Nearly 5 million Gmail passwords were posted online by a hacker forum Wednesday, something Google on its security blog called "one of the unfortunate realities of the Internet today." But what can you do about it?
You might want to know if your Gmail account was compromised in the first place. Some tech sites are driving people to check using a website tool called IsLeaked.com. On this website, you enter your Gmail address and it spits out whether or not your username and password might have been publicly leaked.
But should you use this tool?
The website states that it doesn't collect the email addresses that are fed to it. As a further protection, it says that it also allows a user to replace up to three characters in their email address with asterisks. It gives this example: email@example.com enter firstname.lastname@example.org. This fragment of an email address is used to look for patterns.
"We respect your privacy," the site stated.
But some, like blogger James Watt, are wary of the website. Why? Because the first evidence of the leak on a Russian forum goes back to Sept. 9. Watt found, however, that the IsLeaked website was created on Sept. 8.
"If someone knew about the password leak on the 8th, why would they quietly make a website and then wait for someone else to break the story?" Watt wrote. "If they were truly trying to help, why not break the story themselves and thus ALERT users?"
TheNextWeb also didn't recommend using IsLeaked.com just in case the addresses could be used for spam later.
IsLeaked.com told TheBlaze that it first discovered a leak of passwords from the Russian search engine Yandex. The creators of IsLeaked.com said the leak came on Sept. 7. The website creators identified themselves to TheBlaze only as a "small team of IT specialists" and would not divulge their names or where they are based. The next day, they told TheBlaze in an email, there was another leak from mail.ru, which they said is a large email service in Russia. Then came the Gmail leak.
"Thus we decided to translate our website to English for people that will able to check their emails, because Gmail is a worldwide service," IsLeaked creators wrote.
If you want to become more secure, you don't have to check if your account was compromised in the leak. You could just update your password, but consider avoiding the ones on this list, as they're considered some of the most insecure password choices. For even more security, you could consider establishing a two-step verification system with your Gmail account, which would require another verification source if someone attempted to log into your account from an unknown device.
As for the extent of the leak, Google wrote on its blog that less than 2 percent of the usernames and passwords were actually valid. It also said that its "anti-hijacking systems would have blocked many of those login attempts."
Google has taken steps to protect the leaked accounts, requiring those users to reset their passwords.
Google also stated that the leak was not the result of a breach of its own system.
"Often, these credentials are obtained through a combination of other sources," Google said.