Another credential scare has turned up online, this time for one of the world’s largest free email services. The emails and passwords of nearly 4.66 million Gmail users have turned up on a Russian Bitcoin forum, traced backed to English, Russian and Spanish users of the service. It’s from where or how the list was collected, but it’s said that many of the logins are outdated.
News of the list was first reported by Russian news outlet CNews, which states that 4.93 million addresses and passwords were posted to the forum in plain text. The posting follows another recent posting that listed 4.66 million logins for Mail.ru accounts and another that had 1.26 million credentials for Yandex. Several thousand logins for Yandex are also included in the Gmail posting.
A representative for Google in Russia told CNews that the company understood what happening in this case, but urged users to use strong passwords and two-step authentication. A representative in the United States told PC World something similar in regard to passwords, but mentioned that the company has “no evidence that [Google’s] systems have been compromised.” The representative added that Google takes steps to help secure accounts when news comes they’ve been compromised.
It’s likely that the list of Gmail accounts is actually a collection that has been built up over time, much like the 1.2 billion unique credentials that a Russian hacking cell collected according to an August report. Booth Google Russia and Yandex told CNews that it was likely from data collected from infected computers. The party responsible for the post, going by the user name “tvskit,” states that 60 percent of the logins are valid.
The list has since been removed from the Bitcoin forum, but analysts believe the information in the credential list is outdated. Peter Kruse of CSIS Security Group told PC World that based on the data and “correlations with past leaks” the information could be up to three years old. It lends to the theory that Google itself wasn’t targeted, but rather multiple sites that use Gmail addresses for logins.
Those curious if their login was captured on the list can check Isleaked.com to see if it turns up. However, the site isn’t an official channel, so entering in any information is done at the user’s risk. With the number of accounts, even if most of the information is outdated, it may be a good time to change Gmail passwords and enable two-step authentication as a precaution.
