As many as five million Gmail user IDs and password combos have been reportedly leaked and posted to a Russian Bitcoin forum. The story is still developing—and Google has yet to make an official statement on the report.
According to Freedom Hacker, a .txt file of Gmail usernames, primarily belonging to Russian users, has been made public on the Bitcoin Security Forum (the link is no longer working)—and the Reddit subreddit netsec now hosts a link to the lifted email names and passwords. While much of the Reddit information appears to be old, at least 60% of the compromised accounts are said to be active, according to reports.
The event is illustrative of follow-on dangers as well. Scenting an obvious opportunity, several malicious phishing sites have appeared, offering to check whether someone’s email is secure. This is believed to be, of course, a ploy to pick up additional username/password credentials. Users should instead simply change their passwords (including for other services where the same credentials are used), and enable two-factor authentication.
No one knows yet who’s behind this, how big the leak actually is or whether Google’s servers were compromised. It’s entirely possible that the information was phished or gleaned from third-party websites—and it could even be recycled information from previous leaks.
“Catalogues of previously leaked credentials serve as a database for password crackers,” explained Yiannis Chrysanthou, security researcher in KPMG’s cybersecurity team, in an emailed comment. “This then makes future hacks even easier and quicker, with many passwords cracked in zero time. Password cracking research is moving towards intelligent, efficient and content-aware attack techniques designed to crack the bulk of passwords fast. Every large-scale credential leak makes cracking passwords easier for the next one, and organizations adding password complexity to their policies only slightly delays this process instead of stopping it.”
He also stressed the multifactor aspect. “The alternative is to use multi-factor authentication, as it improves security by combining multiple forms of identification data,” he said. “Passwords on their own are just one authentication factor because they rely on ‘something the user knows’. By adding an additional factor such as a smartcard (something a user has) or a fingerprint (something the user is), credential theft and impersonation become harder. Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course this extra security comes with increased investment, but the improved customer protection makes it viable and valuable.”