
5 Million Google Passwords Show Up On Russian Forums

Source: GovInfoSecurity

Peter Kruse, the chief technology officer of CSIS Security Group in Copenhagen, Denmark, warns that 5 million Google account credentials surfaced on Tuesday on multiple Russian cybercrime forums. Google patrons are now urged to change their password and activate 2-step authentication. This discovery also includes stolen credentials from other web-based mail providers.

The good news is that the credentials stolen by cyberthieves may be as old as three years, if not older. That means many Google customers may not be at risk if they’ve recently changed their password. Still, the theft is alarming given that many Web surfers don’t update their login credentials on a regular basis.

"The security of our users' information is a top priority for us," a Google spokesperson told GovInfoSecurity. "We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts."

Kruse said that the data was dumped on several Russian cybercrime forums and shared through different peer-to-peer services. The origin of the data dump is unknown, but there’s a good chance the sensitive information was provided by several sources.

“We believe the data doesn’t originate from Google directly,” Kruse told PCWorld in an email. “Instead it’s likely it comes from various sources that have been compromised.”

According to the GovInfoSecurity report, there’s also a 109 MB text file in circulation that lists Google user names and email addresses. This file, presumably retrieved by CSIS Security Group, does not contain the passwords, but there are reports of versions that do carry the passwords. This is in addition to the data dump on the Russian cybercriminal forums.

There’s speculation that the stolen 5 million credentials are only the tip of the proverbial iceberg. Morten Kjaersgaard, CEO of Heimdal Security, theorizes that the actual data dump could be substantially larger. There’s also a possibility that the current dump was sold by hackers to someone who then posted the info on a single forum.

As previously stated, Google patrons should change their password on a regular basis. They should also use Google’s two-step authentication process, which includes an authenticator app for Android and Apple’s iOS platform. This method is a bit of a hassle, but it’s better than having the user’s sensitive information floating around the data-hungry cybercriminal community.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.


  • 6 Hide
    The3monitors , September 10, 2014 12:40 PM
    Yet the majority of cell phone services want us to login to google for services. Maybe this might be a bad thing.
  • 0 Hide
    allawash , September 10, 2014 1:20 PM
    A friend of mine just had his gmail account compromised in the last two weeks, was sending out automated phishing/scam emails.
  • 1 Hide
    Emanuel Elmo , September 10, 2014 1:34 PM
    or you can also enable 2-step authorization and be a bit more protected.
  • -6 Hide
    alidan , September 10, 2014 2:32 PM
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...
  • -2 Hide
    fkr , September 10, 2014 3:03 PM
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...



    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data
  • 4 Hide
    Emanuel Elmo , September 10, 2014 4:44 PM
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.

  • -1 Hide
    Amdlova , September 10, 2014 8:35 PM
    That sucks... And i thinking i Will have The lost password to my acc ;d dam russians
  • -2 Hide
    alidan , September 10, 2014 8:52 PM
    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.



    except that it requires a phone... explain how you bypass the phone part?

    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...



    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data


    i figure in the a 2 year plan thats required for it.
    100$ up front, 50 a month how long is the plan required? lets go with the 2 year that i remember, so it comes to 1300$ to enable 2 step for 2 years.
  • 1 Hide
    sjc1017 , September 11, 2014 3:34 AM
    I suddenly had someone resetting my guild wars 2 account yesterday so maybe this is connected to the original theft of GW 2 login details shortly after that launched.
  • 2 Hide
    christinebcw , September 11, 2014 5:22 AM
    Of course, if we only had 14-layer verification, we'd be even more protected - until they took all 14. "Well, with 28-!"
  • 0 Hide
    iogbrideau , September 11, 2014 1:47 PM
    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...



    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data

    You don't even need that if you want to go with the phone choice. You can get a prepaid phone for $100 with prepaid cards for $10 a month that you can use on unlimited texting.

    Then again you don't need a cellphone at all. If you want you can check the box for voice calling instead of the texting!

    And even then you don't need that either, if you have a tablet or any other Android or IOS device, you can get the google authenticator (or the IOS equivalent) and have it generate a code every 30 seconds, that you only have to enter on computers that never connected to your google account. They pretty much all have this and even other websites are starting to use that. Even Microsoft has it.
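How an authenticator app produces a code every 30 seconds without any phone service, as an added example that is not part of the comment above or of Google's code: the standard TOTP algorithm (RFC 6238, HMAC-SHA1) derives each code from a shared secret and the current time only. The secret below is the constructed RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, the interval mentioned in the comment

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 shared secret at a given Unix time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # enrolment secrets often omit padding
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, drift_steps=1):
    """Server side: accept the current step and its neighbours to tolerate clock drift."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        t = unix_time + step * STEP
        if t < 0:
            continue
        expected = totp(secret_b32, t)
        # Constant-time comparison so response timing does not leak digits.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    code = totp(SAMPLE_SECRET, now)
    print("code on the device:", code)
    print("accepted one step later:", verify(SAMPLE_SECRET, code, now + STEP))
    print("stolen password alone, guessed code:", verify(SAMPLE_SECRET, "000000", 59))
```

The device and the server compute the same value independently, so no SMS or network connection is involved once the secret has been enrolled.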
  • 0 Hide
    youssef 2010 , September 11, 2014 3:09 PM
    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.




    My thoughts exactly
  • 0 Hide
    stingstang , September 11, 2014 8:54 PM
    What if....a report like this is faked once someone figures out how to record all new passwords made to the account?
  • 0 Hide
    fkr , September 12, 2014 8:39 AM
    Quote:
    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.



    except that it requires a phone... explain how you bypass the phone part?

    Quote:
    Quote:
    Quote:
    or you can also enable 2-step authorization and be a bit more protected.

    Quote:
    or you can set up your 2-step authentication and be more protected.


    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...



    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data


    i figure in the a 2 year plan thats required for it.
    100$ up front, 50 a month how long is the plan required? lets go with the 2 year that i remember, so it comes to 1300$ to enable 2 step for 2 years.


    the plan is a prepay so you do not have any commitment as far as contract