On Tuesday evening, an archive containing close to 5 million Gmail addresses and passwords was posted on a Russian Bitcoin forum.
"We can't confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate," said Pete Kruse, chief technology officer of the Danish security company CSIS Security Group. "We believe the data doesn't originate from Google directly. Instead it's likely it comes from various sources that have been compromised." Google confirmed Kruse's theory in a blog post on Wednesday, saying that the posted list is a "credential dump." The Google Spam & Abuse Team wrote, "It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems." Instead, security experts explained, the list was compiled from other sites where users had registered with their Gmail addresses but most likely with a different password than the one for their Gmail account, or from old Gmail passwords obtained via phishing.
Many believe that several of these accounts may not even be valid. "There is no honor among thieves as they say," said Chester Wisniewski, a senior security adviser at Sophos, "and often stunts like this are released as a sad attempt at gaining credibility among other criminals." Several victims of this leak took to Reddit to say that the data is outdated or that the associated password listed has never been their Gmail password. Less than 2 percent of the 5 million accounts "might have worked" on Gmail, but Google reassures its users that its "automated anti-hijacking systems would have blocked many of those login attempts." All affected accounts have been protected, and account holders have been notified about the hack and will be prompted to reset their passwords before logging in, said Google in its blog post on the archive.
Photo: © Creative Commons - Flickr: FixtheFocus.