Barely a week goes by without news that a major company's online systems have been breached. This week Google is in the spotlight after nearly five million Gmail passwords were reportedly leaked. Thankfully, it is not as bad as it seems.
A user named tvskit posted a list of 4.93 million English, Russian and Spanish Gmail addresses and passwords on the Russian Bitcoin security forum BTCsec.com on Tuesday, claiming to have successfully accessed at least 60 percent of the accounts. Google and security experts, however, believe that most of the passwords, which the forum's administrators have since removed, are either old or never belonged to Gmail accounts at all.
"There is no honor among thieves as they say," says Chester Wisniewski, senior security adviser for Sophos. "And often stunts like this are released as a sad attempt at gaining credibility among other criminals."
Reddit users who found their Gmail addresses on the list reported that the password beside the address was not the one they used for their Google account, or was one they had last used as long as three years ago. They also noticed that some of the listed addresses used Gmail's plus addressing: the username followed by a plus sign (+) and the name of a website. Gmail delivers anything sent to username+tag@gmail.com to username@gmail.com, so people use the tag to record which site they gave the address to, and the tag on a leaked entry points at that site rather than at Gmail.
This led Wisniewski and other experts to conclude that the credentials were harvested elsewhere: through phishing pages, malware, or breaches of other websites where users had signed up with their Gmail address and a password for that site. The password beside an address is then the one used on that site, and it only unlocks the Gmail account if the user reused it there. Google's statement supports this reading.
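The two observations above (plus-tagged addresses that point at third-party sites, and passwords that do not match the current Gmail password) can be checked mechanically. The following is an added example, not code from the article, Google, or the forum: it parses a constructed `email:password` dump, canonicalizes Gmail addresses (dots in the local part and anything after `+` are ignored by Gmail, and googlemail.com is an alias of gmail.com), counts the plus-tags to see which sites the entries appear to come from, and checks whether a given address is present and whether any leaked password equals the one still in use, comparing hashes in constant time so the live password is never placed beside leaked plaintext. All dump lines are constructed for illustration.

```python
"""Triage of a leaked "email:password" dump. Added example; the sample dump is
constructed and is not part of the real list."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample, not real leaked data. Format: email:password, one per line.
SAMPLE_DUMP = """\
alice.example+shopsite@gmail.com:Summer2011
bob.example+gameforum@googlemail.com:hunter2
carol.example@gmail.com:correcthorse
Alice.Example+newsletter@gmail.com:Summer2011
dave.example+shopsite@gmail.com:letmein
malformed line without a separator
"""

LINE_RE = re.compile(r"^([^:\s]+):(.*)$")

def parse_dump(text):
    """Yield (email, password) pairs, skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def split_gmail(addr):
    """Return (canonical_address, plus_tag) for an address.

    Gmail ignores dots in the local part and anything after '+', and
    googlemail.com is an alias of gmail.com, so every variant of one inbox
    collapses to a single canonical form. Other domains are only lower-cased.
    """
    local, _, domain = addr.lower().rpartition("@")
    if domain not in ("gmail.com", "googlemail.com"):
        return addr.lower(), None
    base, _, tag = local.partition("+")
    return base.replace(".", "") + "@gmail.com", (tag or None)

def tag_sources(dump_text):
    """Count the plus-tags, i.e. the third-party sites the entries appear to come from."""
    counts = Counter()
    for email, _ in parse_dump(dump_text):
        _, tag = split_gmail(email)
        if tag:
            counts[tag] += 1
    return counts

def entries_for(dump_text, my_addr):
    """All dump entries that deliver to my_addr's inbox, regardless of dots or +tag."""
    canon, _ = split_gmail(my_addr)
    return [(e, p) for e, p in parse_dump(dump_text) if split_gmail(e)[0] == canon]

def password_matches(leaked, current):
    """Compare hashes in constant time rather than the plaintexts directly."""
    h = lambda s: hashlib.sha256(s.encode()).digest()
    return hmac.compare_digest(h(leaked), h(current))

def check_me(dump_text, my_addr, my_current_password):
    """Summarize exposure: how many entries match, which sites the tags name,
    and whether any leaked password is the one still in use."""
    hits = entries_for(dump_text, my_addr)
    tags = {split_gmail(e)[1] for e, _ in hits}
    tags.discard(None)
    return {
        "entries": len(hits),
        "sources": sorted(tags),
        "current_password_leaked": any(password_matches(p, my_current_password) for _, p in hits),
    }

if __name__ == "__main__":
    print(tag_sources(SAMPLE_DUMP))
    print(check_me(SAMPLE_DUMP, "AliceExample@gmail.com", "Summer2011"))
    print(check_me(SAMPLE_DUMP, "carol.example@gmail.com", "NewPassw0rd"))
```

Run against the sample, the tag counts show two entries from "shopsite" and one each from "gameforum" and "newsletter", and the lookup for Alice's address finds both of her plus-tagged entries even though she typed the address without dots or a tag.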
"It's important to note that in this case, and in others, the leaked usernames and passwords were not the result of a breach of Google's systems," says the Google Spam & Abuse Team in a blog post. "Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others."
All the same, Google recommends that users take precautions: choose a strong password that mixes letters, numbers and other symbols, and change passwords periodically. Google also encourages users to turn on 2-Step Verification, which sends a random one-time code to the user's phone that must be entered in addition to the password. A leaked password alone is then not enough to sign in; an attacker would also need the code delivered to the user's phone. The single most effective precaution against a list like this one, though, is not to reuse the Gmail password on any other site, since reuse is exactly how Google says such lists are assembled.
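To make the mechanism concrete, here is an added example (not Google's implementation) of the server side of such a second step: the password is checked first, and only then is a six-digit random code minted and handed to an out-of-band delivery callback standing in for SMS. The code expires, is consumed on first successful use, and is discarded after a handful of wrong guesses, so someone holding only a leaked password cannot guess or replay it. The user store, the time-to-live, the attempt limit and the PBKDF2 parameters are assumptions for the example.

```python
"""Server side of a two-step login: password, then a one-time code sent out of band.
Added example, not Google's code. TTL, attempt limit and the in-memory user store
are assumptions made for illustration."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 5      # wrong guesses before a pending code is discarded (assumed)
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """Salted PBKDF2 so the user store never holds plaintext passwords."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class TwoStepLogin:
    def __init__(self, users, send_code, now=time.time):
        self.users = users            # {username: (salt, password_hash, phone)}
        self.send_code = send_code    # callable(phone, code): out-of-band delivery
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # username -> {"code", "expires", "attempts"}

    def start(self, username, password):
        """Step 1: verify the password. Only then mint a code and send it to the phone."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, password_hash, phone = record
        if not hmac.compare_digest(hash_password(password, salt)[1], password_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six random decimal digits
        self.pending[username] = {"code": code, "expires": self.now() + CODE_TTL, "attempts": 0}
        self.send_code(phone, code)
        return True

    def finish(self, username, code):
        """Step 2: verify the code. It expires, is consumed on success, and is
        thrown away after too many wrong guesses, so holding the password alone
        lets an attacker neither brute-force nor replay it."""
        p = self.pending.get(username)
        if p is None:
            return False
        if self.now() > p["expires"]:
            del self.pending[username]
            return False
        p["attempts"] += 1
        ok = hmac.compare_digest(p["code"].encode(), code.encode())
        if ok or p["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]
        return ok

if __name__ == "__main__":
    delivered = []                                   # stands in for the user's phone
    salt, pw_hash = hash_password("Summer2011")
    svc = TwoStepLogin({"alice": (salt, pw_hash, "+1-555-0100")},
                       send_code=lambda phone, code: delivered.append(code))
    # Attacker with the leaked password but not the phone: step 1 passes, step 2 fails.
    print("password accepted:", svc.start("alice", "Summer2011"))
    print("attacker guess:", svc.finish("alice", "123456"))
    # Legitimate user reads the code off the phone; replaying the same code then fails.
    svc.start("alice", "Summer2011")
    print("user with code:", svc.finish("alice", delivered[-1]))
    print("replay:", svc.finish("alice", delivered[-1]))
```

The property worth noticing is that a correct password does not by itself produce a session: it only produces a code that leaves the server through a channel the attacker does not control.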