eLearnSecurity Blog

5 Million Gmail Usernames and Passwords Leaked Online

5 million Gmail username and password combinations were recently leaked on a Russian online forum, and Google is advising its users to update their passwords in order to protect their accounts. It was later revealed that this information appears to be outdated, with some passwords more than 3 years old. Also, less than 2% of the 5 million combinations might have worked. 100,000 accounts is still a huge number, but Google stated in a blog post that they have secured the affected emails. They have also required those users to reset their passwords.

The tech giant notes that the leaked usernames and passwords were not caused by a breach of Google systems. The accounts were taken from a number of sources, for example users who reuse the same credentials across different websites: when one of those accounts gets hacked, the details can be used to log into other websites. Other accounts were obtained through malware or phishing.

DO NOT Type Your Email Address in 3rd-Party Sites


Secure your Gmail account.

Some third-party websites have reported the leak and advised their readers to enter their email addresses to verify whether their Gmail accounts were affected – we strongly recommend you DO NOT enter your information there!

“Avoid typing your email address in any website that you don’t know or trust,” says Armando Romeo, eLearnSecurity Founder and CEO. “Go straight to your Google email, change your password and check your Google account Security settings for login attempts that look suspicious. This is the safest way to check if your account has been breached.”

These types of pages may be just another medium for hackers to collect your data. Google has already released a response, so be careful and only check information from official sources.

Secure Your Emails

Email accounts are critical single points of failure nowadays. If a third party gains access to your email account, your whole digital life is exposed: almost all of the services we use every day rely on your email to recover or reset your password. Using a unique, complex password plus 2-factor authentication for your email is the first step towards a secure digital life.

Google assures that it has dealt with this security issue and recommends using two-factor authentication and avoiding the same passwords across different online accounts.

Activate Two-Factor Authentication

“Companies that have websites asking clients to sign up for an account in their database should enforce the use of complex passwords and should provide a way to use some method of 2-factor authentication,” Armando adds. “Two-factor authentication is a must-have for any sensitive account such as email accounts, cloud storage accounts and so on.

It can cut the chances of unauthorized access to zero. Moreover, companies should never store users’ passwords in cleartext; they should salt and hash them in a protected database. Finally, they should ensure that the authentication page is protected from brute force attacks and of course all other modern web application attacks that we cover in our courses.

Last tip: use KeePass for your passwords. It’s easy, free and creates strong passwords that you don’t have to remember.”
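The two server-side measures Armando calls for, salted and hashed password storage and brute-force protection on the login path, as an added Python example that is not part of the original post. The KDF iteration count and the lockout threshold are assumed values, and the two users reusing one password are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed values for this example (not from the original post).
PBKDF2_ITERATIONS = 600_000  # slow KDF: every guess costs the attacker real CPU time
MAX_FAILED_ATTEMPTS = 5      # lockout threshold for the brute-force protection

@dataclass
class StoredCredential:
    salt: bytes            # per-user random salt, stored next to the digest
    digest: bytes          # PBKDF2 output; the cleartext password is never kept
    failed_attempts: int = 0

def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library. Because the salt is unique
    # per user, two accounts with the same password never share a digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def register(password: str) -> StoredCredential:
    salt = os.urandom(16)  # 128-bit random salt
    return StoredCredential(salt=salt, digest=derive(password, salt))

def verify(cred: StoredCredential, attempt: str) -> bool:
    # Refuse further guesses once the account is locked out.
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False
    # compare_digest avoids leaking timing information about the digest.
    if hmac.compare_digest(cred.digest, derive(attempt, cred.salt)):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    return False

def demo() -> dict:
    # Constructed sample: two users who reuse one password, as in the leak.
    alice = register("Summer2014!")
    bob = register("Summer2014!")
    results = {
        "digests_differ": alice.digest != bob.digest,       # per-user salt at work
        "correct_password": verify(alice, "Summer2014!"),
        "wrong_password": verify(alice, "summer2014!"),
    }
    # Guess at bob's account until the lockout triggers...
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify(bob, "wrong-guess")
    # ...after which even the right password is rejected until a reset.
    results["locked_out_after_brute_force"] = not verify(bob, "Summer2014!")
    return results
```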



Armando Romeo is the founder and CEO of eLearnSecurity. Prior to founding eLearnSecurity he spent 5 years in web application security research, releasing hundreds of vulnerability advisories. Armando currently leads the R&D team and inspires new projects and new training activities.

LinkedIn: https://www.linkedin.com/in/armandoromeo
Twitter: https://twitter.com/HackersCenter


4 Comments

  • Peter says:

    I don’t think these are actually Gmail usernames and passwords. I strongly suspect they are credentials from other breaches amalgamated into 1 list.

    The reason I say this is that my details were amongst those showing up in the lists, but the password has not been used for numerous years on Gmail. It has, however, been used on other sites.

    • Edcel Suyo says:

      Yes, these accounts were a combination of usernames and passwords from different sources compiled into one list, and some were associated with Gmail. The problem is when we use the same password for all our other online accounts, as this grants easy access to hackers when we don’t set up security checks ourselves. Have you set up 2-factor authentication already?

      • Peter says:

        Yes, I have had 2-factor authentication set up for quite a while now. In all honesty I no longer have any idea what my passwords are, as I use systems such as LastPass and a YubiKey.
