If you’re a Gmail user, you should take preventative measures (change your passwords and enable two-factor authentication) in the wake of a large breach that hit the Internet just hours ago. BreachAlarm has obtained a copy of the leaked data. Containing just under 5 million stolen passwords, primarily associated with Gmail email addresses, this is the fourth largest confirmed breach in our history to date.
The leak by Russian hackers was detected after the data was posted to a freely-accessible Russian Bitcoin forum. Email accounts offered by Russia’s largest search engine, Yandex, were also included in the data spill, although Gmail addresses made up the overwhelming majority.
While the forum moderators hastily censored the file and removed the passwords, there is little doubt that the intervention came too late for quite a few accounts.
Some Gmail users affected by the breach have noticed that a fair chunk of the compromised passwords are up to 5 years old, belong to suspended accounts or are simply no longer valid. However, some users apparently have not changed their passwords in all that time, meaning these leaked credentials allow full access. If the hacker’s own words are to be believed, more than 60% of the passwords work and belong to active accounts.
How on Earth did this happen? One clue comes from several affected users who were able to inspect the breach data and report that the leaked password for their address was not their Gmail password, but the password for one or more third-party sites where they had used their Gmail address to sign up. Given this, we believe it’s highly likely that this massive list of login credentials was collected in an ongoing effort on the part of the hackers (similar to the CyberVor database we reported on last month), rather than through a single system compromise. Through phishing—tricking users into filling out a fake login form—and multiple isolated site attacks, the attackers would have been able to build up a database of compromised users.
Both Google and Yandex state that their systems have not been breached.
This isn’t news to take lightly. These days, your email account can be the key to your entire online presence: your Android phone backups and Google services like Maps, Google+, Docs and Drive. It’s also likely to be the destination for the “forgot my password” links that other services send you. With access to these, hackers can quite literally know where you live and work and who you talk to, and gain access to just about any online service you use.
There’s an important moral lesson here: this breach is a great demonstration of why your passwords shouldn’t be like your favourite old pair of sneakers. Change them as regularly as you can bear to. We know it’s a pain, but it’s worth it.
Keep an eye on your inbox to see if our Email Watchdog has found you among the victims. If you’re not a subscriber, you can have us monitor one of your addresses for free. Head to our home page to check if you’re affected.