Hacker Publishes 5 Million Gmail Addresses, Passwords

On September 9, 2014, a user named tvskit published a link to 4,929,090 Gmail addresses and passwords on the Russian Bitcoin Security forum.

In his post, tvskit claimed that at least 60 percent of the passwords were still valid.

The following day, however, Google published a blog post stating that less than 2 percent of the username and password combinations would have worked for Gmail, and that even in those cases, Google Security would have likely blocked malicious login attempts.

The company added that the leaked user names and passwords were not the result of a breach of Google’s systems. “Often, these credentials are obtained through a combination of other sources,” Google stated. “For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.”

Google has reset the passwords for all affected accounts, and advises all users to use a strong password unique to Google, update their recovery options, and consider enabling two-step verification.

Malwarebytes Labs malware intelligence analyst Christopher Boyd said by email that Google’s advice regarding account security is worth following whenever possible. “Many service providers deploy automated hijack detection systems, but these aren’t foolproof and we need to do everything we can to ensure we’re working with these systems and not against them,” he said. “Knowing the telltale signs of a phishing page and locking down our accounts as best we can is a good place to start.”

And Ryan Wilk, director of customer success at NuData Security, said password reuse is a significant concern. “Although there are reports that some of the leaked Google credentials are multiple years old, there is still a great threat to user account security — how many people are actually changing their password on a regular basis, and [on] how many other sites does a compromised user use the same password? This makes the Google breach a significant threat to users’ account security online,” he said.

Dr. Mike Lloyd, CTO of RedSeal Networks, said the breach serves as a useful reminder of the benefits of segmentation. “We are continuously being reminded these days that when we take the easy path — using the same password everywhere we go, for example — then the bad guys will respond to that, because we’ve also made it easy for them,” he said. “Attackers go for easy targets, because it works.”

“The strongly recommended habit of using different passwords on different sites is the best protection in this instance, and is a more general reminder of the need to keep separate things separate,” Lloyd added. “This lesson ranges from password management for individuals, all the way to network segmentation of the infrastructure we all rely on. Segmentation is essential. If we object to the inconvenience, then bad guys will align their attacks to match our laziness.”

eSecurity Planet recently examined three tools for enforcing password policies, from cloud-based single sign-on tools to enterprise password management solutions — and in an earlier article, eSecurity Planet looked at the five best password management solutions available at the time.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
