Ten years ago, Google launched gmail.
Two years ago, gmail became the world’s largest email service.
Today there are more than 425 million monthly users … and we learned that as many as 5 million accounts were leaked on a Russian website (along with passwords that may or may not be associated with the account).
That’s about 1% of Google’s publicly announced accounts.
And according to Google, less than 2% of that 1% were email/password combinations that might have let someone log in to someone else’s Google account:
We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.
Google said that there was no breach of its systems. So how would the bad guys get their mitts on such a mass of credentials?
Folks use their gmail addresses to set up accounts on other sites. Breaches of those sites are disclosed semi-regularly, and the dumps often include the email addresses used to register, so a gmail address and a password can leak without Google itself ever being breached. (Remember to use a different password from the one associated with the email account.)
#Gmail #leak of 5 million accounts confirmed legit. They likely originate from various sources. Most passwords more than 3 years old.
— peterkruse (@peterkruse) September 10, 2014
From Will Oremus at Slate:
The most likely hypothesis I’ve heard is that they’re actually passwords cobbled together from all sorts of hacked sites across the Web over the years. Perhaps some industrious hacker assembled such a master list and then filtered it down to a list of only those in which the username happened to be a Gmail address. This would fit with the news that hackers have recently leaked similar lists for users of the Russian email services Yandex and Mail.Ru. I wouldn’t be surprised if we soon see a list of stolen passwords that correspond only to Yahoo Mail accounts, or to Hotmail accounts.
Remember, your Google account is the key for YouTube, gmail and G+.
How to protect yourself
You already know that you shouldn’t use the same password for multiple accounts. Today’s news is yet another reminder of that truth.
But rather than just avoiding a bad habit, here’s something you can and should actively do: turn on two-factor (or two-step) authentication.
Now.
Your identity will be better protected by implementing two-factor authentication than by simply changing your password.
Here’s how Google implements two-factor authentication:
- You log in to gmail as usual, with your password.
- Google asks you to enter a verification code, a short string of digits, that it has texted to your cellphone.
- Pass both steps and you have access to your Google account.
This means that someone who has only your leaked password still can’t get in: you’re pretty safe so long as you don’t also lose your cellphone.
And lest you start thinking about the hassle of verification when you’re using your own laptop, stop: you can tell Google to remember a specific piece of hardware, which means your password alone unlocks that browser from then on.
Worried about not having your phone or not having access to cellular data? Then print or download one-time-use backup codes, or use the Google Authenticator app for iOS, Android and BlackBerry phones, which generates the codes on the device without needing a text message.
Take headlines and tweets with a grain of salt
Assuming that Google is being truthful, this was a Dump of info. Not a Hack of 5 million gmail accounts.

Use Google’s Account Checkup to see if anyone else has logged into your Google account recently. Check those applications that you’ve authorized to access your account while you’re at it.
Then go check Facebook and Twitter, too.
(Snigger: the most popular mobile device used to read gmail? The iPhone.)
:: More at WiredPen: a data dump, not a hack