When news reports broke earlier this week about a massive leak of Google account passwords, there must have been plenty of users who took a big gulp.
Would their email address and password be amongst the alleged five million published on a Russian web forum? Was it possible that Google itself had been hacked, spilling secret information about its users?
There was certainly a lot of panic, but the truth was rather less traumatising.
No, Google didn’t suffer a security breach. Instead, it’s most likely that the credentials were amassed by hackers through a combination of keylogging malware, phishing schemes, and the careless reuse of the same passwords across multiple websites.
That last one is particularly important, and rarely understood by the typical computer user.
If you’re in the habit of using the same password on different websites you are playing a dangerous game of Russian Roulette with your online safety. If just one of the websites you use gets hacked and attackers get their paws on its password database, they will crack the hashes (or simply read the passwords, if the site stored them in plain text) and almost certainly try each email address and password pair against other popular services. That follow-on attack, known as credential stuffing, is automated and cheap, so a single weak site can cost you every account that shares the password.
Of course, people normally reject the idea of choosing different passwords for every website they use, and roll their eyes at the thought of remembering scores or even hundreds of complicated gobbledygook passwords that are hard for hackers to crack.
The reality is, of course, that simple password management programs can do all the remembering for you – and even suggest much safer passwords than ones the typical computer user is likely to dream up.
Regardless of how the Gmail passwords were accumulated, however, were the credentials dumped on Russian internet forums rapidly exploited en masse by plundering hackers?
Google says they weren’t. Indeed, in a blog post, the search giant’s security team claimed that only 2% of the credentials would have worked, and “an even smaller number used successfully”.
That’s a big difference from claims initially made that 60% of the passwords were legitimate.
Of course, none of this is to say that you can afford to be lackadaisical about your account security.
If you are concerned that your details might be amongst those that were published online, visit a site like haveibeenpwned.com. It’s run by respected security expert Troy Hunt, and can tell you not just if your email address was included in this stash, but in plenty of other password breaches that have occurred in the past.
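The article points at the email-address lookup on haveibeenpwned.com. The same service later added a Pwned Passwords lookup that lets you check a password against the breach corpus without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that range with a breach count; the match is made locally. The following is an added example (not code from the article, from Graham Cluley, or from Troy Hunt’s project) of that k-anonymity check. The range endpoint `https://api.pwnedpasswords.com/range/{prefix}` and the `SUFFIX:COUNT` line format are the service’s documented interface; the sample response body is constructed for offline use, and the User-Agent string is a placeholder you should replace with your own.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example: hashes locally, sends only a 5-character SHA-1 prefix,
and matches the returned suffix list on the client side.
"""
from __future__ import annotations

import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
USER_AGENT = "pwned-check-example/0.1"  # placeholder; the API requires some User-Agent


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' response body for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Fetch the suffix list for a 5-char prefix. Only the prefix leaves the machine."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": USER_AGENT}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_http) -> int:
    """How many times the password appears in the breach corpus (0 = unseen).

    fetch_range is injectable so the logic can be exercised offline.
    """
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample of what the range endpoint returns for prefix 5BAA6
# (the SHA-1 prefix of the password "password"). The suffix for "password"
# is real; the other suffixes and every count are made up for this example.
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E5E1B4B36F3A6F1C4A0A6A4F5F2D8C9E72:5\r\n"
)


def offline_demo() -> dict[str, int]:
    """Run the check against the constructed body for two passwords."""
    fake_fetch = lambda prefix: SAMPLE_RANGE_BODY  # noqa: E731
    return {
        "password": pwned_count("password", fake_fetch),
        "xK9#vQ2m$Lp7!wR4": pwned_count("xK9#vQ2m$Lp7!wR4", fake_fetch),
    }


if __name__ == "__main__":
    for pw, n in offline_demo().items():
        verdict = f"seen {n} times in breaches" if n else "not in the sample range"
        print(f"{pw!r}: {verdict}")
```

Because only five hex characters of the hash are transmitted, the server learns nothing more than that your password is one of the several hundred in that bucket, which is why this is safe to run against real passwords (swap in `fetch_range_http` for the live check). A non-zero count is a reason to change the password everywhere it is used, not just on the site that asked.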
Furthermore, make a point of ensuring that your online accounts are properly protected from attacks. Not just by choosing safer, harder to crack, unique passwords, but also by enabling two-factor authentication (2FA), so that a password on its own, however it was stolen, is not enough to log in as you.
More and more websites these days offer 2FA, just like your online bank probably does.
In Google’s case it’s called 2-step verification, and is explained simply in the following YouTube video.
Take better care of your online accounts, and chances are that you won’t find yourself panicking quite so much next time a scare story about a breach hits the headlines.
This article originally appeared on the Optimal Security blog.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.