5 million leaked Gmail passwords sounds pretty scary. But was it really?

Graham Cluley

When news reports broke earlier this week about a massive leak of Google account passwords, there must have been plenty of users who took a big gulp.

Would their email address and password be amongst the alleged five million published on a Russian web forum? Was it possible that Google itself had been hacked, spilling secret information about its users?

There was certainly a lot of panic, but the truth was rather less traumatising.

No, Google didn’t suffer a security breach. Instead, it’s most likely that the credentials were amassed by hackers through a combination of keylogging malware, phishing schemes, and the careless reuse of the same passwords across multiple websites.


That last one is particularly important, and rarely understood by the typical computer user.

If you’re in the habit of using the same password on different websites you are playing a dangerous game of Russian Roulette with your online safety. Because if just one of the websites that you use gets hacked, and attackers manage to get their paws on a cracked password database, they will almost certainly try that password against your other online accounts.

Of course, people normally reject the idea of choosing different passwords for every website they use, and roll their eyes at the thought of remembering scores or even hundreds of complicated gobbledygook passwords that are hard for hackers to crack.

The reality is, of course, that simple password management programs can do all the remembering for you – and even suggest much safer passwords than ones the typical computer user is likely to dream up.

Regardless of how the Gmail passwords were accumulated, however, were the credentials dumped on Russian internet forums rapidly exploited en masse by plundering hackers?

Google says they weren’t. Indeed, in a blog post, the search giant’s security team claimed that only 2% of the credentials would have worked, and “an even smaller number used successfully”.

That’s a big difference from claims initially made that 60% of the passwords were legitimate.

Of course, none of this is to say that you can afford to be lackadaisical about your account security.

If you are concerned that your details might be amongst those that were published online, visit a site like haveibeenpwned.com. It’s run by respected security expert Troy Hunt, and can tell you not just if your email address was included in this stash, but in plenty of other password breaches that have occurred in the past.
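Have I Been Pwned also offers a breached-password lookup (Pwned Passwords) that is designed so the checker never learns your password: you hash the password locally, send only the first five hex characters of the SHA-1 hash, get back every hash suffix in that bucket, and do the matching on your own machine. The Python sketch below is an added illustration of that "k-anonymity" scheme, not code from this article or from Have I Been Pwned; the four-entry BREACHED corpus with its made-up counts and the FakeServer class are constructed stand-ins for the real service.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen.
# The counts are invented for this example; real corpora hold hundreds
# of millions of entries.
BREACHED = {
    "password": 5,
    "123456": 9,
    "qwerty": 4,
    "letmein": 2,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the form the lookup uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeServer:
    """Illustrative server side: indexes breached hashes by 5-hex-char prefix
    and records which prefixes it was asked about, to show what it learns."""

    def __init__(self, corpus):
        self.ranges = defaultdict(list)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            # Store only the 35-character suffix and the count, as in a
            # 'SUFFIX:COUNT' response line.
            self.ranges[h[:5]].append(f"{h[5:]}:{count}")
        self.seen = []  # prefixes queried; the server never sees more

    def range_lookup(self, prefix: str) -> str:
        """Answer a range query: every suffix line for this prefix bucket."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        self.seen.append(prefix)
        return "\n".join(self.ranges.get(prefix, []))


def check_password(password: str, lookup) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at
    home. Returns how often the password appears, or 0 if it is not listed."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = FakeServer(BREACHED)
    for candidate in ("password", "correct-horse-battery-staple-7"):
        hits = check_password(candidate, server.range_lookup)
        verdict = f"seen {hits} time(s) in breaches" if hits else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes the server saw:", server.seen)
```

The point to notice is the `seen` list: for each check the server receives a five-character prefix shared by roughly one in a million SHA-1 hashes, so it can tell you a reused password has already leaked without ever being handed the password or its full hash.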

Furthermore, make a point of ensuring that your online accounts are properly protected from attacks. Not just by choosing safer, harder-to-crack, unique passwords – but also by enabling features such as two-factor authentication (2FA) that will make it much harder for hackers to gain access.

More and more websites these days offer 2FA, just like your online bank probably does.

In Google’s case it’s called 2-step verification, and is explained simply in the following YouTube video.

(Video: Using 2-step verification)

Take better care of your online accounts, and chances are that you won’t find yourself panicking quite so much next time a scare story about a breach hits the headlines.

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
