5 million leaked Gmail passwords sounds pretty scary. But was it really?

When news reports broke earlier this week about a massive leak of Google account passwords, there must have been plenty of users who took a big gulp.

Would their email address and password be amongst the alleged five million published on a Russian web forum? Was it possible that Google itself had been hacked, spilling secret information about its users?

There was certainly a lot of panic, but the truth was rather less traumatising.

No, Google didn’t suffer a security breach. Instead, it’s most likely that the credentials were amassed by hackers through a combination of keylogging malware, phishing schemes, and the careless reuse of the same passwords across multiple websites.

That last one is particularly important, and rarely understood by the typical computer user.

If you’re in the habit of using the same password on different websites, you are playing a dangerous game of Russian Roulette with your online safety. If just one of the websites you use gets hacked and attackers manage to get their paws on a cracked password database, they will almost certainly try that password against your other online accounts.

Of course, people normally reject the idea of choosing different passwords for every website they use, and roll their eyes at the thought of remembering scores or even hundreds of complicated gobbledygook passwords that are hard for hackers to crack.

The reality is, of course, that simple password management programs can do all the remembering for you - and even suggest much safer passwords than ones the typical computer user is likely to dream up.

Regardless of how the Gmail passwords were accumulated, however, were the credentials dumped on Russian internet forums rapidly exploited en masse by plundering hackers?

Google says they weren’t. Indeed, in a blog post, the search giant’s security team claimed that only 2% of the credentials would have worked, and “an even smaller number used successfully”.

That’s a big difference from claims initially made that 60% of the passwords were legitimate.

Of course, none of this is to say that you can afford to be lackadaisical about your account security.

If you are concerned that your details might be amongst those that were published online, visit a site like haveibeenpwned.com. It’s run by respected security expert Troy Hunt, and can tell you not just if your email address was included in this stash, but in plenty of other password breaches that have occurred in the past.

Furthermore, make a point of ensuring that your online accounts are properly protected from attacks: not just by choosing safer, harder-to-crack, unique passwords, but also by enabling features such as two-factor authentication (2FA) that make it much harder for hackers to gain access.

More and more websites these days offer 2FA, just like your online bank probably does.

In Google’s case it’s called 2-step verification, and is explained simply in the following YouTube video.

Take better care of your online accounts, and chances are that you won’t find yourself panicking quite so much next time a scare story about a breach hits the headlines.

This article originally appeared on the Optimal Security blog.
