Skip to main content

5 Million Google Passwords Show Up On Russian Forums

Peter Kruse, the chief technology officer of CSIS Security Group in Copenhagen, Denmark, warns that 5 million Google account credentials surfaced on Tuesday on multiple Russian cybercrime forums. Google patrons are now urged to change their password and activate 2-step authentication. This discovery also includes stolen credentials from other web-based mail providers.

The good news is that the credentials stolen by cyberthieves may be as old as three years, if not older. That means many Google customers may not be at risk if they’ve recently changed their password. Still, the theft is alarming given that many Web surfers don’t update their login credentials on a regular basis.

"The security of our users' information is a top priority for us," a Google spokesperson told Govinfosecurity. "We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts."

Kruse said that the data was dumped on several Russian cybercrime forums and shared through different peer-to-peer services. The origin of the data dump is unknown, but there’s a good chance the sensitive information was provided by several sources.

“We believe the data doesn’t originate from Google directly,” Kruse told PCWorld in an email. “Instead it’s likely it comes from various sources that have been compromised.”

According to the Govinfosecurity report, there’s also a 109 MB text file in circulation that lists Google user names and email addresses. This file, presumably retrieved by CSIS Security Group, does not contain the passwords, but there are reports of versions that do carry the passwords. This is in addition to the data dump on the Russian cybercriminal forums.

There’s speculation that the stolen 5 million credentials are only the tip of the proverbial iceberg. Morten Kjaersgaard, CEO of Heimdal Security, theorizes that the actual data dump could be substantially larger. There’s also a possibility that the current dump was sold by hackers to someone who then posted the info on a single forum.

As previously stated, Google patrons should change their password on a regular basis. They should also use Google’s two-step authentication process, which includes an authenticator app for Android and Apple’s iOS platform. This method is a bit of a hassle, but it’s better than having the user’s sensitive information floating around the data-hungry cybercriminal community.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

  • The3monitors
    Yet the majority of cell phone services want us to login to google for services. Maybe this might be a bad thing.
    Reply
  • allawash
    A friend of mine just had his gmail account compromised in the last two weeks, was sending out automated phishing/scam emails.
    Reply
  • Emanuel Elmo
    or you can also enable 2-step authorization and be a bit more protected.
    Reply
  • alidan
    or you can also enable 2-step authorization and be a bit more protected.
    or you can set up your 2-step authentication and be more protected.

    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...
    Reply
  • fkr
    or you can also enable 2-step authorization and be a bit more protected.
    or you can set up your 2-step authentication and be more protected.

    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data
    Reply
  • Emanuel Elmo
    14149042 said:
    or you can also enable 2-step authorization and be a bit more protected.
    or you can set up your 2-step authentication and be more protected.

    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...

    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.

    Reply
  • Amdlova
    That sucks... And i thinking i Will have The lost password to my acc ;d dam russians
    Reply
  • alidan
    14149823 said:
    14149042 said:
    or you can also enable 2-step authorization and be a bit more protected.
    or you can set up your 2-step authentication and be more protected.

    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...

    bro, you don't need a phone for 2 step authentication. You need to work on your communication skills and study up before you speak, cause you are really sounding so stupid.

    except that it requires a phone... explain how you bypass the phone part?

    14149256 said:
    or you can also enable 2-step authorization and be a bit more protected.
    or you can set up your 2-step authentication and be more protected.

    dont have a phone for that. yay, i need to spend 3000$ (phone+service cost) to not be hacked...


    with verizon prepay you can bring your own phone or get a moto g for $100 then service is only $50/month with unlimited talk and text and 1 gig data

    i figure in the a 2 year plan thats required for it.
    100$ up front, 50 a month how long is the plan required? lets go with the 2 year that i remember, so it comes to 1300$ to enable 2 step for 2 years.
    Reply
  • sjc1017
    I suddenly had someone resetting my guild wars 2 account yesterday so maybe this is connected to the original theft of GW 2 login details shortly after that launched.
    Reply
  • christinebcw
    Of course, if we only had 14-layer verification, we'd be even more protected - until they took all 14. "Well, with 28-!"
    Reply