ifg 發表於 2014-9-11 10:55:16

5 million Gmail addresses and passwords dumped online

Lucian Constantin
Sep 10, 2014 9:11 AM, PC World

An archive containing nearly 5 million Gmail addresses and plain text passwords was posted Tuesday on an online forum, but the data is old and likely sourced from multiple data breaches according to one security firm.

A user with the online alias “tvskit” posted the archive file on a Bitcoin security forum called btcsec.com and claimed that over 60 percent of credentials found inside are valid.

“We can’t confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate,” said Peter Kruse, the chief technology officer of CSIS Security Group, a Danish security company that provides cybercrime intelligence to financial institutions and law enforcement.

CSIS researchers analyzed the data and concluded that it is up to 3 years old based on correlations with past leaks.

“We believe the data doesn’t originate from Google directly,” Kruse said via email. “Instead it’s likely it comes from various sources that have been compromised.”

This means that many of the leaked passwords do not correspond to Gmail or Google accounts, but to accounts on other sites where users have used their Gmail addresses as the user name.

CSIS has confirmation that at least five of the leaked user name and password pairs were never used as log-in credentials for Gmail or Google accounts. This enforces the idea that the data comes from compromises outside Google, though it’s possible that they were all perpetrated by a single individual or group, Kruse said.

“The security of our users is of paramount importance to us,” a Google representative said Wednesday via email. “We have no evidence that our systems have been compromised, but whenever we become aware that an account has been compromised, we take steps to help our users secure their accounts.”

Even if many of the leaked credentials turn out not to be from Google, affected users might still want to change their passwords on websites where they used their Gmail address as the user name. A website called isleaked.com allows users to check if their email address is among those leaked.

ifg 發表於 2014-9-11 11:14:49

By Patrick Howell O'Neill   on September 10, 2014

Nearly 5 million usernames and passwords appear to have been published on a Russian Bitcoin forum.
Much of the information is old and potentially out-of-date, Google representatives told Russian media, so the so-called “leak” may be more accurately described as a collection of phished and hacked credentials collected over years. In fact, many of the accounts have long been suspended or are matched with very old passwords.
The database of usernames and passwords, which was first reported by CNews, was posted on Tuesday evening to btcsec.com, a Russian-language Bitcoin security forum. The publisher, named tvskit, posted the following screenshot of the database, claiming that over 60 percent of the passwords were valid and working:http://cdn0.dailydot.com/originals/svyCoIx.jpg

The file contains information on English-, Russian-, and Spanish-speaking users of Google services, such as Gmail and Google Plus. In addition to Google, the leak includes thousands of user credentials for Yandex, the largest search engine in Russia.
Google and Yandex representatives told CNews that while the credentials were stolen through years of phishing and hacking against individuals, their own systems were never compromised.
To protect yourself, change your password and enabletwo-factor authenticationon Google and all your important Internet accounts.
Russia’s Bitcoin Security forum has been the scene of several major leaks over the past several days. On Tuesday, 4.66 million Mail.ru accounts were exposed. Monday, usernames and passwords from 1.26 million other Yandex accounts were published in a text file.
If you want to find out if your account is included in the leak, you can head to https://isleaked.com/en.php and input your address.H/T Russia Today | Illustration by Jason Reed

頁: [1]
查看完整版本: 5 million Gmail addresses and passwords dumped online