Gmail addresses, website passwords leaked online

A list of almost five million Gmail addresses andpasswords culled from various websites was posted on a Russianonline forum Tuesday.

Mashable and other technology news websites reportedthat the leaked passwords are not necessarily those used to accessGmail accounts but seem to have been compiled from other websites, including some where Gmail addresses were used to register.

• 7 ways to make passwords stronger
• Password hack nets 2 million Facebook, Twitter users

Several internet security experts who examined the leaked list, which was posted as a text file to theRussian online forum BitcoinSecurity, reported on Twitter that the passwords appear to be several years old.

Danish cybercrime specialist Peter Kruseof the CSISSecurityGrouptweeted that the leak "likely originates from various sources" and that most of the leaked passwords are more than threeyears old.

We've protected the affected accounts and have required those users to reset their passwords.- Google Online Security Blog

Google, which operates the Gmail email service, said in a post on its OnlineSecurity Blog that less than two per cent of the username and password combinations posted online "might have worked."

"Ourautomated anti-hijacking systemswould have blocked many of those login attempts."the post said.

"We've protected the affected accounts and have required those users to reset their passwords."

Google said the leak was one of several so-calledcredential dumps the posting of lists of usernames and passwords online that the company spotted this week.

The leak was first publicized in Russian online forums and media, including the popular technology website CNews, early Wednesday and then on aReddit discussion forum.

Not asecurity breach, says Google

The leak does not appear to have been the result of a Gmailsecurity vulnerability, and not all of the leaked email addresses were Gmail addresses although the bulk were.

"It's important to note that in this case and in others, the leakedusernamesand passwords were not the result of a breach of Google systems," Google said in its blog post. "Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the sameusernameand password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can usemalwareorphishingschemes to capturelogincredentials."

Software specialist Troy Hunttweeted that about 123,000 of the approximately4.78million leakedaddresses were part of the Russian email serviceYandex. Addresses from the Russian-based service Mail.ru also appeared on the list.

Yandex and Mail.ru were hit by a separatehack earlier in the week that leaked millions of user addresses, the Russian news network RT reported.

Hunt runs the websiteHave I been pwned? which allows user to verify whether their data has been compromised through a breachand was in the process of importing the leaked list Wednesday afternoon in orderto make the datasearchable.

Those worried about the leak can also use the Russian siteIs Leaked?to verify whether their Gmailaddresses areon the list.

Several security experts said Tuesday's leak was areminder to internet users to use a two-step verification system when signing into Google services, change passwords frequently and not use the same password across websites and services.

The technology website The Daily Dot reported that Google and Yandex told CNews that the leak was likely the result of years of phishing and hacking efforts butthat those did not compromisethe companies'databases.