5 Million Gmail Passwords Leaked, Google Says No Evidence Of Compromise 203
kierny writes After first appearing on multiple Russian cybercrime boards, a list of 5 million Google account usernames — which of course double as email usernames — is circulating via file-sharing sites. Experts say the information most likely didn't result from a hack of any given site, including Google, but was rather amassed over time, likely via a number of hacks of smaller sites, as well as via malware infections. Numerous commenters who have found their email addresses included in the list of exposed credentials say the included password appears to date from at least three years ago, if not longer. That means anyone who's changed their Google/Gmail password in the last three years is likely safe from account takeover.
OK (Score:5, Interesting)
Re:OK (Score:5, Informative)
https://mega.co.nz/#!6hYWVIyI!vrrDuv3s3ZbMiobnv0sYFdIOsudQ44-oDobLInq00ls
just the usernames, not the passwords.
Re: (Score:2, Interesting)
some of the accounts are also on this 2012 list:
https://dazzlepod.com/digitalplayground/?page=50
I searched for a few, found some, couldn't find others - so this new list may be a compilation of other lists, or a continuation of the old one.
Re: (Score:3)
This account (and the publicly facing email address) is on the new list, but not the old one. Except that the password listed is over 2 years old, feel free to look. So it makes me wonder where the pass was pulled from; if someone wants to try and figure it out, that should be interesting. The only other places I've logged in from with this email address were in Florida via Brighthouse, and Northern Alberta via Bell wifi (Rockethub). I have three other email addresses that I use, but none of them are
Re: (Score:3)
Oh, and I should toss in that this email address is/was only used on three sites: DSLReports, PWE (since moved to another account roughly 1 year ago), and Slashdot. But none of these sites used the same password as the email address.
Re: (Score:1)
Re:OK (Score:5, Informative)
Re: (Score:2)
Thanks. Just discovered that I'm on it. Damn.
Re: (Score:1)
I'm on it, but I need to know which password was hacked. That would provide me a lot of info on what happened.
Re: (Score:2)
Next question is what about those with two factor authentication?
My password is the same from both before and after, but I have a two factor authentication token as well.
Re: (Score:2)
Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.
Re: (Score:2)
Unless you've used the same password for gmail as for whichever site has been hacked, it shouldn't matter. I found my gmail address, but the password had never been used at Google. The problem is if you've reused the password on a bunch of sites where your email address can be used as login.
Same here. My email address, but a password I use for throwaway sites that I don't care about accessing.
Re: (Score:3)
hunter7
Re: (Score:2)
Really?? I don't even remember using that password anywhere, and I confirm I never used it on any well-known, large site.
Thank you BTW
Re: (Score:2)
FYI, 2fuf was joking [bash.org].
Re: (Score:1)
Indeed, the 7 caught me off guard. I've managed to grab it, and the password I had used matches web-based games I didn't care about (required signup for flash tests). Still nothing related to gmail directly.
Re: (Score:1)
Did you check that they have her gmail password, or was it grabbed somewhere else?
Top thread on Reddit's discussion [reddit.com] talks about that - seems like passwords in there come from all kinds of places, like Dreamhost, Blizzard, Filedropper, ...
Re: (Score:1)
you mean hunter2 [bash.org] ?
All I can see is *s
Re: (Score:2, Informative)
One of my accounts is listed, but the password is really old (6+ years) according to the hint from https://isleaked.com/en.php
Re: (Score:2)
My account is leaked also but I was one of the first to get a Gmail account and it's an extremely common word. People use mine as their Spam email and it's a big hassle. The password listed for mine is nowhere close to any of mine. So whoever is using my email are the ones in trouble.
Re: (Score:1)
My username is tacoman and my password is mrburrito
Can someone tell me if I'm on the list?
Re:OK (Score:5, Informative)
I'm not sure where the list is available, but you can check if you are on the list here [isleaked.com]
Re: (Score:1)
This is all bullshit. The list is over 10 years old and less than 2% is even actionable
Re:OK (Score:5, Funny)
Maybe someone should just do a courtesy mass-mailing based on the list.
Re: (Score:1)
Preferably in as few messages with as many envelope recipients as possible. There would be epic fallout from all the Re: Re: REMOVE ME FROM THIS LIST.
Re: (Score:1)
A Nigerian prince has already completed that task. I just hope he also mails me my loan back.
2 factor auth? (Score:2, Interesting)
Interesting how that seems pretty close to when Google enabled the 2 factor auth?
Apple needs to be held accountable... (Score:4, Funny)
Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!
Re: (Score:1)
Their security is deplorable and Apple should be legally responsible for any losses people incur as a result of this!
I'm not sure if that is really funny, really sad, or some kind of crazy, Google astroturf psyop. I'm going to be safe and assume that it is simultaneously all three.
Quickly, change the password... (Score:3, Funny)
Re: (Score:2)
I changed mine to hunter2.
It's September, dummy. It should be hunter9.
Just people using same passwords (Score:1)
Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!
Just people using same passwords (Score:2)
I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both
Really just people trying to ride the coat tails of the fappening. Ermagurd, mad hax!
My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site. So I don't see how this can be the case. I have 2FA on the account, so not too worried, but still!
Re: (Score:2)
I'd guess it's just hacks of other sites, filter it on just gmail accounts and hope they used the same password for both
I'm pretty sure that's right. Actually, I'd say I'm around 5 nines certain.
My email is on the list (afforess@gmail.com, go check!) I use a password for gmail I have never used for any other site.
According to the list, the password is a 7 character string, lowercase, moderately common first name starting with c.
Two factor authentication time! (Score:5, Informative)
Re: (Score:2)
Except when your workplace has a policy of deleting cookies daily which makes 2-step authentication a hassle when you have to do it every day.
Re:Two factor authentication time! (Score:5, Informative)
Except Google has a policy for that and can give you a one-step password for the particular device.
Re: (Score:2)
Would suggest people also go through and revoke any logins, computers and devices after they set up 2FA - should be right there in the Security tab on Google account settings.
Re: (Score:2)
They offer it without giving Google your phone number or other personal info, or you have to put another personal info egg in the Google basket?
There are several options. One of them is to use SMS or voice as the channel for receiving one-time passwords. For that, you have to provide the phone number they should send the passwords to. Or you can use the Google Authenticator app, which doesn't require providing any information (though it's recommended to provide a phone number as a backup), or you can just get a list of static OTPs to print out and carry around. Most people use that last one as a backup, but I suppose you could use it as your primar
Not Listed (Score:2)
Despite having a public gmail account since it was invite only I escaped the list. Password managers FTW!
Enable/// (Score:2)
...2 factor authentication for your accounts, too. Google makes it easy. [google.com]
Re: (Score:2)
Thanks for the link, that made it easy. I should have done that years ago.
In the USA we pay to receive texts (Score:2)
Re: (Score:2)
You can install the Google Authenticator app; it requires no data connection after you set it up.
Probably a few sites were hacked (Score:5, Informative)
xtube : 176
daz : 133
1 : 125
filedropper : 88
daz3d : 66
eharmony : 64
friendster : 63
savage : 62
2 : 60
spam : 57
bioware : 54
savage2 : 52
bryce : 51
hon : 40
freebiejeebies : 32
3 : 28
eh : 27
4 : 25
policeauctions : 19
bravenet : 18
filesavr : 18
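A per-source tally like the one above can be produced from the '+tag' part of Gmail plus-addresses (a later comment notes the '+' addresses in the list are obviously passwords for other sites). The script below is an added example, not the poster's code or the real list: it runs over a constructed dump in address:password form, tallies the tags, and also checks whether an address is present locally, the equivalent of grepping the file rather than submitting the address to a third-party lookup site.

```python
import re
from collections import Counter

# Constructed sample in the dump's "address:password" form. These lines are
# made up for illustration; they are not taken from the leaked list.
SAMPLE_DUMP = """\
alice+xtube@gmail.com:summer2011
bob+daz3d@gmail.com:brycefan
carol@gmail.com:p4ssw0rd
dave+xtube@gmail.com:hunter7
erin+filedropper@gmail.com:letmein
frank+XTube@gmail.com:qwerty
bad line without separator
grace+2@gmail.com:abc123
"""

# local-part "+" tag "@gmail.com"; the tag usually names the site the
# address was registered on, which hints at where the credentials came from.
PLUS_TAG = re.compile(r"^[^+@]+\+([^@]+)@gmail\.com$")


def parse_dump(text):
    """Yield (address, password) pairs from 'address:password' lines.

    Lines without a separator are skipped. Only the first ':' splits the
    line, so a password that itself contains ':' survives intact.
    """
    for line in text.splitlines():
        if ":" not in line:
            continue
        addr, _, pw = line.partition(":")
        yield addr.strip().lower(), pw


def tag_counts(text):
    """Tally the '+tag' of every Gmail plus-address in the dump.

    Tags are lower-cased so 'XTube' and 'xtube' count as one source;
    numeric tags (like the '1', '2' entries in the thread's list) are kept.
    """
    counts = Counter()
    for addr, _ in parse_dump(text):
        m = PLUS_TAG.match(addr)
        if m:
            counts[m.group(1)] += 1
    return counts


def address_in_dump(text, address):
    """Local equivalent of `grep -i address list.txt`: exact-match check
    that keeps the queried address on your own machine."""
    target = address.strip().lower()
    return any(addr == target for addr, _ in parse_dump(text))


if __name__ == "__main__":
    for tag, n in tag_counts(SAMPLE_DUMP).most_common():
        print(f"{tag} : {n}")
    print(address_in_dump(SAMPLE_DUMP, "Carol@gmail.com"))
```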
Re:Probably a few sites were hacked (Score:5, Informative)
Yep. In fact the more you look at the data the more it looks like Google was not hacked at all and these accounts were collected from elsewhere, then perhaps verified against Google.
Re:Probably a few sites were hacked (Score:5, Informative)
Can confirm. The password it had for one of my Gmail account e-mails was a password I use on 'throw away' websites. Think phpBB and the like. I never used this password on my GMail, or any account I cared about.
I checked two other g-mail accounts that I primarily use for work, and neither were on the list.
I'm going to say some of these are just harvested from old phpBB exploits. Sometimes I would use my throw away password for things I considered useless, like twitter and the like. So I guess it's possible it came from a bigger leak, that was deemed unworthy by me for enhanced security.
Also, many of my primary passwords have the website initials built into it. Like "sdblahblahblah" for slashdot. The password in the leak was not from any of my main primary sites ( amex, citibank, google, /., networking/dns sites, AWS, amazon, etc...).
Re: (Score:2)
I have 2FA enabled so my actual gmail account is pretty safe I'd think.
Re: (Score:2)
Where are you finding the passwords? I'm on the list and use KeePass for just about everything, so I should be able to nail down exactly where they got my password from.
The list with passwords was easily available for a while (and still is if you hunt around a bit - I found it without too much trouble).
Search engine (Score:2)
(and still is if you hunt around a bit - I found it without too much trouble).
What search engine were you using to locate it?
I'm sure it won't show up on google's search results.
(Or other pointers on how to get the list with passwords ?)
Reddit deletion (Score:2)
Reddit comments are being actively deleted.
Luckily, Google hasn't blacklisted the piratebay cache, yet.
Checking.... Nope. None of my passwords are in there.
Will pass the file around for my friends to check theirs.
Rejected from Piratebay (Score:2)
Can you please upload the list to piratebay? I can't find it anywhere..!!
It was already *rejected* from pirate bay.
Look around for "10 millions emails yandex mailru gmail w passwords 2014".
It might still be in some cache (that's where I found it).
And it is starting to pop up on other trackers.
Scary-ish (Score:2, Interesting)
I was on this list and I had a unique (for me) password for the google account. I've had the account since you had to beg for an invite to get in as well.
Re: (Score:2)
... but I'm guilty of not ever changing the password after I created the account :)
Until today, of course.
Re: (Score:2)
So are you saying your unique password was revealed along with your username? For curiosity's sake, was it a strong password, or something an enhanced dictionary could attack?
Re: (Score:3)
I was wrong. This is NOT a leak of passwords from google accounts.
I checked my account on isleaked.com and it was NOT the google password, but the easily guessed password I use for accounts that I don't care about.
If your google password is unique, you're safe. If you reused it on low security sites... not so much.
How do we actually know? (Score:3)
I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).
Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?
Re: (Score:3)
I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords?
Statistics, probably not. But to confirm they're not just all made up, I checked a few of the ones that were obviously a password for another site (one of the '+' addresses) and after 4 tries, found one that worked (on the 'other site', not on gmail). So they're definitely not just 'made up' passwords; they just aren't necessarily a password that was ever actually used for the email address they're associated to.
Re: (Score:2)
A sketchy service called isleaked.com allows you to query. I queried my email, and it replied "the first two characters of your password is ...." which was correct. However, it was not my gmail password, but a password I use in my unimportant accounts.
Re: (Score:2)
Even if it's a hoax the sensible response doesn't really change. Change your password, enable 2FA and don't worry too much about whether it was FUD.
Re: (Score:2)
I could harvest 5m gmail names from google searches, and then publish them with bogus passwords and create panic. Is there some statistic that says how many of these were real passwords? Because wouldn't it be illegal to use them (accessing another person's account w/o their permission is a crime in the USA).
Seems like it would be easy to manufacture a lot of FUD by making these claims w/o really having any passwords at all, and no one could verify it?
They had my email and an old password I used on it.
So while I am no one important, the list seems legit.
Check you address here (Score:4, Informative)
Use this page to check if your address is in the leaked database. I'm using the list (without passwords) that was published here in slashdot in the above comments. I'm not capturing the email addresses of the people using the tool:
https://bigjocker.com/qd/googl... [bigjocker.com]
If you don't trust me (and I don't blame you), just download the file posted a few comments above this one and grep yourself:
ngranek@trantor:~/Downloads$ grep bigjocker google_5000000.txt
ngranek@trantor:~/Downloads$
Maybe a fraction of the actual list (and outdated) (Score:5, Interesting)
Am I the only one? (Score:5, Interesting)
A total surprise to me that my email address was on the list, and they had the current password. I changed that immediately and activated 2-factor authentication. So the next question is how did they get it? It's a unique string of random crap, so it had to be intercepted rather than brute forced, either with a malicious android app or, more likely, I signed in on a compromised computer. Anyone have any ideas?
Re: (Score:2)
Could easily have been malware, phishing site, or a compromised system.
If you still use the account, make sure you unlink everything from it, change your password and then enable TFA.
Re: (Score:2)
Did you by any chance use the same unique string of random crap at some third-party site where you used your email address as a verification email?
Re: (Score:3)
Most likely the two symbols that were shown on the isleaked website were also in a different password of mine and they never really had the proper Gmail password. I have no way of verifying this. However, I can say for certain that I've never used my Gmail password anywhere but Gmail. I have unique passwords for every single account I have on all websites. I use UPM as a password manager on my Android phone with a ridiculously long master password. I doubt it got hacked.
Re: (Score:2)
I see Google has their spin doctors deployed...
I see you haven't followed this story at all. There is zero evidence that any of this data came from Google, and plenty of evidence that it did not. For that matter, look at some of the /. comments. Several posters found their e-mail addresses and passwords... and they were not passwords used on gmail.
Re: (Score:2)
Hm. None of the addresses that belong to me or anyone that I correspond with is in that list. If it was from a breach at Google, then they were stopped before they were able to access the entire list that Google has. My main account has been around since gmail existed and it is not compromised.
Did you use shared passwords with ANY other site? That is the only method I can think of for them to have a list like this. I hope you were able to regain exclusive control over your account before anything bad hap
Re: (Score:2)
Where did you get the password list from?
Gee and me with all that Cialis spam (Score:1)
Oh no, what will I do?
I think passwords were collected from elsewhere (Score:2)
I found one of my Gmail accounts in the list - the one I usually use when asked on forums and such. Using https://isleaked.com/results/e... [isleaked.com] I saw that the password leaked is not the actual gmail password, but the password I use when signing up on non-important sites, including Slashdot.
I'm quite sure the email+password was collected from another site, can't be sure which one.
Does Google store passwords? (Score:2)
I'm guessing that if this really is a list of Google accounts and passwords, that they got it from somewhere other than Google. As far as I know, Google doesn't store passwords, they store salted hashes of passwords.
Re: (Score:1)
It's funny that you say "true capitalism" is a fairy tale... and yet communism (I'm assuming you mean the "true" kind) is your goto.
Maybe somebody should mod you funny.
Re: (Score:2)
Same for me, same for my brother.
Someone's just collected 5m GMail addresses from somewhere.
To be honest, it's more likely that my address has been sold by a Google employee - there's no way I should be getting as much spam as I do to an address that's completely unadvertised and which is only the end-point of various domain forwarding.
Password compromise too? Just sounds like someone's collated all the compromised data from other websites etc. they could find, rather than hacked into GMail somehow.
Re: (Score:3, Informative)
...sez the guy whose homepage is facebook.
Re: (Score:1)
My point stands
Re: (Score:1)
What's a pocket?
This is the 21st Century.
We all wear form fitting science uniforms and have jetpacks and flying cars.
Re: (Score:2)
Who needs a pocket? My computer displays on my contacts and blasts audio through a bone phone.
Re: (Score:2)
Hah, the optic nerve is SO last gen. My I.queue directly stimulates my visual and aural cortices.
Re: (Score:2)
Ahh, you guys are funny. Time travelling from the 18th century, but pretending to be time travelling from the 23rd century. Go and check the actual 21st century and you will weep.