me was from the linkedin breach.
  • Scary-ish (Score:2, Interesting)

    by Torp ( 199297 )

    I was on this list and i had an unique (for me) password for the google account. I've had the account since you had to beg for an invite to get in as well.

    • by Torp ( 199297 )

      ... but I'm guilty of not ever changing the password after i created the account :)
      Until today, of course.

    • So are you saying your unique password was revealed along with your username? For curiosity sake, was it a strong password, or something an enhanced dictionary could attack?

      • by Torp ( 199297 )

        I was wrong. This is NOT a leak of passwords from google accounts.
        I checked my account on isleaked.com and it was NOT the google password, but the easily guessed password i use for accounts that I don't care about.
        If your google password is unique, you're safe. If you reused it on low security sites... not so much.

  • by Sebastopol ( 189276 ) on Wednesday September 10, 2014 @02:05PM (#47874453) Homepage

    I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).

    Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?

    • I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords?

      Statistics, probably not. But to confirm they're not just all made up, I checked a few of the ones that were obviously a password for another site (one of the '+' addresses) and after 4 tries, found one that worked (on the 'other site', not on gmail). So they're definitely not just 'made up' passwords; they just aren't necessarily a password that was ever actually used for the email address they're associated to.

    • A sketchy service called isleaked.com allows you to query. I queried my email, and it replied "the first two characters of your password is ...." which was correct. However, it was not my gmail password, but a password I use in my unimportant accounts.

    • by kat_skan ( 5219 )

      Even if it's a hoax the sensible response doesn't really change. Change your password, enable 2FA and don't worry too much about whether it was FUD.

    • by Nyder ( 754090 )

      I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).

      Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?

      They had my email and an old password I used on it.

      So while I am no one important, the list seems legit.

  • by bigjocker ( 113512 ) * on Wednesday September 10, 2014 @02:08PM (#47874481) Homepage

    Use this page to check if your address is in the leaked database. I'm using the list (without passwords) that was published here in slashdot in the above comments. I'm not capturing the email addresses of the people using the tool:

    https://bigjocker.com/qd/googl... [bigjocker.com]

    If you don't trust me (and I don't blame you), just download the file posted a few comments above this one and grep yourself:

    ngranek@trantor:~/Downloads$ grep bigjocker google_5000000.txt
    ngranek@trantor:~/Downloads$

    • Heh, my wife was asking about such a site, and like I explained to her: you really think that someone who has collected all this data is just handing it out for free? No, it's IMO just a small, probably outdated sample. Moreover, I wouldn't trust any site that allows me to check if I am on the list. This just confirms that such accounts are active or at least that someone cares enough about it to check it.
    • Wild cards work? partial matches?
  • by John Bokma ( 834313 ) on Wednesday September 10, 2014 @02:19PM (#47874577) Homepage
    I guess this is just a small fraction of the actual list, because such a list has a value and why just handing it out for free? Releasing a fraction and seeing people going upset because they are on the list, and it's actually their password, however, increases the value of the actual list. Even more so if the actual list is more recent.
  • Am I the only one? (Score:5, Interesting)

    by Russ1642 ( 1087959 ) on Wednesday September 10, 2014 @02:55PM (#47874875)

    A total surprise to me that my email address was on the list, and they had the current password. I changed that immediately and activated 2-factor authentication. So the next question is how did they get it? It's a unique string of random crap so it had to be intercepted rather than brute forced either with a malicious android app or, more likely, I signed in on a compromized computer. Anyone have any ideas?

    • Could easily have been malware, phishing site, or a compromised system.

      If you still use the account, make sure you unlink everything from it, change your password and then enabled TFA.

    • Did you by any chance use the same unique string of random crap at some third-party site where you used your email address as a verification email?

    • Most likely, you used the same password for another web site, with your gmail address as your contact e-mail.
      • Most likely the two symbols that were shown on the isleaked website were also in a different password of mine and they never really had the proper Gmail password. I have no way of verifying this. However, I can say for certain that I've never used my Gmail password anywhere but Gmail. I have unique passwords for every single account I have on all websites. I use UPM as a password manager on my Android phone with a ridiculously long master password. I doubt it got hacked.

    • I was surprised to see my email address on the list. Looking through my password manager, it looks like they have a simple password I stupidly re-used on eharmony and gigasize more than 3 years ago. (In fairness to those sites, I probably used the password elsewhere too, so they aren't necessarily the leak source.) I just hope a Russian hacker doesn't steal my soul mate on eharmony. (Unlikely?)
    • Hm. None of the addresses that belong to me or anyone that I correspond with is in that list. If it was from a breach at Google, then they were stopped before they were able to access the entire list that Google has. My main is account has been around since gmail existed and it is not compromised.

      Did you use shared passwords with ANY other site? That is the only method I can think of for them to have a list like this. I hope you were able to regain exclusive control over your account before anything bad hap

    • by PhilHibbs ( 4537 )

      Where did you get the password list from?

  • Oh no, what will I do?

  • I found one of my Gmail accounts in the list - the one I usually use when asked on forums and such. Using https://isleaked.com/results/e... [isleaked.com] I saw that the password leaked is not the actual gmail password, but the password I use when signing up on non-important sites, including Slashdot.

    I'm quite sure the email+password was collected from another site, can't be sure which one.

  • I'm guessing that if this really is a list of Google accounts and passwords, that they got it from somewhere other than Google. As far as I know, Google doesn't store passwords, they store salted hashes of passwords.

Staff meeting in the conference room in %d minutes.

Working...