Claims that Gmail has been hacked and five million passwords stolen appear to be overstated at best.
The scare follows the publication of a file by what appears to be a Russian user of a message board discussing Bitcoin security. The file contains around 4.9 million Google user names and passwords, with the original poster claiming more than 60 percent were still valid.
Google quickly shut down that claim, saying fewer than two percent of the details would potentially have worked, though in most cases its security systems would have caught out attempted abuse. To be on the safe side, it’s requiring those users to reset passwords.
Google stressed the list wasn’t the result of a breach of its security. Instead, the most likely explanation is that it’s a compilation of user names and passwords from breaches of other sites where accounts were linked to a Google address. It’s likely many of the pairings on the list consist of a Google address and a password used on another site.
Several sites, both in Russian and English, claim to check e-mail addresses against the “Google” list. Those who are told their address is on the list are then shown the first two characters of the listed password, with the rest of the characters replaced by asterisks. However, there have been several reports of people being shown passwords which are either years out of date, or were only ever used on non-Google sites.
Given even the slender risk that some of these checking sites might simply be trying to harvest active e-mail addresses for spam or phishing, there doesn’t seem much point in using them. Instead the best response to the “leaked” list is to not panic, but to take it as a reminder to follow good password security practices such as changing passwords regularly and not reusing passwords across multiple sites that handle sensitive data.