Up to 5 million passwords for Gmail accounts were posted on a Russian Bitcoin forum on Wednesday. As security incidents go, the password dump is a non-event, as the list seems to be a compilation of previous breaches over the past years and not a fresh data dump.
Most of the passwords were more than three years old, Peter Kruse, a partner and eCrime specialist at Denmark’s CSIS Security Group, said on Twitter.
Even so, this dump is “still a useful reminder” to keep separate things separate, said Mike Lloyd, CTO of Red Seal Networks. It is tempting to use the same password in multiple places, but attackers will take advantage of that.
Even if these passwords are stale and out-of-date for Gmail, the same passwords may still be in use on other accounts, security experts warned. Password reuse, despite recent breaches and dire warnings, is still rampant.
Hackers will test the stolen credentials on websites where valuable information can be gleaned, like those of banks and other email service providers, predicted Ryan Wilk, director of customer success at NuData Security.
Google said only 1 percent to 2 percent of the passwords were actually still in use, and those accounts have been secured. There are a number of sites available which can be used to look up whether an email address is in the list. Troy Hunt, the security researcher behind HaveIBeenPwned.com, said on Twitter there was about 18 percent overlap between this list and those from other breaches in his database.
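The two practical questions raised above, whether a password appears in a dump and whether it is reused across accounts, can be answered without handing the password itself to a lookup service. The following Python is an added illustration, not code from the article or from any of the services it names: it models a hash-prefix (k-anonymity) lookup of the kind later adopted by HaveIBeenPwned's Pwned Passwords service, with both the "server" and the "client" side in one file. The leaked list and the user's accounts are constructed sample data, and all function names are this example's own.

```python
import hashlib
from collections import defaultdict

# Constructed sample dump (hypothetical; not the list discussed in the article).
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty2011", "Summer2014!"]

# Constructed set of one user's accounts, to demonstrate reuse detection.
USER_ACCOUNTS = {
    "gmail": "letmein",
    "bank": "letmein",
    "forum": "qwerty2011",
    "work": "correct horse battery staple",
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; hashing happens on the client only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Server side: bucket leaked hashes by their first five hex characters."""
    index = defaultdict(list)
    for pw in leaked:
        digest = sha1_hex(pw)
        index[digest[:5]].append(digest[5:])
    return index


def range_query(index, prefix):
    """Server side: answer a prefix query with every suffix in that bucket.

    The server only ever learns the 5-character prefix (20 bits), so it
    cannot tell which password, or even which full hash, the client holds.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return sorted(index.get(prefix.upper(), []))


def password_is_leaked(password, index):
    """Client side: send only the prefix, compare the returned suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(index, prefix)


def reused_and_leaked(accounts, index):
    """Report every account whose password is leaked, grouped so reuse is visible.

    Returns a dict mapping each leaked password's SHA-1 hex digest to the sorted
    list of account names that use it; a list longer than one is password reuse.
    """
    hits = defaultdict(list)
    for site, pw in accounts.items():
        if password_is_leaked(pw, index):
            hits[sha1_hex(pw)].append(site)
    return {digest: sorted(sites) for digest, sites in hits.items()}


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for digest, sites in reused_and_leaked(USER_ACCOUNTS, idx).items():
        print(f"{digest[:5]}... is leaked and used on: {', '.join(sites)}")
```

The point of the prefix query is that the lookup service never receives the password or its full hash, so checking a credential against a dump does not itself leak the credential; with the sample data, the check flags "letmein" as both leaked and shared between the gmail and bank accounts, which is exactly the reuse the experts quoted above warn about.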
It’s also not known whether this dump is related to the list of 1 billion usernames/passwords stolen by a Russian cybercrime group.
While it’s important to have strong, unique passwords, it is just as important to use two-factor authentication wherever possible, especially for high-value accounts such as email and financial accounts. Google offers two-factor authentication, and users should enable the feature so that a leaked password alone is not enough for an attacker to log in.
“If we object to the inconvenience, then bad guys will align their attacks to match our laziness,” Lloyd said.