So a big panic hit the Internet a couple of days ago when it was alleged that Google had leaked 5 Million e-mail account passwords – and these had been posted on a Russian Bitcoin forum.
I was a little sceptical, as Google tends to be pretty secure on that front and they had made no announcement regarding the incident. The news was published on a number of fairly high profile, legitimate news sources as though it was real (TIME, CBS, FastCompany, IBT, The Independent & many more).
Some may say the whole thing was just an elaborate e-mail farming excercise as many articles cited a domain IsLeaked.com which registered a mere 2 days before the huge password leak..by Russians.
Plenty of room for conspiracy theories here.
In some cases, those alleged breaches are not quite what they seem to be. Case in point is a report first posted to a Russian Bitcoin forum site that information on nearly 5 million Google account holders was breached this week.
Any alleged attack against Google is noteworthy, and 5 million accounts is also a significant number. That said, the bigger questions that always should be asked in any breach coverage center on what was stolen and whether there is any real impact.
As a professional, facts are my currency, and speculation is just a cheap narcotic. So when I initially saw the first Google account breach reports, I held off on writing until the facts were revealed.
The facts are that Google itself was not breached and 5 million users are not actually at risk.
In a blog post Sept. 10, Google claimed that less than 2 percent of the username/password credentials in the Russian breach list were actually valid.
To add further fuel to the fire, Google noted that its automated anti-hijacking systems would limit the risk on the 2 percent that might be affected. Additionally, Google is now telling those people in the 2 percent list that they are required to reset their passwords.
Google did release something later about this ‘compromise’ and stated that less than 2% of the leaked e-mail addresses were valid credentials and all those that might have been effected have had their passwords forcibly reset.
The Google announcement is here: Cleaning up after password dumps
They also stated categorically that the leaked account details were not due to a compromise of any Google systems.
So to recap, it wasn’t 5 million “real” passwords, and of those that might be real, there is little user risk. It also was not actually an attack directly against Google’s infrastructure either.
“It’s important to note that, in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google stated. “Often, these credentials are obtained through a combination of other sources.”
So what does that mean? Simply put, Google account information is also used on non-Google systems and also might be stored outside of Google’s control or influence. An attacker can get a user account by a breach of a third-party system or more likely via a phishing attack against a user.
In this case, Google has made it painfully obvious that the risk is low with this credentials breach. Aside from the fact that only 2 percent of the account information might be valid, Google’s efforts to protect its users and its systems from attacks are exemplary. Alerting users to the potential of a highjack and requiring a new password is an excellent best practice.
The use of other security tools and techniques to detect anomalous account behavior is also admirable. As I’ve written in the case of the Apple iCloud security incident, it is incumbent on Internet vendors and online services to proactively defend users against fraud, and that’s precisely what Google is doing.
So basically yah, this is a whole lot of non-news about something that didn’t really happen. Either way, keep your accounts safe and set up 2FA please.
But it does show once again, Google is up on the security of its userbase and it intends to keep everyone safe. Because they need your data, that’s how they make money.