Miscellaneous 4 min. read

5 Million Gmail Passwords Leaked: Was Yours One of Them?

Media outlets were abuzz recently with news that millions of Gmail passwords were leaked online. The story is enough to send the 425 million active Gmail users into a tailspin, but it’s important to keep calm and look at the facts. Could your password be one of those compromised? And even if you weren’t a victim this time, how can you protect your email account in the future?

What Actually Happened?

On September 10, the passwords of approximately five million Gmail accounts were posted on a Russian Bitcoin security forum.

Google, which owns the Web-based email service, insists its servers were not breached. Instead, the company believes that the published passwords were collected in earlier cyber-attacks. It’s also been suggested that the details may have been gleaned from other websites that use Gmail addresses for member logins.

In a blog post published after the news broke, Google said it “identified several lists claiming to contain Google and other Internet providers’ credentials.” It added that less than two percent of the username and password combinations may have worked. This makes it sound like a small problem, but given the immense number of active Gmail accounts, it amounts to almost 100,000 people at risk. Google’s automated anti-hijacking systems were expected to block many attempted logins, but that doesn’t mean this breach still can’t do some damage.

How Are People Finding Out Whether They Were Compromised?

At the time of writing, the original thread on the Russian forum was still active with a downloadable link to the complete database. One way to work out whether your account is compromised is to simply download the database and check. Some people who’ve done this have found their Gmail addresses listed with old passwords, which suggests their account is currently safe.

However, others have found their email accounts with existing passwords used not just for Gmail, but for other online accounts. But remember, it’s never advisable to download files from Internet sources you’re not familiar with. If you still want to see it, make sure your antivirus and spyware software is up to date.

Many concerned Gmail users have also rushed to online websites like IsLeaked.com to check whether they were affected. Users simply type their email address into the site to learn whether it’s on the database, and view the first two letters of its associated password.

Concerned citizens have questioned why the site was launched on September 8, two days before the list hit the Bitcoin forum. Its anonymous creator told Forbes it made the site after a leak of Russian mail service Yandex on September 7, then simply added the Gmail details when that story broke. This sounds plausible, but concerns exist that the site may simply serve as a honeypot for collecting email addresses.

Two other (arguably safer) sites to check your account are securityalert.knowem.com and haveibeenpwned.com. The latter of these two sites is run by Troy Hunt, who was named as a Microsoft Most Valuable Professional for web security.

Is There a Safer Way?

Thankfully there are some other, possibly much safer ways to establish whether your Gmail account is at risk. In efforts to protect its users, Google is locking out users with accounts suspected to be compromised in the leak. You’ll know if you’re one of them if you’re asked to change your password before logging back into your account.

However, even if you aren’t asked to change your password, that doesn’t necessarily mean you’re completely in the clear. This Google security page shows recent activity on your Gmail account, including log-in dates, locations, and browsers. If you spot anything that doesn’t match your activity, your account has also been compromised. You should also change your password to protect your account’s integrity.

Protect Your Account from Future Attacks

Whether your account has been compromised in the most recent leak or not, it’s smart to adopt a strong password, and change it regularly to prevent future attacks. It should consist of at least 10 characters, which are a mix of uppercase and lowercase letters, numbers, and other symbols. It should also be unique to your email account. Otherwise, if someone does obtain the password they can infiltrate a variety of online accounts.

Setting up two-factor authentication on your account provides an extra layer of security. If someone attempts to sign on from a new device or location, an automated code is sent to your mobile device to authorize the login. So if hackers get ahold of your password, they can’t infiltrate your account from their device. It’s a really effective way of preventing these attacks, but it won’t protect you from hackers who’ve compromised your device using Trojans or holes in unpatched software. Unfortunately endpoint attacks like these represent the majority of computer crimes. But for what it does protect against, two-factor authentication works very well.
Once you’re accessing your emails, you can’t afford to get complacent. Around 156 million phishing emails are sent every day. These look to collect personal information or infect systems with malicious code. Spam filters catch around 90 percent of phishing emails, which leaves around 16 million sitting in inboxes.

Of these, around 10 percent get people to click through. That amounts to around 800,000 people every day who expose their accounts to hackers. Read up on ways to spot phishing emails so you don’t fall for them.

Don’t Forget About Your Mobile Devices

Many people mistakenly believe that hackers only target desktops and laptops, but in this increasingly mobile world, smartphones and tablets are also under attack. Last year, McAfee collected 2.47 million samples of new mobile malware last year. A whopping 744,000 of these were detected in 2013’s final quarter. These numbers represent a massive 197 percent increase over 2012 figures. It’s clear that hackers have mobile devices firmly in their sights.

Public networks and WiFi hotspots expose mobile users to security threats, but a good virtual private network, or VPN, can help you log in safely. VPNs create an end-to-end encrypted tunnel, which makes your sensitive data unreadable to cyber snoops.

As hackers are always finding more sophisticated ways to infiltrate systems, you should look for a VPN that is updated regularly. For example, at Hotspot Shield, we recently updated our app to support Apple’s new iOS 8 operating system. With our app, you’ll be protected by banking-level HTTPS encryption when accessing an unsecured network, and your IP will be masked at all times when browsing the Web.

Stories like the latest Gmail scare tend to cause public panic, but they can also serve as important reminders to improve online habits.

Image via Flickr by Cairo

Get the latest stories and tips from Hotspot Shield in your inbox