The Gmail 5 million password hack that (probably) wasn't

happygeek

Reports started circulating yesterday that Gmail had been hacked, with some 5 million logins at risk. This follows the publication, on Tuesday, of a plain text list of Gmail usernames and passwords on a Russian Bitcoin forum. Within 24 hours the 'hack hysteria' had taken hold and people were being advised to check if their accounts had been compromised, change their passwords etc. Trouble is, there appears to be absolutely no actual evidence that Gmail has been hacked at all, and plenty to suggest that this credentials list is just another composite; constructed with passwords taken from lists already published concerning other breaches. The Gmail connection is, at the most, that people whose credentials were exposed at those other sites and services had used a Gmail address to register their accounts.

Having spoken to a number of people who, at first glance, would appear to have fallen victim of the Gmail hack that wasn't, it seems that there are lots of very old passwords in play on that list. What's more, there are lots which were never actually associated with a Gmail account at all. Just to be clear, what I'm saying here is that the list itself seems to consist largely of instances where someone has registered with a service with a username of xxx@gmail.com and a password of yyyzzz and the inference is that yyyzzz is the Gmail account password. This is simply not the case in many instances that I've been made aware of, enough for me to conclude that it's nothing to be overly concerned about.

Sure, if you are one of those folk who reuse passwords across sites and services, and your Gmail account password is not unique, then you should be concerned. But then you should have been concerned long before this list appeared, not least as what I've seen so far would lead me to believe that much of the data listed comes from old data breaches and phishing attacks.

So why bother publishing this list? Good question, and as it's not being sold (5 million live Gmail logins would certainly carry a substantial dark market value) the probable answer is for kudos.

My advice would be to ignore the media arm waving, which will quickly die down as the media realises it has been running around with a non-story. However, do not ignore the warning that the non-story brings with it: if this had been for real you could have been in big trouble. Don't reuse passwords (use something like the LastPass security audit to check for such usage) and change your Gmail password now anyway; it's not a bad idea to do this every now and then. While you are at it, think about implementing two-factor authentication as well; not just for Gmail but for every service you use that offers it. This makes it much harder for anyone to actually use login data should the service get breached.

If you are concerned that your Gmail address may be on the published list, along with passwords associated with it, then you can check by using the free security checker from KnowEm which is trusted and simply queries a plain text database and does not record/log your email address (or any personally identifiable information) about the query.


Slavi 94 Master Poster Featured Poster

I actually read an article about this yesterday and literally couldn't believe it, thanks for clearing this up. Also, having a Gmail account or any Google account in fact and not having 2-step would be really self stupid, as they have their 2-step not only by the Google auth app, not only by sending an SMS if you don't have a phone, but also you could even generate backup codes. Basically, there's plenty of options provided to have secure access to your account(s). Although, I wonder what if you have no backup codes and your phone breaks, so you can't connect to the app? Are you out of your account for good?

rubberman 1,355 Nearly a Posting Virtuoso Featured Poster

Google analyzed the list and found that less than 2% of the entries were legitimate current Gmail credentials (that's still about 100,000), and have informed those accounts that they need to update their password on next login. Here is the relevant article: http://arstechnica.com/security/2014/09/google-no-compromise-likely-massive-phishing-database/

Mansoor Ahmed_1 0 Newbie Poster

I have also heard that news. It is really bad. I condemn this act. By the way, thanks for sharing that info to check whether my account is hacked or not. Thanks.

andyrooheavens 0 Newbie Poster

Our company published an internal article about this and, before rushing off to change my password again, I found this very informative answer.
Thanks for the info!

mike_2000_17 2,669 21st Century Viking Team Colleague Featured Poster

Thanks for clearing this up.

This sounded very fishy to me because as far as I know (but I could be wrong?) "secure" services like Gmail do not store plaintext passwords anywhere, but only the salted hashes corresponding to them (i.e., they can validate the password you entered, but they never actually know what that password is, only what cryptographic hash it produces). So, even if someone hacked into Gmail, they could not obtain such a list of username + password pairs. Only the less secure services (and hopefully, less critical services) tend to store such plaintext lists on their servers.

Am I wrong? Assuming someone had unfettered access to Gmail's servers, could he produce such a list? Or something of similar power.

gerbil 216 Industrious Poster

I suspect that a lot of security scare stories will circulate, they make easy copy, sell a few pages.
I remember the exploding butane lighter stories, those deadly things with the power of 3 sticks of dynamite.... anyway, in the mining game we use lots of explosives but of course there are masses of regulations covering the use and transport of them, so we gaily switched to tossing cartons of Bic lighters down the holes. And life was easier.

Slavi 94 Master Poster Featured Poster

@Mike, I don't think any passwords at all are stored in plaintext. In general, back in the day they'd use a hash function such as MD5 to produce a certain-length output of characters that in no way can reveal your password. The problem in those such as MD5 was that if 2 users have the same password, it will give the same hashes. Do you see why this is a vulnerability? An intruder can create hashes for a password dictionary, and then just check those hashes against obtained password hashes and figure out what the actual password was. For example, at crackstation you can enter a hashed word and literally immediately you'll be able to find out what the word actually was, as crackstation has a HUGE amount of stored hashes where they just perform a hash-to-hash match. However, currently with the salting it seems more secure. I am not sure myself whether it's been compromised in any way yet, but indeed it is a good solution. As for those who are not sure what that is, a random word called a "salt" is added to your password, in which case even if 2 users have the same passwords, due to randomness in salts, the produced hash will be different, and unless you know what the "salt" was, I don't see how it would be possible to find the password (hash functions are one-way; you cannot reverse from hash to plaintext password).
