5 million Gmail usernames and passwords leaked online

Gmail users may want to change their passwords. Nico De Pasquale Photography/Flickr

TORONTO – Gmail users — we have good news and bad news.

The bad news is almost five million Gmail username and password combinations have been dumped online. The good news is a lot of the data appears to be outdated or incorrect.

Hackers posted a database of 4.93 million Google accounts to a Russian-language bitcoin security forum late Tuesday. According to Russian media outlet RIA Novosti, the hackers alleged more than 60 per cent of the information was valid and in use.

But as news spread about the leak, many users reported that the passwords listed in the database were either outdated or were not passwords associated with their Google accounts.

“My accounts were on there but the passwords were old,” Gmail user Mike Bond told Global News.

“[But] I know tons of people that use the same password for everything, including their banking, and just never change it.”

Several Reddit users also said they found their email addresses in the database, but confirmed the password listed was never associated with their Google account.

“It claims my email address and login is leaked, but the password it shows (or at least the first two characters) is NOT from a password I’ve ever used on Gmail,” wrote one user.

“It is NOT a password I ever used with Gmail,” said another. “My verdict: This is not a Google leak but a collection of Gmail addresses with passwords from elsewhere…”

Google’s security team posted a statement on its blog late Wednesday, downplaying the severity of the leak.

“We found that less than 2% of the username and password combinations might have worked,” read the blog post. “We’ve protected the affected accounts and have required those users to reset their passwords.”

Google’s security team reiterated that the leak was not a result of a breach of Google’s systems, adding that often credentials are stolen through a “combination of other sources.”

“For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials,” read the blog.

Danish security company CSIS reported Wednesday that the data is likely up to three years old, which means most users have likely changed their passwords since – especially considering Google recommended users change their passwords after the Heartbleed bug.

However, as some users pointed out, there are many users who may not change their passwords regularly.

If you are worried about your account, your best bet is to change your password as soon as possible.

Google also has a number of added security features that aim to keep attackers out of your account.

If there is any unusual activity on your account – for example, multiple login attempts, or login attempts from unknown devices – Google will alert the user and allow them to review the activity and change the account password if needed.

It’s also recommended that users enable two-step authentication – where a text message containing a secondary login code is sent to the user’s mobile phone every time they log in.

It’s also important to avoid using the same password across multiple sites – especially when it comes to important things like online banking.

Quick tips for creating a more secure password

Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.

Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence and mix in a few upper-case letters and a number. For example, “There is no place like home” would become “tiNOplh62.”

Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
