After Gmail usernames and passwords for nearly five million accounts were leaked online, Google quickly moved to calm user concerns and confirmed that the majority of the credentials wouldn't be very useful to those aiming to hijack accounts with the information.
On Wednesday, a forum member on Bitcoin Security posted the credentials, stirring up a frenzy. But later that day, Google's Spam and Abuse Team took to a company blog to address the credential dump.
Google said that this week it had “identified several lists claiming to contain Google and other internet providers' credentials.” After looking into the incident, however, the company found that less than 2 percent of the exposed username and password combinations “might have worked” for attackers.
Furthermore, its “automated anti-hijacking systems,” which include two-step verification to secure user accounts, would have thwarted many of the fraudulent login attempts, Google explained.
As a safeguard, the company still required users of the affected accounts to reset their passwords. But it appeared that most of the posted passwords were either old or not paired with their corresponding Gmail addresses, various news reports revealed.
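The triage Google describes, checking a posted credential list against its own accounts to find the small fraction that still works and then forcing resets, can be illustrated with a short script. The following is an added example, not Google's code or anything from the original report; the account store, the salted-hash scheme (a stand-in for a slow password hash such as Argon2 or bcrypt) and the sample dump are all constructed for illustration.

```python
"""Triage a leaked credential list against a local account store.

Added example (not Google's code): the store, hash scheme and sample data are
constructed for illustration only.
"""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256; a stand-in for a slow password hash such as Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_store(accounts):
    """Build {username: (salt, digest)} from plaintext pairs (setup only)."""
    store = {}
    for user, password in accounts:
        salt = secrets.token_bytes(16)
        store[user] = (salt, hash_password(password, salt))
    return store


# Constructed account store standing in for the provider's user database.
ACCOUNT_STORE = build_store([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
])

# Constructed "leaked list" in the same username/password shape as a dump.
LEAKED_DUMP = [
    ("alice@example.com", "correct horse battery staple"),  # still current: live risk
    ("bob@example.com", "oldpassword123"),                  # stale: no longer works here
    ("dave@example.com", "whatever"),                       # no such account
    ("carol@example.com", "Tr0ub4dor&3"),                   # still current: live risk
]


def triage_dump(store, dump):
    """Classify each leaked pair as matched (would work), stale, or unknown user."""
    matched, stale, unknown = [], [], []
    for user, password in dump:
        entry = store.get(user)
        if entry is None:
            unknown.append(user)
            continue
        salt, digest = entry
        # Constant-time comparison so timing does not leak which guesses were close.
        if hmac.compare_digest(hash_password(password, salt), digest):
            matched.append(user)
        else:
            stale.append(user)
    return {"matched": matched, "stale": stale, "unknown": unknown}


def usable_fraction(report):
    """Share of the dump that would actually work, the figure Google reported."""
    total = sum(len(v) for v in report.values())
    return len(report["matched"]) / total if total else 0.0


def reset_targets(report):
    """Accounts to force a password reset on and prompt toward two-step verification.

    Stale entries are included as well: a leaked old password still tells an
    attacker something about the user's habits and may be reused elsewhere.
    """
    return sorted(set(report["matched"]) | set(report["stale"]))


if __name__ == "__main__":
    report = triage_dump(ACCOUNT_STORE, LEAKED_DUMP)
    print(report)
    print(f"usable: {usable_fraction(report):.0%}")
    print("force reset:", reset_targets(report))
```

Running this against a real dump of millions of entries with a deliberately slow password hash is expensive by design; that cost is the same property that makes the hashes resistant to offline guessing, so the check is typically batched and rate-limited rather than skipped.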
“It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” the blog post said. “Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials,” Google said.
As a standard security precaution, Google advised users to implement strong passwords for their accounts, and to upgrade to two-step verification as well as update their contact information used for Gmail account recovery, like phone numbers or secondary email addresses.