About 5 million Gmail usernames and passwords have been published on a Russian bitcoin security forum as a text file.
Sixty percent of the 4.93 million credentials in the file were valid, claimed the poster, who used the online handle “tvskit.”
The information was dumped on several Russian cybercrime forums and shared through a variety of peer-to-peer services, warned Peter Kruse, chief technology officer of CSIS Security Group, according to reports.
A website that appeared online Wednesday, isleaked.com, purportedly lets people check whether their email information is included in the file.
The site, which was registered Wednesday to one Egor Buslanov, is tied to a street address and phone number in Paris, France.
Buslanov did not respond to TechNewsWorld’s request for comment.
Google Jumps on the Case
Google issued a stock statement about security of its users being paramount, adding that it had no evidence that its systems were compromised.
“I wouldn’t be surprised to hear that the accounts were breached using some sort of phishing attack targeting Google users,” Christopher Martincavage, senior sales engineer at SilverSky, told TechNewsWorld.
It’s not likely that Google’s servers were breached, given the small size of the database, remarked Philip Lieberman, president of Lieberman Software. “This may have been the result of a data breach from an Android application vendor’s systems.”
Google reportedly has sent notifications to the owners of the email addresses listed in the data dump, a move Martincavage applauded.
A Perfect Storm
This latest breach comes just one day after reports that the Kelihos botnet is targeting iCloud in a bid to steal users’ Apple IDs.
It follows a series of data breaches at other organizations and companies.
“The fact that Target, Home Depot and iCloud have all acknowledged a security breach to some degree recently, and now there’s a report about Gmail, truly creates the perfect storm for consumers to feel that no matter what they do, they just aren’t safe,” remarked Kyle Kennedy, CTO of Stealthbits Technologies.
“When a Gmail or other account such as Facebook or AppleID is linked to multiple services, an account compromise means all related services are compromised for that account,” Lieberman told TechNewsWorld.
People who use apps on their smartphones should realize that their accounts may have been compromised as a result of the breach, he said.
The Service Provider’s Responsibility
Cloud service providers historically have focused on ease of use for consumers, measured by service utilization, Stealthbits’ Kennedy told TechNewsWorld.
However, they should shift their attention from service utilization to service security, he recommended.
“Every cloud provider should offer knowledge-based authentication, 2FA, one-time password usage, and so forth — and move away from the constant passwords they maintain and store within a database that becomes the focus, the desire, the passion, the single driving goal of thousands upon thousands of hackers,” Kennedy maintained.
Consumers “need to rise up and stop the perfect storm from recurring, and demand that their cloud providers, by default, incorporate security technology that’s readily available today,” he urged.
What Users Can Do
Consumers should use throwaway Gmail accounts for one-time purchases and for apps that might be infected, Lieberman recommended.
They also should use multiple email accounts for different purposes, and draw up plans to recover from a compromised account, he said.
Security experts recommend users take advantage of the two-factor authentication (2FA) offered by Google and other service providers.
“Google’s type of 2FA would help their users who are at risk,” Authentify Vice President John Zurawski told TechNewsWorld. “The username and password alone are not enough to access a Gmail account that has 2FA turned on.”
Sure, it’s inconvenient, he acknowledged, but “now that Jennifer Lawrence, Kate Upton and others have become the poster children for hacked cloud storage, more users are beginning to understand that a little more inconvenience … may be [better than] the alternative.”
So much of this pain could be avoided if people would simply practice better “password hygiene.” We all know what we’re supposed to do, but when it was just one-in-a-million being victimized we could afford to be lazy. Not any more. Read here for tips on how to create better passwords: http://bit.ly/1rpVkSv