There's no need to panic about the nearly five million compromised Gmail passwords that appeared in a Russian Bitcoin security forum this week, according to Google.
Fewer than 2% of the compromised username and password combinations work, Google's spam and abuse team said in a blog post late yesterday. They also say Gmail's automated anti-hijacking systems would block many potential login attempts.
"We've protected the affected accounts and have required those users to reset their passwords," team members wrote in the blog post. "One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' — the posting of lists of usernames and passwords on the Web. We're always monitoring for these dumps so we can respond quickly to protect our users."
Gmail is Google's free, cloud-based email service that is integrated with Google Docs.
Google responded this week to reports that hackers had gained access to the credentials of five million Gmail users. Username and password combinations appeared on Russian cybercrime forums.
Peter Kruse, head of the eCrime unit at CSIS Security Group in Copenhagen, said Wednesday that most of the nearly five million stolen Gmail passwords are about three years old, though many are still legitimate and functioning.
He said CSIS experts suspect several hackers worked together, possibly using an endpoint compromise.
Google was quick to note that its systems had not been hacked.
"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google's spam and abuse team wrote. "Often, these credentials are obtained through a combination of other sources."
John Shier, a senior security advisor with the U.K.-based security company Sophos, said some Gmail users have reported that their usernames and passwords were part of the dump, lending credence to the claim that these are legitimate Gmail credentials. He, too, doubts the dump followed a hack into Google's systems.
Instead, the compromise likely stems from people being lax in their use of unique, strong passwords.
"Let's say, you want to create a new account on Reddit," he explained. "It will ask you for a user name and very often that user name is your email address. And then you use the same password. Very often people use their Gmail address as their user name for a variety of different sites — just to identify themselves."
Google's team has the same theory.
"If you reuse the same username and password across Websites, and one of those Websites gets hacked, your credentials could be used to log into the others," they noted. "Or attackers can use malware or phishing schemes to capture login credentials."
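The response Google describes above (monitor for credential dumps, check which leaked pairs still work against your own accounts, force a reset on those) is something any service can do for its own users. The following is an added example, not code from Google or from this article: it parses a constructed `user:password` dump, checks each entry against a constructed local account store that holds only salted PBKDF2 hashes (the real service's store, its hashing scheme, and all the usernames and passwords here are assumptions), and reports which accounts need a forced reset plus the "how many still work" figure quoted in the article.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Hashing scheme assumed for the local account store: salted PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> Tuple[bytes, bytes]:
    """Create a (salt, hash) record; used only to build the constructed store below."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed account store: username -> (salt, pbkdf2 hash). Fabricated data.
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_account("correct horse battery staple"),
    "bob@example.com": make_account("Summer2011!"),
    "carol@example.com": make_account("hunter2"),
}

# Constructed credential dump in the common "user:password" text form.
# Entries are fabricated; one is for a user this service has never seen,
# one is a malformed line, and one holds a password alice no longer uses.
DUMP_TEXT = """\
alice@example.com:wrong-old-password
Bob@Example.com:Summer2011!
carol@example.com:hunter2
dave@example.com:notourcustomer
malformed line without separator
"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Split dump lines into (username, password); skip lines with no separator.

    Only the first ':' is treated as the separator so passwords containing
    ':' survive intact. Usernames are lower-cased for matching.
    """
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, password = line.partition(":")
        user = user.strip().lower()
        if user:
            pairs.append((user, password))
    return pairs


def triage_dump(text: str, accounts: Dict[str, Tuple[bytes, bytes]]):
    """Return (sorted usernames needing a forced reset, summary stats).

    Each dump password is hashed with the account's own salt and compared
    in constant time against the stored hash, so the store never needs
    plaintext passwords. Only matches ('still valid') trigger a reset.
    """
    to_reset = set()
    entries = 0
    known = 0
    for user, password in parse_dump(text):
        entries += 1
        record = accounts.get(user)
        if record is None:
            continue  # not our user; nothing to do
        known += 1
        salt, stored = record
        if hmac.compare_digest(_hash_password(password, salt), stored):
            to_reset.add(user)
    stats = {
        "entries": entries,
        "known_accounts": known,
        "still_valid": len(to_reset),
        "still_valid_pct": round(100.0 * len(to_reset) / entries, 1) if entries else 0.0,
    }
    return sorted(to_reset), stats


if __name__ == "__main__":
    users, stats = triage_dump(DUMP_TEXT, ACCOUNTS)
    print("force reset for:", users)
    print("stats:", stats)
```

Accounts that appear in the dump with a password that no longer verifies (alice here) are not reset, matching the article's point that most leaked pairs are stale; in practice a service would still want to log those sightings, since the user may have reused the old password elsewhere.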