Five million Gmail credentials posted online

[Updated to clarify that the Gmail account passwords exposed were not necessarily those for your Gmail account.]

According to reports that started to appear on Reddit and other forums on September 9, some five million account credentials were published that have a Gmail address as the user name. For example, if you subscribed to a newsletter on the site using as your user name and the password thumbsup then it is is possible this may have been made public. How? Possibly was hacked at some point in the past.

The site where the data was published referred to itself as Bitcoin Security and the language of the site that published the email addresses with matching passwords is Russian.

Some people who reviewed the data said that in most cases, the passwords were five years old and did not allow access to their accounts. However, apparently some were still current and reports of attempts to use the credentials have been seen. The assumption is that this compromised data is a collection of credentials obtained by phishing campaigns or malware attacks over recent years.

A website called appeared during the day purporting to allow people to check if their Gmail address had been compromised. However, as of right now, it does not appear to be functioning correctly and frankly I would not go there. Instead, you can check your email address at this site — Have I been pwned — which is run by Troy Hunt, a trusted Microsoft MVP.

The Russian site CNews was the first to publish a story about the credentials and connected them to other recent leaks such as the one affecting Yandex, a popular search engine in Russia. Later TheDailyDot published a screenshot of leaked credentials belonging to Spanish, English and Russian speakers.

Representatives from Google and Yandex issued assurances that their systems had not been compromised, but as mentioned above, the keys had been stolen by phishing campaigns and unauthorized access to user accounts (in other words, not leaked by the system for which the credentials were created, but by users of those systems).

Obviously, Gmail account credentials themselves are of great value, given that they provide access to so many Google services, such as Google+ and Google Maps. Access to those two services alone could potentially reveal your home address and allow a stranger to see who your friends are. The lesson here is that if you use a Gmail address as a user name at some site or online service, you should NOT use your Gmail password with that. Remember: different passwords for different sites/services.

For safety’s sake, I just went and changed my Gmail password and I suggest you consider doing the same, even though it is a real pain. I already have two-factor authentication enabled on my Google account and recommend you do this for Google and other accounts that support it. Here is a handy list for some popular services that offer 2FA:

If you want to implement two factor authentication for access to your website, there are a number of options available, including ESA which you can learn about here.

I hope this information helps. I also hope we see some arrests of the criminals who keep exposing other people’s private information: doing so is illegal in most countries and a total jerk move wherever you live. (I recently wrote about the need to pressure governments to act against cyber criminals.)

Big hat tip to Sabrina Pagnotta of ESET LATAM office for her early reporting and research on this news.


Author Stephen Cobb, ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.