Google has called the dumping of user credentials “one of the unfortunate realities of the Internet today”
In a blog post by Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher of the Google Spam and Abuse Team, Google acknowledged the dump, but said that fewer than two per cent of the username and password combinations might have worked, and that those would mostly have been blocked by its automated anti-hijacking systems.
It said: “We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials. We’ve protected the affected accounts and have required those users to reset their passwords.
“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.”
Instead, it said that these credentials were the result of users reusing the same username and password across websites: if one website is hacked, those credentials can be used to log into the others. Attackers can also use malware or phishing schemes to capture login credentials directly. So was this a credential horror story for Google, or an opportunity to promote stronger authentication?
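The check Google describes (matching a circulating dump against its own accounts and forcing a reset only where the credentials still work) as an added example, not Google's or any quoted vendor's code. The user store, the PBKDF2 hashing scheme and the dump lines are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed site credential store; plaintext appears here only to build the sample.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "Tr0ub4dor&3",
}

# Constructed dump in the "email:password" form such lists circulate in.
SAMPLE_DUMP = """\
alice@example.com:correct horse battery staple
BOB@example.com:hunter2
carol@example.com:password123
dave@example.com:letmein
not a credential line
"""

ITERATIONS = 50_000  # assumed work factor for the sample store


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_store(users):
    """Hash each sample password with a fresh random salt: email -> (salt, digest)."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def parse_dump(text):
    """Return (email, password) pairs, skipping lines that are not credentials."""
    creds = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        creds.append((email.strip().lower(), password))
    return creds


def check_dump(store, dump_text):
    """Return (accounts whose current password is in the dump, number of lines checked).

    Unknown users and stale passwords are ignored, which is why the hit rate on
    an aggregated dump is far below 100%. Flagged accounts get a forced reset."""
    creds = parse_dump(dump_text)
    hits = set()
    for email, password in creds:
        entry = store.get(email)
        if entry is None:
            continue
        salt, digest = entry
        if hmac.compare_digest(hash_password(password, salt), digest):
            hits.add(email)
    return hits, len(creds)
```

The dump password is re-derived with each user's own salt and compared in constant time, so the check runs against a properly hashed store without ever storing plaintext.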
TK Keanini, CTO of Lancope
“The only thing that makes five, ten or even 20 million stolen accounts useful is when they work, and by changing the password or moving to two-factor authentication, you bring the value of these leaked accounts to zero! Do your part in making it harder for the bad guys.
“There is some pretty solid evidence that this was not an attack on Google directly, as users have reported that accounts were from 20+ other sites on the Internet dating back to 2008. If you are still using the same password for an account you established in 2008, you have a near zero chance of it being secure. Many of these sites are PHP based, so it may be a zero day in PHP, or I would not be surprised if this is just the aggregation of years of phishing and Heartbleed attacks, as those two alone could have generated these types of numbers over the years.”
Troy Gill, manager of security research at web and email security company AppRiver
“We often see a single themed phishing or malware campaign coming in by the millions of messages per hour and that figure is just a fraction of the actual bandwidth of the email campaign. Given the fact that some cyber crime groups are capable of sending millions of phishing or malicious messages per hour, it is plausible that a group may have accumulated five million Gmail username/password combos over the course of many years.
“Even if just two per cent of these are still valid, that equates to 100,000 stolen credentials, which is still significant. Not to mention the high likelihood that many of these users are also currently using the very same password to access other online accounts. This should serve as a reminder of the danger of using passwords across multiple accounts, since a username or password discovered here could also be used to gain access to a different account. This is a great opportunity for all Gmail users (not just those who think they have been affected) to update their password with a new and strong replacement.”
Peter Armstrong, director of the cyber security business at Thales UK
“Breaches like this serve to remind us not just of the sheer scale on which these cybercrime groups now operate, but of the lengths to which they will go to obtain personal details. Security threats are evolving in countless different forms on a daily – if not hourly – basis. Large organisations, such as Google, need a robust approach to cyber attacks, one that anticipates risk and aims to prevent hacks, with a clear plan in place for when they do happen. This means regular checks for malware and vulnerabilities.
“Cyber security is also a personal issue. Whilst organisations do have a responsibility to protect private customer data, mistakes will happen and consumers themselves can help limit the effect under the circumstances. Using strong passwords and enabling two-step login verification can help mitigate the threat to personal data in these circumstances. It is also advisable to avoid using the same password for multiple application environments and to change them regularly using upper case, lower case and special characters: this can be a pain but it really does make a difference.”