Details are emerging of a very recent large-scale leak of Gmail account credentials, centring on Google’s flagship email service. Google’s official word on the subject can be read here.
The credentials were posted to a Russian Bitcoin mining forum earlier this week. It is understood that the list of compromised accounts has been in circulation since at least September 8th; the date of the compromise itself is thought to be around this time but is not precisely known.
Current estimates indicate that around 5 million Gmail credentials are involved in the current leak, although what proportion of them are currently active is unclear; Google themselves estimate that only 2% of the leaked credentials are still valid. What is clear is that at least some Gmail users will need to change their passwords as soon as possible, and there is currently no way for an individual to know which credentials are ‘live’ and which are not.
What can I do?
OxCERT currently advises all users of Google services, including Android Market Services and Chromecast devices, to review their passwords and to take this opportunity to update them. Regular password updates are always good practice, and this incident is sound motivation to set a new and strong password on your Google accounts.
Users concerned about their Gmail security can visit a webpage run by security researcher Troy Hunt, which (securely) checks your email address against this leak and many other data breaches of major service providers in recent years. The colourfully-titled ‘Have I Been Pwned?’ can be accessed from this link. The service checks your email address against the lists of compromised accounts and can indicate whether you are at greater risk. Users are advised that these lists are not perfectly accurate: an address that is absent has not necessarily escaped compromise.
A very important concern is that, for the sake of convenience, many users like to use the same password for many different services, for example Facebook, Gmail, and University email.
If you have also used your current Gmail password for your University SSO credentials, OxCERT strongly advises you to update your University credentials to a unique password as soon as possible.
Sharing passwords across accounts is generally ill-advised, and this incident highlights how easily a breach at a third party could lead to a further compromise of your University email account and of any other systems to which you have been entrusted access.