Personal Technology

5 million Google accounts in the wild: data dump, not a hack

There are only two things you need to know about the gmail mess from Wednesday:

  1. It was not a hack of 5 million gmail accounts.
  2. Use Google to check the integrity of your account, not a third party site like

And then go set up two-step authentication on your email.

1. Not a hack

When an account has been hacked, it has been compromised. Someone other than the owner has the digital keys to the account and has (usually) done something nefarious with it.

In the case of Wednesday’s latest identity leak, about 5 million gmail accounts were posted publicly on a Russian website, along with passwords that might or might not have been associated with the accounts at some point in time.

The accounts and passwords did not come from Google servers, per the company. And Google asserts that fewer than 2% of the “username and password combinations might have worked.” The addresses represent about 1% of all Google accounts, based on numbers Google released in 2012.

Not. A. Hack. Even if news orgs say it’s so.

2. Don’t use, use Google

Lots of media outlets pointed readers to to check their email addresses against the now-pulled-from-view list of email accounts and passwords.

James Watt (@Gtwy) points out that isLeaked was registered only two days before the data dump. Don’t give your email address to any ole website, folks!

Google has a security tool you can use to check your account for suspicious activity. While you’re there, set up two-factor authentication to minimize the risk that you’ll lose your Google credentials.

Update, 2:30 Sept 11: Watt has updated his analysis

3. Practice safe email: use two-step authentication

Here’s how Google implements two-factor authentication:

  • You log in to gmail as usual.
  • Google asks you to input a series of numbers, a verification code, that it has texted to your cellphone.
  • Successfully pass those two steps and you have access to your Google account.
two step authentication
How two-step authentication works. Code texted to your cellphone; you enter it on website. Image: Google.

There are things you can do to access your account when you don’t have your cellphone, and you can save specific machines so that only your password is required to access your accounts. (Obviously, don’t do that on a public machine!)

Public data breaches are no longer the exception. They are the rule.

Protect yourself with two-step authentication. Create a decent password that is a single-use item for important accounts (bank, email, social media accounts).

And take the headlines and tweets with large dash of salt.





:: At TMV: Google accounts source of the latest “credential dump”
:: edited at 11:51 pm (re-ordered, put the tweets at the bottom)

By Kathy E. Gill

Digital evangelist, speaker, writer, educator. Transplanted Southerner; teach newbies to ride motorcycles! @kegill

6 replies on “5 million Google accounts in the wild: data dump, not a hack”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.