In a quick response to a leaked list of millions of Gmail credentials, Google has clarified it wasn’t breached and that only two percent of username and password combinations might have worked.
News spread on Wednesday of a file published on a Russian Bitcoin forum containing nearly five million username and password combinations, most of them for Gmail users but also for Yahoo and Russia’s yandex.ru. According to Troy Hunt, the Australian security researcher who operates the compromised-password checker haveibeenpwned.com, the file contained 123,000 yandex.ru email addresses and passwords.
Initial responses to the leaked file on Reddit suggested some of the credentials could be old, meaning the username and password combinations in the file were no longer valid and would have little impact on the users listed; however, security experts who have parsed the file believe that while the credentials were gathered over several years, many of them remain current.
Late Wednesday, Google’s Spam and Abuse team issued a statement denying that the credentials in the file were obtained through a breach of its systems, pointing instead to “other sources”: people reusing the same password on other sites that may have been breached, as well as credential-stealing malware and phishing.
“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources,” said Google.
The company also said that the vast majority of credentials couldn’t be used to gain entry to Gmail accounts.
“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords,” said Google.
Still, two percent of five million amounts to 100,000 accounts with credentials now in the public domain.
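As an added illustration, not code from the article or from Google, the triage Google describes (working out which leaked pairs would still work and forcing resets only on those) can be run against a salted-hash user store so that leaked plaintext is compared but never stored or logged; the accounts, passwords and dump lines below are constructed for the example:

```python
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor; constructed example, tune for production

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_store(plain):
    """Build a salted-hash store from plaintext; used only to construct sample data."""
    store = {}
    for email, pw in plain.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(pw, salt))
    return store

def parse_dump(text):
    """Parse 'email:password' lines, skipping malformed ones and normalising email case."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, _, pw = line.partition(":")  # split on the first colon only
        pairs.append((email.strip().lower(), pw))
    return pairs

def triage_dump(dump, store):
    """Sort leaked pairs into current / stale / unknown; only emails leave this function."""
    result = {"current": [], "stale": [], "unknown_user": []}
    for email, pw in parse_dump(dump):
        rec = store.get(email)
        if rec is None:
            result["unknown_user"].append(email)
            continue
        salt, stored = rec
        if hmac.compare_digest(hash_password(pw, salt), stored):
            result["current"].append(email)  # would work today: force a reset
        else:
            result["stale"].append(email)    # old password, or one reused elsewhere
    return result

# Constructed sample data (hypothetical accounts): alice's leaked password is current,
# bob's is an old one, carol has no account here, and one line is malformed.
SAMPLE_STORE = make_user_store({"alice@example.com": "correct horse",
                                "bob@example.com": "new-pass-2014"})
SAMPLE_DUMP = ("alice@example.com:correct horse\nBob@example.com:old-pass-2012\n"
               "carol@example.com:whatever\nthis line is malformed\n")
```

Only the "current" bucket needs a forced reset; the "stale" and "unknown_user" buckets are still worth noting, since those users may be reusing the leaked password elsewhere.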
Similar to Apple’s response following last week’s Celebgate iCloud leaked photo scandal, Google advised users to activate two-factor authentication in addition to its other account recovery options.
Following the breach of celebrities’ iCloud accounts, Apple CEO Tim Cook promised to “broaden” the company’s use of two-factor authentication in iCloud, and to send email and push-notification alerts to users when an account’s password is changed or when a new device is used to restore or log into an iCloud account.
While Apple did enable two-factor authentication for iCloud, researchers spotted last year that it did not extend the additional protection to iCloud backups, meaning an attacker with the correct username and password could download backed-up photos.