5 Million Google Passwords Leaked

Stolen Credentials Surface on Russian Cybercrime Forums
5 Million Google Passwords Leaked

Google users are being urged to change their passwords in the wake of 5 million stolen credentials surfacing on Russian cybercrime forums.

Electronic-crime specialist Peter Kruse at CSIS Security Group in Copenhagen, Denmark, is one of several security experts who have spotted a leak of data involving millions of credentials from Google and other webmail providers.

What's not yet clear, however, is where the stolen information comes from, or how old it might be. "Some [credentials] have been confirmed to be three years old and some [are] suspected to be even older," Kruse tells Information Security Media Group. As a result, any Google users whose details were compromised might not be at risk of account takeovers, provided they've changed their passwords in the last three years.

The stolen information has surfaced on multiple cybercrime forums. "They were distributed to several Russian forums and then shared through different file-sharing services," Kruse says. "The origin/source of the leak is still unknown. Our best guess is that it comes from various sources."

A Google spokesman says there's no indication that the information in circulation is the result of a hack against its systems. "The security of our users' information is a top priority for us," he says. "We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts." Notably, the service already alerts users to unusual account activity - including changes in a user's log-in location, or the device they're using - and offers a two-factor authentication system, which would block any unauthorized log-in attempts using stolen credentials.

Multiple individuals whose Google account usernames - which double as Gmail e-mail usernames - appear in the data dump have reported that the leaked passwords date from some time ago. "It has my address in there, but with a password I haven't used in 7 or 8 years," says one commenter in a related Reddit thread.

A related 109MB text file is circulating on the Internet that lists the nearly 5 million Google usernames - and thus Gmail addresses - affected, although it redacts the stolen passwords. Reportedly, some dumps of the stolen data that include both the usernames and passwords are also now in circulation, beyond the cybercrime forums on which they first appeared.

Data Leak: Huge

The trove of about 5 million leaked Google account credentials is a significant data breach, says Morten Kjaersgaard, CEO of endpoint security vendor Heimdal Security, which is owned by CSIS Security Group.

"Normally, you don't think 5 million is that much, because you hear 5 million here, and 5 million there - but that's a lot of data shifting around in hacker communities," Kjaersgaard says. Furthermore, the stolen Google credentials that have come to light may represent only a fraction of what was stolen. "There could be a lot more than just this 5 million. It could be that this was just a dump that was sold to someone [by the hackers] and placed on a forum, but the actual dump could have been 50 million - who knows?"

Precautions to Take

In the wake of the stolen Google credentials surfacing, Kjaersgaard recommends users "regularly change your passwords - once per month, for example - and use different credentials for every site," so that hackers can't use dumps of stolen data to log into accounts on other sites.

The stolen Google data comes to light in the wake of a high-profile breach of celebrity Apple customers who used its iCloud service to back up their mobile devices.

"Many people expect Google or Apple to take care of you, but they mess up as well," Kjaersgaard says. "People should know that their data will be leaked in some way when they use a digital tool, so they need to take measures into their own hands to keep themselves protected."

Stolen Data: Spot Check

Heimdal Security is one of a number of companies that offer free leaked-credential checks. Using Heimdal's service requires registering for a free "Heimdal PRO license key," which gets tied to an e-mail address. When a check gets run, the service reviews whether this e-mail address has appeared in any of the leaks CSIS has found.

Beyond Heimdal, a Russian-language site, "Is my email leaked?", appears to be tracking the same stolen credentials. The site says it's found stolen passwords tied to 4.6 million addresses from Russian webmail provider Mail.ru; more than 1.2 million passwords from Yandex, which runs Russia's biggest online search engine; as well as 5 million Google accounts.

The Russian-language site also offers a service that allows users to input their e-mail address and see if it's part of the stolen data that's been recovered, and promises: "We don't collect your e-mails nor access logs."

But Kruse at CSIS Security cautions against using any service that hasn't been verified. "I would only trust services that I know, and I'm not familiar with that site," he says.

Indeed, little is known about that site, or who's behind it. According to the site's domain registrar listing, the site is hosted by Gandi.net, and the URL was first registered Sept. 8, 2014, by "Egor Buslanov" in Paris. There was no immediate response to a request for more information sent to the contact e-mail address listed for the domain.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network