[2014-09-11] 5 Million Gmail Usernames, Passwords Hacked And Posted To Russian B

[cescan]

http://www.ibtimes.com/5-million-gmail-usernames-passwords-hacked-posted-russian-bitcoin-forum-report-1684368

Hackers appear to have dumped nearly 5 million Gmail usernames and passwords to a Russian bitcoin forum. Word first spread of the still-unconfirmed hack when a user posted a link to the log-in credentials in a security-centric corner of Reddit frequented by hackers, professional and aspiring.

The database (which International Business Times will not link to) contains 4.93 million Google accounts belonging to English-, Russian- and Spanish-speaking users. Posts on the Russian-language bitcoin security forum asserted that more than 60 percent of the identities in question were still in use and could be accessed immediately, reported RIA Novosti, a Russian media outlet.

[1714775622]

1714775622

[1714775622]

1714775622

[1714775622]

1714775622

[Somekindabitcoin]

Lemme make sure none of my emails are in there

[Kluge]

Interestingly, they didn't even try accessing them all prior to it being publicly dumped. Reading around, agreement seems to be that the passwords lifted are from another site and isn't really even a Gmail-related hack as we'd normally think of it, but a hack of another site which decided to only publish users with an account tied to Gmail. Wife's account was in there, but the password listed is a reuse password for unimportant junk sites.

Glad I have 2FA all the same.

[Amitabh S]

Lemme make sure none of my emails are in there

where is the database.. even I need to check.

[Kluge]

Lemme make sure none of my emails are in there

where is the database.. even I need to check.

https://isleaked.com/en

[Kakmakr]

I only use online accounts for [spam] stuff. I rather like Thunderbird mobile on USB. [Your email content stays offline and you can take it, where you want]

When your account are hacked, they do not have access to the content. ^laugh^

[bryant.coleman]

Even if the password is hacked, they won't be able to steal the data from gmail accounts. That is because, Gmail asks for additional verification if a log-in is attempted from an IP which is unfamiliar with that particular account. (that is not the case with other mail providers, such as GMX). However, if the hacker is having additional verification details (such as the DOB), then it can get risky. 

[aigeezer]

Lemme make sure none of my emails are in there

where is the database.. even I need to check.

https://isleaked.com/en

Be careful:

"All of the news articles are telling people to go to isleaked.com to check their addresses. However, I don’t think any of the media has vetted this website and could possibly be sending millions of people to a website run by people harvesting email addresses (for spam or other hacking activities.) It’s even possible that isleaked.com is run by the very people who leaked the passwords in the first place. Why do I think this? Because isleaked.com was registered on the 8th, 2 days before the story broke anywhere else."

http://jameswatt.me/2014/09/10/isleaked-com-registered-2-days-before-gmail-leak-public/

Murky situation, I think.
 

[hacknoid]

Lemme make sure none of my emails are in there

where is the database.. even I need to check.

https://isleaked.com/en

Be careful:

"All of the news articles are telling people to go to isleaked.com to check their addresses. However, I don’t think any of the media has vetted this website and could possibly be sending millions of people to a website run by people harvesting email addresses (for spam or other hacking activities.) It’s even possible that isleaked.com is run by the very people who leaked the passwords in the first place. Why do I think this? Because isleaked.com was registered on the 8th, 2 days before the story broke anywhere else."

http://jameswatt.me/2014/09/10/isleaked-com-registered-2-days-before-gmail-leak-public/

Murky situation, I think.
 

Indeed....  (from http://cointelegraph.com/news/112494/nearly-5m-gmail-credentials-leaked-on-russian-bitcoin-security-forum):

Gmail users are advised to avoid entering their username and password into any website claiming to check whether their credentials have been compromised. This method known as the 'honeypot' aims to steal even more identities, and many websites have already started distributing phishing messages. Russian website isleaked.com claims to help people checking if their accounts have been compromised and is already being accused of being run by the very people who leaked the database as its domain name was registered on September 8.

If you are checking for your name in a leaked database, why on earth would you also enter your password?  You can see if your name is there through a legit "service".  Any service that proposes to check whether your password is indeed the one in the database should not be trusted!!

(IOW, avoid isleaked.com!)

[Kluge]

Lemme make sure none of my emails are in there

where is the database.. even I need to check.

https://isleaked.com/en

Be careful:

"All of the news articles are telling people to go to isleaked.com to check their addresses. However, I don’t think any of the media has vetted this website and could possibly be sending millions of people to a website run by people harvesting email addresses (for spam or other hacking activities.) It’s even possible that isleaked.com is run by the very people who leaked the passwords in the first place. Why do I think this? Because isleaked.com was registered on the 8th, 2 days before the story broke anywhere else."

http://jameswatt.me/2014/09/10/isleaked-com-registered-2-days-before-gmail-leak-public/

Murky situation, I think.
 

Indeed....  (from http://cointelegraph.com/news/112494/nearly-5m-gmail-credentials-leaked-on-russian-bitcoin-security-forum):

Gmail users are advised to avoid entering their username and password into any website claiming to check whether their credentials have been compromised. This method known as the 'honeypot' aims to steal even more identities, and many websites have already started distributing phishing messages. Russian website isleaked.com claims to help people checking if their accounts have been compromised and is already being accused of being run by the very people who leaked the database as its domain name was registered on September 8.

If you are checking for your name in a leaked database, why on earth would you also enter your password?  You can see if your name is there through a legit "service".  Any service that proposes to check whether your password is indeed the one in the database should not be trusted!!

(IOW, avoid isleaked.com!)

o.O Isleaked provides the first two characters of the password which was leaked. It doesn't ask for a password.