5 million Gmail passwords leaked; SG cybersecurity team issues advisory

5 million Gmail passwords leaked; SG cybersecurity team issues advisory

SINGAPORE - Five million Gmail accounts and their passwords were posted on a Russian Bitcoin forum on Tuesday, prompting the Singapore government's cyber security team to issue an advisory.

The Singapore Computer Emergency Response Team (SingCert), a unit of the Infocomm Development Authority, said on Thursday afternoon that Google has reset the affected accounts, and advised affected users to change their passwords immediately.

The breach started gaining attention from the Russian media on Wednesday, and the news was subsequently posted on Reddit, an entertainment, social networking service and news website.

According to tech website Mashable, many of the compromised passwords are old, and the account details were taken from websites where the affected Gmail addresses were used for registration.

The report added that there is no cause for concern if one's Gmail account password is unique - that is, not used for other websites or accounts.

One Reddit user nicknamed 'InternetOfficer' said that while his password was on the list, it is not his Gmail account password, but one used for other services.

"This proves that the hackers hacked into some other service where gmail address[es] are used and got the password of that service not gmail password."

Another Reddit user, 'tremens', added: " [The list] claims my email address and login is leaked, but the password it shows (or at least the first two characters) is NOT from a password I've ever used on Gmail, but it does match a password I've used on bull**** I absolutely don't care about."

Google said in a blog post on Wednesday that only two per cent of the username and password combinations might have worked, and that its "automated anti-hijacking systems would have blocked many of those login attempts."

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google stressed.

"Often, these credentials are obtained through a combination of other sources."

SingCert recommended in its advisory that users should set up recovery options and enable 2-factor authentication for their Google account.

There are a few online resources users can use to check if their accounts are affected, such as isleaked and haveibeenpwned.


More about

Purchase this article for republication.



Your daily good stuff - AsiaOne stories delivered straight to your inbox
By signing up, you agree to our Privacy policy and Terms and Conditions.