There are only two things you need to know about the gmail mess from Wednesday:
- It was not a hack of 5 million gmail accounts.
- Use Google to check the integrity of your account, not a third party site like isLeaked.com.
And then go set up two-step authentication on your email.
1. Not a hack
When an account has been hacked, it has been compromised. Someone other than the owner has the digital keys to the account and has (usually) done something nefarious with it.
In the case of Wednesday’s latest identity leak, about 5 million gmail accounts were posted publicly on a Russian website, along with passwords that might or might not have been associated with the accounts at some point in time.
The accounts and passwords did not come from Google servers, per the company. And Google asserts that fewer than 2% of the “username and password combinations might have worked.” The addresses represent about 1% of all Google accounts, based on numbers Google released in 2012.
Not. A. Hack. Even if news orgs say it’s so.
2. Don’t use isLeaked.com, use Google
Lots of media outlets pointed readers to isLeaked.com to check their email addresses against the now-pulled-from-view list of email accounts and passwords.
James Watt (@Gtwy) points out that isLeaked was registered only two days before the data dump. Don’t give your email address to any ole website, folks!
Google has a security tool you can use to check your account for suspicious activity. While you’re there, set up two-factor authentication to minimize the risk that you’ll lose your Google credentials.
Update, 2:30 Sept 11: Watt has updated his analysis
3. Practice safe email: use two-step authentication
Here’s how Google implements two-factor authentication:
- You log in to gmail as usual.
- Google asks you to input a series of numbers, a verification code, that it has texted to your cellphone.
- Successfully pass those two steps and you have access to your Google account.
There are things you can do to access your account when you don’t have your cellphone, and you can save specific machines so that only your password is required to access your accounts. (Obviously, don’t do that on a public machine!)
Public data breaches are no longer the exception. They are the rule.
Protect yourself with two-step authentication. Create a decent password that is a single-use item for important accounts (bank, email, social media accounts).
And take the headlines and tweets with large dash of salt.
Security Alert: Was Your Gmail Account Hacked? http://t.co/xeHpZ7NqKx by @streko via @knowem #security #Gmail #hack
— KnowEm?™ (@KnowEm) September 10, 2014
If you love gmail, hope you’ve got more than one password. 5M accounts #hacked #WCVB http://t.co/ZnCggzyahc — Pam Cross (@PamWCVB) September 10, 2014
Millions of Gmail accounts hacked, was yours one of them? http://t.co/Pb31no2nuJ
— Dave Winer ☮ (@davewiner) September 11, 2014
Now might be a wise time for you to change your Gmail password. #gmailhacked https://t.co/decpRs0h5u
— AJ+ (@ajplus) September 10, 2014
Find out if your Gmail password was 1 of the 5 million hacked: http://t.co/BrumQsOJuT pic.twitter.com/LYDVLC7vKY — POPSUGAR Tech (@POPSUGARTech) September 11, 2014
5 million Gmail paswords were hacked and leaked, here’s how to check yours: http://t.co/T3fDJjOowp
— The Mary Sue (@TheMarySue) September 11, 2014
:: At TMV: Google accounts source of the latest “credential dump”
:: edited at 11:51 pm (re-ordered, put the tweets at the bottom)
6 replies on “5 million Google accounts in the wild: data dump, not a hack”
@Webroot I wrote about it last night >
5 million Google accounts in the wild: data dump, not a hack http://t.co/hNURBak3GF
5 million Google accounts in the wild: data dump, not a hack http://t.co/upmHBzN5v9 via @kegill
.@Gtwy LOL – here’s both:
5 million Google accounts in the wild: data dump, not a hack
FYI – I’ve quoted you on #google #gmail leak
[…] (Snicker: the most popular mobile device used to read gmail? The iPhone.) Logo via Flickr, CC. :: Follow me on Twitter :: More at WiredPen: a data dump, not a hack […]
@DanTGilbert Not a hack, data dump w/most pswds not viable.
@KnowEm overstates threat in headline.