PSA: 5 million Gmail Username/passwords leaked

[Red Iron Crown]

Apparently an older list of Gmail usernames/passwords has been leaked. Change your passwords, especially if you don't do so regularly.

Edit: You can check if your account is compromised here, be patient as the site is getting hammered. There are questions about the legitimacy of the account checking site, so I have removed the link.

Edited September 11, 2014 by Red Iron Crown
Removed link.

[Kinglet]

I am safe and not leaked.

[Endersmens]

The link takes me to a 502 error. And I'm kinda worried. I started my accound 4-5 years ago.

[Red Iron Crown]

The link takes me to a 502 error. And I'm kinda worried. I started my accound 4-5 years ago.

Probably best to change your password to be on the safe side.

[ZedNova]

Well, crap. Thanks for the heads up Crown!

[Trann]

Not entirely factual: if you signed up for a web site with your gmail account then used the same password at the site that you use for gmail, you'd be at risk.

That said, the passwords on file are apparently old (sometimes by years). This doesn't preclude the fact that it may include current passwords.

A better thread here: http://www.reddit.com/r/technology/comments/2fzrdt/5_million_gmail_usernames_and_passwords_leaked/

Email list without passwords: https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ

Don't plug your userid into any web site. Do the research yourself (ie, check the list).

[Seret]

Cheers for that list Trann.

Your Google account password will be safe if it's unique, but it's probably a good time to switch to two-factor authentication on your Google account if you haven't already. They can't get your password by hacking Google, for the simple reason that Google doesn't know your password. Any passwords they've got are from other sources.

[Red Iron Crown]

That list is great, thanks for posting it. Kinda hard to keep my Gmail userid out of circulation, it is my primary email address.

[Trann]

I try to use my powers for good.

And using your Gmail account to register on a site isn't the problem. It's more about common passwords between systems. Even if your ID was on the list, if you used unique passwords on each host then only one site would be at risk (the one which got hacked).

Personally, I've yet to delve into 2-factor but I do use passphrases and diceware passwords which are fairly robust.

Good luck, all.

[pxi]

And using your Gmail account to register on a site isn't the problem. It's more about common passwords between systems. Even if your ID was on the list, if you used unique passwords on each host then only one site would be at risk (the one which got hacked).

This really is the bit to take from all of this.

Now as to things like this:

Edit: You can check if your account is compromised here, be patient as the site is getting hammered.

You know what I find funny about this? The world and their wife is busy feeding their gmail addresses to a site they know nothing about. I'll leave it to you to ponder what benefit there is to amassing a list like that.

[Red Iron Crown]

You know what I find funny about this? The world and their wife is busy feeding their gmail addresses to a site they know nothing about. I'll leave it to you to ponder what benefit there is to amassing a list like that.

Email addresses are not private in any way. I truly do not care who has it, I've used the same one for over a decade and it is likely in every spammer's database already. Trying to keep your email address hidden is attempting security through obscurity.

[pxi]

Email addresses are not private in any way. I truly do not care who has it, I've used the same one for over a decade and it is likely in every spammer's database already. Trying to keep your email address hidden is attempting security through obscurity.

Security through obscurity it may be, but here's the thing, I'm not doing the spammers work for them.

The pragmatic thing to do in a situation like this, is change your password. Don't go asking some random form on the internet if you have to do it, just go and do it. Deride that all you want.

[Red Iron Crown]

Security through obscurity it may be, but here's the thing, I'm not doing the spammers work for them.

The pragmatic thing to do in a situation like this, is change your password. Don't go asking some random form on the internet if you have to do it, just go and do it. Deride that all you want.

Not deriding, sorry if it came off as such. I agree, the sensible thing to do it to change passwords.

[Kinglet]

I also fell for the isleaked.com scam. Thanks, red iron crown. You could have warned us about the shadiness. Plus, the IP of the site was registered 2 days before the mail "leak".

[montyben101]

I also fell for the isleaked.com scam. Thanks, red iron crown. You could have warned us about the shadiness. Plus, the IP of the site was registered 2 days before the mail "leak".

Err what do you mean?

[AngusJimiKeith]

Err what do you mean?

Some believe that the isleaked website is actually the guy/guys who leaked the addresses in the first place, or at least knew about the leak before it went public, since the site was registered before the gmail leak. A really quick fact check discounts that, because the site was created to check emails affected by earlier leaks of Russian-only email services. They then translated the site and added gmail support when that leak hit.

Of course, that doesn't eliminate the chance that the website is a scam. Considering that the list of leaked emails (stripped of passwords) is available as a big text file, it's trivial to just download and search that file instead. Or just change your password anyway.

[Red Iron Crown]

I also fell for the isleaked.com scam. Thanks, red iron crown. You could have warned us about the shadiness. Plus, the IP of the site was registered 2 days before the mail "leak".

I was unaware of any shadiness, not even sure if it is shady now. Sorry if you feel I misled you somehow.

[pxi]

Not deriding, sorry if it came off as such. I agree, the sensible thing to do it to change passwords.

Heh, nobody's mortally wounded here. I also should point out that I quoted you intending to reference the subject of the website in question. However, it really does look like I was addressing my subsequent comments to you in particular, which honestly was not the case. I really should have been more clear in my first post. So likewise, apologies for that.