There are only two things you need to know about the Gmail mess from Wednesday:
- It was not a hack of 5 million Gmail accounts.
- Use Google to check the integrity of your account, not a third-party site like isLeaked.com.
And then go set up two-step authentication on your email.
1. Not a hack
When an account has been hacked, it has been compromised. Someone other than the owner has the digital keys to the account and has (usually) done something nefarious with it.
In the case of Wednesday’s latest identity leak, about 5 million Gmail accounts were posted publicly on a Russian website, along with passwords that might or might not have been associated with the accounts at some point in time.
The accounts and passwords did not come from Google servers, per the company. And Google asserts that fewer than 2% of the “username and password combinations might have worked.” The addresses represent about 1% of all Google accounts, based on numbers Google released in 2012.
Not. A. Hack. Even if news orgs say it’s so.
2. Don’t use isLeaked.com, use Google
Lots of media outlets pointed readers to isLeaked.com to check their email addresses against the now-pulled-from-view list of email accounts and passwords.
Google has a security tool you can use to check your account for suspicious activity. While you’re there, set up two-factor authentication to minimize the risk that you’ll lose your Google credentials.
Update, 2:30 Sept 11: Watt has updated his analysis
3. Practice safe email: use two-step authentication
Here’s how Google implements two-factor authentication:
- You log in to Gmail as usual.
- Google asks you to input a series of numbers, a verification code, that it has texted to your cellphone.
- Successfully pass those two steps and you have access to your Google account.
There are things you can do to access your account when you don’t have your cellphone, and you can save specific machines so that only your password is required to access your accounts. (Obviously, don’t do that on a public machine!)
Public data breaches are no longer the exception. They are the rule.
Protect yourself with two-step authentication. Create a decent password for each important account (bank, email, social media) and use it for that account only.
And take the headlines and tweets with a large dash of salt.
— KnowEm?™ (@KnowEm) September 10, 2014
Millions of Gmail accounts hacked, was yours one of them? http://t.co/Pb31no2nuJ
— Dave Winer ☮ (@davewiner) September 11, 2014
— AJ+ (@ajplus) September 10, 2014
5 million Gmail passwords were hacked and leaked, here’s how to check yours: http://t.co/T3fDJjOowp
— The Mary Sue (@TheMarySue) September 11, 2014
:: At TMV: Google accounts source of the latest “credential dump”
:: edited at 11:51 pm (re-ordered, put the tweets at the bottom)