Leaked Google Credentials Didn't Come From Google Breach, Says Google

By Kevin Parrish
published

On Wednesday, we reported that 5 million Google credentials, consisting of email addresses and passwords, surfaced on Russian cybercriminal forums. Security experts said that the data was 3 years old, if not older, meaning customers who change their passwords on a regular basis are likely not affected by the leak.

According to the Google Spam & Abuse Team, less than 2 percent of that information might have worked. However, the company's automated anti-hijacking systems would have blocked any attempt to use those credentials. The affected accounts are now protected, and Google has contacted the account owners, stressing that their passwords need to be changed immediately.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," the team said. "Often, these credentials are obtained through a combination of other sources."

We've seen this song-and-dance before. Web surfers who use the same login credentials across a number of services and websites are highly at risk. While remembering a zillion passwords can be a real pain, it's better than the financial agony cybercrooks can cause by breaking into the victims' bank accounts.

"We're constantly working to keep your accounts secure from phishing, malware and spam," the team added. "For instance, if we see unusual account activity, we'll stop sign-in attempts from unfamiliar locations and devices. You can review this activity and confirm whether or not you actually took the action."

Naturally, fending off hackers includes using a super-strong password that contains letters and numbers. For those with a bad memory, keep those passwords written down in a log. Two-step protection is also great, requiring the customer to use their smartphone to generate an authentication code. The team also points users to g.co/accountcheckup, which lists a number of Google-based security controls.

Peter Kruse, the chief technology officer of CSIS Security Group in Copenhagen, Denmark, said on Wednesday that the Google-based data was dumped on several Russian cybercrime forums and shared through different peer-to-peer services. The origin of the data dump was unknown, but there's a good chance the sensitive information was provided by several sources.

Kruse said that the payload didn't seem to originate from Google directly, but rather from various sources that were compromised.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

Kevin Parrish
Topics
Google
Security
10 Comments Comment from the forums
  • junkeymonkey
    its everyone else's fault other then your own --- usa all the way---
    Reply
  • irish_adam
    its everyone else's fault other then your own --- usa all the way---

    if you sign up to other websites using your gmail address and password then yeah it kinda is. Remembering loads of passwords is hard but even 2 different passwords help. One for your actual email accounts and then one to sign up to forums and other sites. Small sites like forums are prime targets for hackers as the security tends to be lax. All they have to do then is see if the password used on the forum is the same as the email address you used to validate the account. You can hardly blame google for that
    Reply
  • junkeymonkey
    everyone thinking the cloud is so great and want there files and life ''out there'' and depend one a out of your control security on a computer that's not yours at your house I mean what do they expect??

    like windows 7 and above your e-mails and info is on microsofts server some where in the world and not on your rig like it was with outlook in vista and below so if all your stuff is on a server in india what control or laws from here guard all this stuff??
    Reply
  • iatemyelf
    its everyone else's fault other then your own --- usa all the way---

    if someone steals from you... it's THEIR fault, not yours. stop victim blaming.
    Reply
  • junkeymonkey
    oh so its out there on the cloud its not your fault?? most time when you get ripped off it due to you ... you put it out there for them no one twisted your arm to do so ... you trusted them to guard your stuff and if your that stupid to believe they got your best interest in mind don't kid your self funny how they act AFTER a issue well too late then , right??
    Reply
  • Marcus52
    Google does a great job of pretending to protect your privacy - and collects more information on you than any other non-government organization.

    And if you want to try to provide a bit of security for yourself by keeping your online personae separate, they fight against you, trying to make you use your real name and expose you to the public without your consent.

    60 minutes mentioned their information gathering in one of their broadcasts, but said they think it wasn't a problem because they didn't "sell" it. Seriously? What do they gather it for then? Is it to give themselves clout, to give themselves a way of manipulating others? Like, J. Edgar Hoover didn't "sell" the information he gathered on political figures either - but he put it to use in benefiting his own agendas. He was an anti-American criminal that deliberately worked to subvert the Constitution and U.S. Supreme Court.

    So, the question becomes, if the breach came from other sites, how were all these accounts linked to Google in the minds of the investigators? They wouldn't have been unless something pointed to a common source. I don't believe Google for a second, and the comment about "We're constantly working to keep your accounts secure from phishing, malware and spam" shows that they are more interested in subverting opinion than reporting the facts and owning up to their part in creating a situation that makes it easier for criminals even if they weren't guilty of misusing the information themselves.
    Reply
  • Marcus52
    its everyone else's fault other then your own --- usa all the way---


    This kind of anti-USA comment could only come from someone totally ignorant of people, politicians, religious organizations, and business practices across the world.

    If we have any kind of dishonesty or inability to take responsibility based in our behavior, it is in large part because we learned it from our "Motherlands". In short, we are babies compared to the seasoned vets of Europe, Asia, and the Middle East when it comes to denying responsibility for our own actions or any other type of dishonest behavior.

    Our problems aren't so much founded in what we ourselves create as in the beliefs, attitudes, and behaviors we have inherited from those older societies. The question is whether our growth in areas stemming from the fundamental belief that we are all created equal in terms of our rights and how we should treat each other will overcome those societal ills before the old beliefs overcome and destroy the good coming from it.
    Reply
  • junkeymonkey
    This kind of anti-USA comment ??? explain.

    that is just the American way who takes there own blame here?? get real dude
    Reply
  • christinebcw
    Marcus, I'll bet companies have a far more vast awareness than any gov't bureaucraZy ever hoped for.
    Reply
  • Postulator
    No comments discussing the actual story? Okay, here goes.

    Google is right, they tend to ask questions when you are not using your "regular" browser - even if it's just that you've cleaned up cookies. I get a text if I try to log onto Google after a cleanup, or from IE.

    So turn on two factor authentication. Use a decent password (not "monkey", "123456", or "correcthorsebatterystaple". Use a password manager - there are plenty of free ones out there, and there are plenty of full-featured, quite expensive ones. Do not share your password. And finally, do not use one password on multiple sites.
    Reply