5 Million Google Passwords Leaked
Account names and passwords for 5 million Gmail accounts were leaked to Russian forums. A 50MB zip file containing the account names and clear-text passwords has appeared on various sites. Google released a statement that plays down (but does not eliminate) the potential danger. The statement says the users on the list have already been notified to change their passwords, and that "only around 2%" of the name/password combinations were still working.
Google says the leak is not due to any security breach within Gmail and that the credentials were obtained from other sources. The exact meaning of this disclaimer is not clear, but it is possible that users were enticed to give up their Gmail passwords through a trojan or phishing scheme. Other passwords might have been obtained through attacks on third-party sites that (for whatever reason) stored the user's Gmail password or, possibly, where the user's password exactly matched the Gmail password.
One question that Google did not address (and probably cannot answer) is whether other password lists exist today that are still undiscovered. The best advice for staying off such a list is the same as always for password hacks. According to Google, "Make sure you're using a strong password unique to Google. Update your recovery options so we can reach you by phone or email if you get locked out of your account. And consider 2-step verification, which adds an extra layer of security to your account." Google's press release points to a website where users can go to update contact and security information.