Another massive list of email addresses and alleged corresponding passwords was leaked online Tuesday, this time on a Russian Bitcoin security forum called btcsec.com.
The list of 5 million credentials has since been taken down and Google responded to the incident by stating no evidence shows its systems have been compromised.
“The security of our users is of paramount importance to us,” said a Google representative. “Whenever we become aware that an account has been compromised, we take steps to help our users secure their accounts.”
The user who released the personal information, identified as ‘tvskit,’ claimed 60 percent of the email and password combinations were valid. However, researchers believe the list is quite outdated and was likely obtained from past breaches.
Peter Kruse, Chief Technology Officer at CSIS Security Group, said, “We can’t confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate.”
CSIS researchers estimate the data is about three years old based on connections from previous leaks. Researchers confirmed that various logins were never actually used for Gmail or Google accounts, but instead as usernames on other websites.
Tripwire’s Chief Technology Officer Dwayne Melancon said the incident is not surprising. “Gmail’s large user base makes it a popular target and we’ve also seen that many users are eager to respond to phishing campaigns, putting their login details into bogus sites.”
“Additionally, those same users may also be inclined to keep the same password for an extended period of time,” said Melancon. “Put all of this together, and a high percentage of these credentials may very well still be valid.”
Although it’s easy for users to create ‘disposable’ Gmail accounts for certain websites, the question is: “How many of these credentials lead to valuable information, and how many lead to low-value accounts?”
Melancon said, “Of course, even a low-value email account becomes a weapon in the hands of phishers and scammers.”
Regardless of where the data is coming from, users are advised to change their passwords on websites where their usernames are associated with their Gmail address.
“Google’s increased emphasis on multi-factor authentication is a great move toward more security, particularly for those using Gmail for work or active personal communication,” said Melancon.
As always, use complex, unique passwords for any account of value and add multi-factor authentication whenever possible.