Apparently millions of Gmail passwords were leaked today.
According to the International Business Times, over 5 million Gmail usernames and passwords were purportedly leaked this morning. Most of the leaked accounts are active, but the leak mainly affected Russian users. Google is currently investigating the veracity of the claims.
The fiasco started when someone by the name of mstrokin posted a link on Reddit to a Bitcoin Security forum (which appears to be offline at the moment) that published a database containing about 4.93 million Google accounts.
In light of the news (even if it’s just a rumor) there are at least four actions you need to take to secure your account:
- Scan the leaked database for your account
- Change your Gmail password
- Check your Google Account activity
- Sign out all other sessions
1. Scan the database for your account
The 100MB text file (36.3 MB compressed) is colossal and therefore takes a while to open. After double-clicking google_5000000.txt it took me 8 solid minutes before Notepad became responsive again.
Once the file loads, press Ctrl + F and enter your Google account address to see if it's in the list.
I’ve noticed a preponderance of “is my account leaked?” websites popping up in light of the news but I question their authenticity. How do I know these sites aren’t collecting my Gmail account for some illicit purpose? This is part of the reason why I suggest downloading the text file and searching for your email address.
Note: the text file doesn't list passwords or hashes, just the Gmail accounts that were allegedly hacked.
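An added example (not from the original post) that does the same search without loading the whole file into an editor: it streams the dump line by line and normalises Gmail addresses (case, dots, "+tags", the googlemail.com alias) so an alias of your address is still caught. The file path and the sample lines are assumptions, not real leaked data.

```python
import re
from typing import Iterable, Iterator, Set

def normalize_gmail(address: str) -> str:
    """Canonicalise a Gmail address so aliases of one mailbox compare equal.

    Gmail ignores case and dots in the local part, drops any "+tag" suffix,
    and treats googlemail.com as an alias of gmail.com.
    """
    address = address.strip().lower()
    if "@" not in address:
        return address
    local, domain = address.rsplit("@", 1)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def addresses_in_line(line: str) -> Iterator[str]:
    # Pull every address out of the line, whatever else the line carries
    for match in EMAIL_RE.finditer(line):
        yield normalize_gmail(match.group(0))

def find_accounts(lines: Iterable[str], mine: Iterable[str]) -> Set[str]:
    """Return the normalised addresses from `mine` that appear in `lines`."""
    wanted = {normalize_gmail(a) for a in mine}
    found: Set[str] = set()
    for line in lines:
        for addr in addresses_in_line(line):
            if addr in wanted:
                found.add(addr)
                if found == wanted:  # stop early once every address is seen
                    return found
    return found

def scan_dump(path: str, mine: Iterable[str]) -> Set[str]:
    # Stream the file; nothing close to 100 MB is ever held in memory at once
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_accounts(fh, mine)

# Constructed sample lines standing in for the dump (assumption, not real data)
SAMPLE_DUMP = [
    "john.doe@gmail.com",
    "Jane_Smith@googlemail.com",
    "someone@example.org",
]

if __name__ == "__main__":
    hits = find_accounts(SAMPLE_DUMP, ["JohnDoe+news@gmail.com", "nobody@gmail.com"])
    print(hits)  # {'johndoe@gmail.com'}
```

Nothing leaves your machine: the search runs locally, which is the point made above about not typing your address into an unknown "is my account leaked?" site.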
Regardless of whether or not your account is on the list, I still think it’s prudent to change your Gmail password.
2. Change your Gmail password
Remember your Gmail password is the key to not only Gmail but also all Google properties. So if someone stole your Gmail password he or she would have access to your Google Drive and Google+ accounts too.
To change your Google password, go to your Google Security dashboard and click the Change Password link in the left pane.
After entering your old password, create a new strong password. This simple action annuls your old password and keeps the bad guys out.
I would also suggest enabling two-factor authentication. I've been using it for months and love the extra peace of mind. Two-factor authentication means that even if you gave someone your Google password, they still couldn't access your account without your cell phone.
In other words, you need two things for access: your password and something you have, such as a cell phone. You should read more about two-factor authentication on Google's website.
3. Check your Google account activity
This is more of a sanity check than anything else, but it's good to know.
Open your Google account activity and pay attention to the activity list in the left pane.
There should be no surprises here.
The account history shows not only the date your account was accessed but also:
- Whether it was from a PC or mobile phone and
- The approximate location based on the IP address.
4. Sign out superfluous sessions
The last thing you should do is sign out all other Google sessions. If you forgot to sign out of Gmail from another computer, such as a PC in the library, hotel lobby, or airport lounge, you can kill those sessions with a single click.
Go to your Gmail account and in the bottom right corner of the browser click the little link called Details. You might have to scroll all the way down to see it.
Scroll through the list for a few moments to observe your recent activity and then click Sign out all other sessions to kill any extant connections to your Google account.
The Bottom Line
Given the news orbiting the Gmail breach, I think the intelligent thing to do is fourfold:
Scan the leaked database for your account. Then, even if your account isn’t in the list, you should change your password, look at your Google activity and nuke any open sessions to your account.
I hope this helps you stay safe. Oh and as always, feel free to share your thoughts in the comments below.
I’ve just learned that Google responded to the leak with a post on the same day. You should read its official response here: http://googleonlinesecurity.blogspot.com.es/2014/09/cleaning-up-after-password-dumps.html