A list of nearly five million Gmail login credentials was posted on a Russian forum earlier this week. Initial reports led to the speculation that Google itself had been hacked. The good news is that doesn’t appear to be the case, the bad news is that the list is real, and your account might be on it.
The leaked list contains millions of account names that have been collected from third party websites that either use Google account integration, or from accounts that used Gmail as their usernames. The list appears to have been collected over a long period of time, which has led many security experts to believe that the majority of the credentials are out of date.
So what does this mean for you? When it comes to account security, it is better to err on the side of caution. Google stated in a blog post late Wednesday that “less than 2% of the username and password combinations might have worked,” however, given the size of the leak, that is still a considerable risk. Users who haven’t changed their password in a few months, or that use the same username and password combination on multiple sites, are at the most risk from this leak.
If you believe that your account could have been compromised (or even if you don’t, and you want to be safe), change your Gmail password to something completely different. Gmail also offers 2-step verification to protect user accounts. 2-step verification requires a user to enter a verification code the first time they sign in to their account from a new device. This means that even if someone attained your full username and password, they would still be unable to access your information.
If nothing else, this credential leak should serve as a reminder to follow proper account safety precautions. Change your account passwords frequently, the more often the better. Never use the same password across multiple websites or programs. Finally, consider adding 2-step verification to your most important accounts. Short of the physical theft of your devices, 2-step verification will make it nearly impossible for cybercriminals to gain access to your accounts.
– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer
