Latest Hacking Scare Exaggerated, Says Google
By Christine Kern, contributing writer
Dump of emails and passwords provides reminder that online security is essential
Reports earlier this month of millions of Gmail addresses and passwords being leaked had users of the popular email Web app understandably alarmed — but Google says the danger has been greatly exaggerated.
The early reports suggested that a leaked database containing 4,929,090 Gmail email addresses and related passwords was dumped on a Russian Bitcoin Security Forum.
On September 9, user tvskit from Russian Bitcoin security forum BTCSec.com, first reported the dump of the 28.7 MB file containing more than 4.92 million of Gmail accounts and passwords, as well as several thousands of credentials from Russia's largest email service Yandex. According to the user, 60 percent of these credentials are valid. Since then, a forum administrator purged the passwords from it.
A study showed that the compromised accounts mostly belonged to Russian, English, and Spanish-speaking users of the Google email service, reported Russian media outlet CNews.
Gmail credentials give access not only to the email account, but they also give access to other Google services such as cloud document storage Google Drive and social network Google+.
The alleged hack raised concern among many constituencies when the report broke. But now it seems that the incident has been overblown, according to Google.
In a blog post, Google stated, “We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.”
The post noted that “in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.”
The post also explained that the “dump” of emails and passwords wasn't from any kind of leak in Gmail itself, but was likely harvested from “other sources” over time — smaller hacked sites, for instance, or malware on users’ own computers. Since many people reuse emails and passwords on other sites, such lists can be used by hackers to gain unauthorized access. Google has already alerted those who were affected, locking down accounts and requiring a password change.
Of course, the moral of the story here is better safe than sorry. Regular password changes and anti-virus and malware software are good prevention.