Google DID NOT Leak 5 Million E-mail Account Passwords

Use Netsparker


So a big panic hit the Internet a couple of days ago when it was alleged that Google had leaked 5 Million e-mail account passwords – and these had been posted on a Russian Bitcoin forum.

I was a little sceptical, as Google tends to be pretty secure on that front and they had made no announcement regarding the incident. The news was published on a number of fairly high profile, legitimate news sources as though it was real (TIME, CBS, FastCompany, IBT, The Independent & many more).

Google Password Leak

Some may say the whole thing was just an elaborate e-mail farming excercise as many articles cited a domain IsLeaked.com which registered a mere 2 days before the huge password leak..by Russians.

Plenty of room for conspiracy theories here.

In some cases, those alleged breaches are not quite what they seem to be. Case in point is a report first posted to a Russian Bitcoin forum site that information on nearly 5 million Google account holders was breached this week.

Any alleged attack against Google is noteworthy, and 5 million accounts is also a significant number. That said, the bigger questions that always should be asked in any breach coverage center on what was stolen and whether there is any real impact.

As a professional, facts are my currency, and speculation is just a cheap narcotic. So when I initially saw the first Google account breach reports, I held off on writing until the facts were revealed.

The facts are that Google itself was not breached and 5 million users are not actually at risk.

In a blog post Sept. 10, Google claimed that less than 2 percent of the username/password credentials in the Russian breach list were actually valid.

To add further fuel to the fire, Google noted that its automated anti-hijacking systems would limit the risk on the 2 percent that might be affected. Additionally, Google is now telling those people in the 2 percent list that they are required to reset their passwords.


Google did release something later about this ‘compromise’ and stated that less than 2% of the leaked e-mail addresses were valid credentials and all those that might have been effected have had their passwords forcibly reset.

The Google announcement is here: Cleaning up after password dumps

They also stated categorically that the leaked account details were not due to a compromise of any Google systems.

So to recap, it wasn’t 5 million “real” passwords, and of those that might be real, there is little user risk. It also was not actually an attack directly against Google’s infrastructure either.

“It’s important to note that, in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google stated. “Often, these credentials are obtained through a combination of other sources.”

So what does that mean? Simply put, Google account information is also used on non-Google systems and also might be stored outside of Google’s control or influence. An attacker can get a user account by a breach of a third-party system or more likely via a phishing attack against a user.

In this case, Google has made it painfully obvious that the risk is low with this credentials breach. Aside from the fact that only 2 percent of the account information might be valid, Google’s efforts to protect its users and its systems from attacks are exemplary. Alerting users to the potential of a highjack and requiring a new password is an excellent best practice.

The use of other security tools and techniques to detect anomalous account behavior is also admirable. As I’ve written in the case of the Apple iCloud security incident, it is incumbent on Internet vendors and online services to proactively defend users against fraud, and that’s precisely what Google is doing.

So basically yah, this is a whole lot of non-news about something that didn’t really happen. Either way, keep your accounts safe and set up 2FA please.

But it does show once again, Google is up on the security of its userbase and it intends to keep everyone safe. Because they need your data, that’s how they make money.

Source: eWeek

Posted in: Password Cracking, Privacy

,


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


2 Responses to Google DID NOT Leak 5 Million E-mail Account Passwords

  1. ben September 15, 2014 at 5:12 am #

    i think its odd to claim that we are all safe as… my account seems to have been breached and though my gmail was using another password now… it didnt help. i am on the list. google didnt alert me. my imdb password was using said older password and they emailed me as my password had been changed… not by me. my steam codes have been redeemed on humble (and not by my steam account)…. playing catch up and if my account wasnt leaked wtf is happening! Why didmt google tell me…

    • Darknet September 15, 2014 at 12:58 pm #

      It’s most likely your passwords were compromised via another method, malware or similar. Especially if you save your passwords in your browser, it’s very easy for a small piece of software to hijack those passwords.