NEW YORK (MainStreet) — Nearly 5 million Google user names and passwords were posted on a Russian Bitcoin forum this week. Though the passwords have since been removed, the information could have been public long enough to allow hackers access to Gmail and other services using a Google login.
Other email systems have also suffered public user data leaks on Russian Internet services, though some of the data has been reported as outdated.
Google is not admitting a recent hack, and reports claim that the posted login information had been gathered over years from phishing exploits. The security issue will most likely affect users who have kept the same password for extended periods of time – and those who use the same login information on multiple systems.
Several media outlets that reported the leak directed readers to isleaked.com, a purported email breach verification system. Blogger James Watt claims the site may in fact be a “honey pot” – a hacker trap to gather personal login information from unknowing users.
“All of the news articles are telling people to go to isleaked.com to check their addresses,” Watt wrote on his blog. “However, I don’t think any of the media has vetted this website and could possibly be sending millions of people to a website run by people harvesting email addresses for spam or other hacking activities. It’s even possible that isleaked.com is run by the very people who leaked the passwords in the first place. Why do I think this? Because isleaked.com was registered on the 8th, 2 days before the story broke anywhere else.”
Rather than trust an online tool to determine whether your account information was posted in the Russian leak, you can simply try to log in to your Google account as usual. If your account was on the list, Google will redirect your login to a password reset system so that you can regain access to your account.
With ongoing concerns from frequent private data hacks, security experts are advising consumers to abide by these precautions:
1. Never use the same password on multiple sites.
2. Use complicated passwords. Security expert Bruce Schneier recommends converting a memorable phrase into a password: “This little piggy went to market” might become “tlpWENT2m” or “Long time ago in a galaxy not far away at all” becomes “Ltime@go-inag~faaa!”
3. Use two-factor authentication. Google offers two-step verification, as do many other services. It’s simpler than it sounds: You enter a regular password as usual, and then a verification code will be sent by text, voice call or via a mobile app. If you use the same computer, you’ll only have to do this once. You or anyone else using another computer and trying to access your account will have to enter another verification code.
--Written by Hal M. Bundrick for MainStreet