Wednesday, September 10, 2014

A List of 5 Million 'Gmail Passwords' Leaked, But There's No Need to Panic

It might be time to change some of your passwords — again. But if your Gmail password is one you don't use on any other account, you might not have to worry.

A list of almost 5 million combinations of Gmail addresses and passwords was posted online on Tuesday. But the passwords seem to be old, and they don't appear to actually belong to Gmail accounts. Instead, it seems that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak's victims as well as security experts.

For example, someone might have signed up for a website with the username "" and the password "mypassword." The list exposed this week makes it look like "mypassword" is the password for the Gmail account itself, but the user's actual Gmail password might be totally different.

The list was posted on a Russian Bitcoin forum on Wednesday, and US media started reporting on it overnight.

We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.

A Google spokesman told Mashable that the company has "no evidence that our systems have been compromised," and security experts seem to agree that the passwords are either old Gmail passwords obtained through phishing, or are passwords that were actually used on other sites.

Matteo Flora, a computer security expert, reviewed the dumped file and found that around 60 email addresses were in his address book. After he alerted those people, 30 of them told him that the password either was never used for their Gmail accounts or was very old, Flora told Mashable.

Chester Wisniewski, a senior security adviser for security firm Sophos, told Mashable that he expects many of these accounts not to be valid. "There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals," he said.

Several Reddit users also confirmed that they found their email addresses in the leak, but that the associated password has never been their Gmail password.

"The password that I generally use for other services is shown in this list and not my gmail password," wrote a Redditor nicknamed InternetOfficer. "This proves that the hackers hacked into some other service where gmail address (or other email addresses) are used and got the password of that service not gmail password."

"The password it shows (or at least the first two characters) is NOT from a password I've ever used on Gmail," wrote another Redditor, "but it does match a password I've used on bullsh*t I absolutely don't care about."

Some hints in the dump seem to point to several different sites that could have been compromised.

Both Flora and some Reddit users have noticed that some email addresses are followed by a "+" sign and the name of a website. (If you add "+" and a word to your Gmail address, like "," emails to that address can automatically be archived in a folder with the word you choose.) This might indicate which websites have been compromised. Some of the sites that have been identified this way include friendster, filedropper, xtube and freebiejeebies.
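The tag tally that Flora and the Reddit users describe can be automated. The following is an added example, not part of the original article: it assumes one `address:password` entry per line (the article does not state the dump's layout), and every sample entry is constructed. Passwords are never stored or returned.

```python
import re
from collections import Counter

# Constructed sample entries in an assumed "address:password" layout.
SAMPLE_DUMP = """\
alice+friendster@gmail.com:REDACTED1
Bob.Smith+FileDropper@gmail.com:REDACTED2
carol@gmail.com:REDACTED3
dave+friendster@googlemail.com:REDACTED4
erin+news+xtube@gmail.com:REDACTED5
frank+friendster@example.org:REDACTED6
not-an-entry
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
# Capture local part and domain; the password after ':' is deliberately not captured.
ENTRY = re.compile(r"^\s*([^@\s:]+)@([^@\s:]+):")


def parse_entry(line):
    """Return (canonical_mailbox, tag_or_None) for a Gmail entry, else None."""
    m = ENTRY.match(line)
    if not m:
        return None  # malformed line
    local, domain = m.group(1).lower(), m.group(2).lower()
    if domain not in GMAIL_DOMAINS:
        return None  # plus-tags on other providers are out of scope here
    # Everything after the first '+' is the tag; Gmail also ignores dots.
    base, _, tag = local.partition("+")
    return base.replace(".", "") + "@gmail.com", (tag or None)


def tally_tags(dump_text):
    """Count plus-tags across Gmail entries; returns (Counter, untagged_count)."""
    tags, untagged = Counter(), 0
    for line in dump_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        if parsed[1] is None:
            untagged += 1
        else:
            tags[parsed[1]] += 1
    return tags, untagged


if __name__ == "__main__":
    counts, untagged = tally_tags(SAMPLE_DUMP)
    for tag, n in counts.most_common():
        print(f"{tag}: {n}")
    print(f"untagged: {untagged}")
```

A tag that recurs across many unrelated mailboxes points at the site those users registered with; a tag seen once says little on its own.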

Even if this dump is simply a collection of old passwords belonging to minor sites, the issue is always the same: password reuse. If you tend to reuse your passwords, check this website to see if your Gmail address is on the list.

If it is, change your passwords, and choose long ones that combine special characters and numbers. Password managers can help you keep track of your accounts.

"And stop being silly and use the same password for everything," Flora said.

Also, as usual, enable two-factor authentication on services that provide it, including Gmail. That way those accounts are more secure, even in the event that someone steals your password.

Oh, and don't freak out.

"Ignore the man behind the curtain, keep your PC up to date, use a strong password and a second factor whenever possible," Wisniewski said. "Keep calm and move along."

(Source: Mashable)

