News has broken that five million Gmail addresses and passwords have been posted to a Russian Bitcoin forum. However, Google has stated that the leak is not the result of a security breach, but rather the work of a long phishing campaign against internet users. In fact, most of the passwords have long been changed and accounts suspended.
Those who have looked through the text document noted that it did not only contain Gmail credentials, but also login information for Yandex and a single Yahoo address. The variety of passwords and email addresses lends credence to Google’s claim that there has been no leak, although many news sites reporting on the issue have advised users to change their passwords as a precaution.
Security experts also point out that not all of the passwords and email addresses are for Gmail. Some are credentials for other websites that require users to sign up with an email address; this still endangers anyone who uses the same password for every account. The advice is to give every account its own password, so that a breach at one site does not expose the others, and to enable two-step verification on sites that offer it.
One more issue that has arisen from the revelation concerns the website that has become the default place for users to check whether their accounts are on the list. While many news portals have been linking to IsLeaked.com, none of them questioned who was behind the website. Blogger James Watt did some digging and discovered that the site was created two days before the leak. It has not been confirmed that the IsLeaked website is another elaborate phishing scheme, but in this case it would be prudent to err on the side of caution.
Update: Google has posted an update on the matter on its Online Security Blog. According to Google, less than 2% of the username and password combinations would have worked, and the company has alerted those whose accounts may be compromised and required them to reset their passwords.