Google DID NOT Leak 5 Million E-mail Account Passwords

Keep on Guard!


So a big panic hit the Internet a couple of days ago when it was alleged that Google had leaked 5 Million e-mail account passwords – and these had been posted on a Russian Bitcoin forum.

I was a little sceptical, as Google tends to be pretty secure on that front and they had made no announcement regarding the incident. The news was published on a number of fairly high profile, legitimate news sources as though it was real (TIME, CBS, FastCompany, IBT, The Independent & many more).

Google Password Leak

Some may say the whole thing was just an elaborate e-mail farming excercise as many articles cited a domain IsLeaked.com which registered a mere 2 days before the huge password leak..by Russians.

Plenty of room for conspiracy theories here.

In some cases, those alleged breaches are not quite what they seem to be. Case in point is a report first posted to a Russian Bitcoin forum site that information on nearly 5 million Google account holders was breached this week.

Any alleged attack against Google is noteworthy, and 5 million accounts is also a significant number. That said, the bigger questions that always should be asked in any breach coverage center on what was stolen and whether there is any real impact.

As a professional, facts are my currency, and speculation is just a cheap narcotic. So when I initially saw the first Google account breach reports, I held off on writing until the facts were revealed.

The facts are that Google itself was not breached and 5 million users are not actually at risk.

In a blog post Sept. 10, Google claimed that less than 2 percent of the username/password credentials in the Russian breach list were actually valid.

To add further fuel to the fire, Google noted that its automated anti-hijacking systems would limit the risk on the 2 percent that might be affected. Additionally, Google is now telling those people in the 2 percent list that they are required to reset their passwords.


Google did release something later about this ‘compromise’ and stated that less than 2% of the leaked e-mail addresses were valid credentials and all those that might have been effected have had their passwords forcibly reset.

The Google announcement is here: Cleaning up after password dumps

They also stated categorically that the leaked account details were not due to a compromise of any Google systems.

So to recap, it wasn’t 5 million “real” passwords, and of those that might be real, there is little user risk. It also was not actually an attack directly against Google’s infrastructure either.

“It’s important to note that, in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google stated. “Often, these credentials are obtained through a combination of other sources.”

So what does that mean? Simply put, Google account information is also used on non-Google systems and also might be stored outside of Google’s control or influence. An attacker can get a user account by a breach of a third-party system or more likely via a phishing attack against a user.

In this case, Google has made it painfully obvious that the risk is low with this credentials breach. Aside from the fact that only 2 percent of the account information might be valid, Google’s efforts to protect its users and its systems from attacks are exemplary. Alerting users to the potential of a highjack and requiring a new password is an excellent best practice.

The use of other security tools and techniques to detect anomalous account behavior is also admirable. As I’ve written in the case of the Apple iCloud security incident, it is incumbent on Internet vendors and online services to proactively defend users against fraud, and that’s precisely what Google is doing.

So basically yah, this is a whole lot of non-news about something that didn’t really happen. Either way, keep your accounts safe and set up 2FA please.

But it does show once again, Google is up on the security of its userbase and it intends to keep everyone safe. Because they need your data, that’s how they make money.

Source: eWeek

Posted in: Password Cracking, Privacy

,


Latest Posts:


SQLiv - SQL Injection Dork Scanning Tool SQLiv – SQL Injection Dork Scanning Tool
SQLiv is a Python-based massive SQL Injection dork scanning tool which uses Google, Bing or Yahoo for targetted, multiple-domain or reverse domain scans.
OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.


2 Responses to Google DID NOT Leak 5 Million E-mail Account Passwords

  1. ben September 15, 2014 at 5:12 am #

    i think its odd to claim that we are all safe as… my account seems to have been breached and though my gmail was using another password now… it didnt help. i am on the list. google didnt alert me. my imdb password was using said older password and they emailed me as my password had been changed… not by me. my steam codes have been redeemed on humble (and not by my steam account)…. playing catch up and if my account wasnt leaked wtf is happening! Why didmt google tell me…

    • Darknet September 15, 2014 at 12:58 pm #

      It’s most likely your passwords were compromised via another method, malware or similar. Especially if you save your passwords in your browser, it’s very easy for a small piece of software to hijack those passwords.