No, Gmail was not cracked! Don't believe bogus blogs

Do you trust every word you read on the Web?

gmail hacked

Do you trust every word you read on the Web? Worrying reports out of Russia apparently claim that Gmail was hacked and your login details were stolen. Or, at least, that's the breathless interpretation of countless bloggers and churnalists. The thing is, it's plainly not true.

In today's IT Blogwatch, your humble blogwatcher despairs at the state of Web reportage.

Владислав Мещеряков (Vladislav Mescheryakov) is lost in translation:

A Web database published 5 million usernames and passwords from Gmail accounts.

Gmail mailbox names and passwords can be used to access not only email, but all Google services.  

Emil Protalinski was one of the first to jump on the news, with this relatively sober take:

Approximately 4.93 million Gmail usernames and passwords were published to a Russian Bitcoin forum. ... The good news is that this leak doesn’t seem as massive upon further inspection.

Google...does not believe this is the result of any sort of security breach. ... It seems to combine older lists accumulated over a longer period of time. There could thus be a link to hacks of sites unrelated to...Google’s services, especially if users are choosing the same usernames and passwords for other accounts.  

Oh, OK. So no news here then. Except the Web then erupted in breathless churnalism, such as this from Jeff Stone:

Hackers appear to have dumped nearly 5 million Gmail usernames and passwords. ... A user posted a link to the log-in credentials in a security-centric corner of Reddit frequented by hackers.

Hackers from Russia and Eastern Europe have been suspected in a number of recent high-profile security lapses, including the Target theft. ... This update comes just days after 4.6 million Mail.ru accounts and 1.25 million Yandex email inboxes were illegally accessed [and] uploaded to the same Russian bitcoin forum.  

...and this from Kevin Parrish:

Google patrons are now urged to change their password. ... Google customers may not be at risk if they’ve recently changed their password. [It's] alarming given that many Web surfers don’t update their login credentials on a regular basis.

There’s speculation that the stolen 5 million credentials are only the tip of the proverbial iceberg. ... There’s also a possibility that the current dump was sold by hackers [to] the data-hungry cybercriminal community.  

Thankfully, there are clearer heads around, such as Robert Lemos's:

[It] is likely a collection of credentials from different sources, not from a breach of the company's systems, Google stated [and] that only 2 percent of the credentials would have worked.

Passwords leaked from other websites or stolen through phishing can often be collected into large credential databases. "If you reuse [credentials] across websites, and one of those websites gets hacked, your credentials could be used to log into the others," Google's spam and abuse team said.  

Meanwhile, Tony Zito, finding his email address in the trove, casts even more doubt on the original story:

Mine is not even a password ever used on Google. ... Supports their claim it's not due to a Google breach.  MORE

Update: Here's word from the horse's mouths, Google's Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher:

We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google...credentials.

Our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts. ... The leaked usernames and passwords were not the result of a breach of Google systems. ... Make sure you’re using a strong password unique to Google. Update your recovery options so we can reach you...if you get locked out of your account. And consider 2-step verification.  


Copyright © 2014 IDG Communications, Inc.

Shop Tech Products at Amazon