There's no need to panic about the nearly five million compromised Gmail passwords that appeared in a Russian Bitcoin security forum this week, according to Google.
Fewer than 2% of the compromised username and password combinations work, Google's spam and abuse team said in a blog post late yesterday. They also say Gmail's automated anti-hijacking systems would block many potential login attempts.
"We've protected the affected accounts and have required those users to reset their passwords," team members wrote in the blog post. "One of the unfortunate realities of the Internet today is a phenomenon known in security circles as "credential dumps" -- the posting of lists of usernames and passwords on the Web. We're always monitoring for these dumps so we can respond quickly to protect our users."
Gmail is Google's free, cloud-based email service that is integrated with Google Docs.
Google responded this week to reports that hackers had gained access to the credentials of five million Gmail users. User name and password combinations appeared on Russian cybercrime forums.
Peter Kruse, head of the eCrime unit at CSIS Security Group in Copenhagen, said Wednesday that most of the nearly five million stolen Gmail passwords are about three years old, though many are still legitimate and functioning.
He said CSIS experts suspect several hackers worked together, possibly using an endpoint compromise.
Google was quick to note that its systems had not been hacked.
"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google's spam and abuse team wrote. "Often, these credentials are obtained through a combination of other sources."
John Shier, a senior security advisor with U.K.-based security company, Sophos, said some Gmail users have reported that their usernames and passwords were part of the dump, lending credence to claim that these are legitimate Gmail credentials. He, too, doubts followed a hack into Google's systems.
Instead, the compromise likely stems from people being lax in their use of unique, strong passwords.
"Let's say, you want to create a new account on Reddit," he explained. "It will ask you for a user name and very often that user name is your email address. And then you use the same password. Very often people use their Gmail address as their user name for a variety of different sites -- just to identify themselves."
Google's team has the same theory.
"If you reuse the same username and password across Websites, and one of those Websites gets hacked, your credentials could be used to log into the others," they noted. "Or attackers can use malware or phishing schemes to capture login credentials."
Shier pointed out that if hackers get usernames and passwords that people use on multiple sites, they could gain access to various aspects of a user's life. "If you use the same password for Facebook and your banking account, that could just lead to trouble," he said. "They could lock you out of your own account or they could steal your identity."
What should Gmail users do now?
Security experts generally agree that this would be a good time for users to change Gmail passwords and to use strong passwords (that means upper and lower case letters, numbers and punctuation marks). And don't use the same passwords for every Website and application. Two-step authentication, if it's an option, also adds an extra layer of security.
Google also advised people to update their recovery options so the company can reach them by phone or email if they're locked out of their accounts. Gmail users can go to this page for a list of Google's security controls.
"Don't panic," said Shier. "If you change your passwords and make sure your passwords are complex and you don't reuse them, you should be in good shape."