Russian hackers leak millions of Gmail IDs and passwords: report

11 Sep 2014

Russian hackers have leaked the email IDs and passwords of 4.93 million Google accounts, reports early on Wednesday said, alarming users of the popular email web service.

A hacker using the name TVskit has posted the account details on bitcoin forum btcsec.com. He added that approximately 60 per cent of the passwords were still active.

Google, however, said the danger has been greatly exaggerated. "We found that less than 2 per cent of the username and password combinations might have worked," the company wrote in a blog post, "and our automated anti-hijacking systems would have blocked many of those login attempts."

While acknowledging the leak, Google said that this was not due to a breach in its own systems.

"Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials," it said.

However, according to commentators, people who have used their Gmail password for other accounts would do well to change their password, www.smh.com.au reported.

Though 5 million combinations of Gmail addresses and passwords had been posted online on Tuesday, the passwords seemed to be old, and they did not appear to actually belong to Gmail accounts. Rather, it seemed that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak's victims as well as security experts.

For instance, some people might have signed up for a web site with the username "myaddress@gmail.com" and the password "mypassword." The list showed "mypassword" as the password for the Gmail account itself, but the user's actual Gmail password might be totally different.

Though it was not possible to confirm the authenticity of all the email addresses on the list, a Mashable employee, Evan Engel, saw that his old Gmail password, which he had not used in years, was in the list.

Mashable quoted a Google spokesman as saying that the company has "no evidence that our systems have been compromised." Also, there seemed to be agreement among security experts that the passwords were either old Gmail passwords obtained through phishing, or were passwords that were actually used on other sites.