Hackers post millions of stolen Gmail passwords on Russian site
Millions of Gmail usernames and passwords have apparently been posted online by hackers -- although it's not clear how many are current.
A user named tvskit posted a list on a Russian bitcoin web forum with 5 million Gmail username and password pairs, as first reported by a Russian technology news site, cnews.ru.
"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' -- the posting of lists of usernames and passwords on the web," Google, which runs Gmail, explained in a blog post. "This week, we identified several lists claiming to contain Google and other Internet providers' credentials."
Google told CBS News in an email, "The security of our users' information is a top priority for us. We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts."
The company says it believes only about 2 percent of the passwords posted would have worked.
At least some users on the social media site reddit who found their usernames on the list of leaks agreed. One reddit user, rat, wrote: "This is not a Google leak but a collection of Gmail addresses with passwords from elsewhere. Based on the password hinted, I would wager this is from the Gawker leak way back when." Another user, alexander_b, wrote, "What has happened here is that crackers have aggregated passwords from other websites than Google. So if you're one of those who use the same password everywhere, you need to change your passwords right now."
Similar lists of usernames and passwords for Russian email sites were posted over the last few days, compromising a total of 6 million Mail.ru and Yandex accounts.
Google once again warned people not to reuse the same username and password across different websites; if one of them gets hacked, your credentials could be used to log into the others.
Users are advised to change their passwords and select a complex combination of letters, numbers and symbols to be as secure as possible. Even better, use two-step verification. Numerous web services, including Gmail, offer this option, which involves the company sending a code by text message to your phone if you try to log in from an unfamiliar device. You'll need to enter the code to gain access, to prevent hackers from getting in with a stolen password alone. Turn on this feature in Gmail by going to your account's security settings.