

5M Gmail passwords leaked to Russian Bitcoin forum - gokhan
http://www.dailydot.com/crime/google-gmail-5-million-passwords-leaked/

======
freehunter
Definitely not Gmail passwords, or at least not passwords leaked from Google
themselves. I have an account on there that I only use for spam and signing up
for sites that require an email address, but it lists a junk password that has
never been used with that account on Google itself. It's been used with that
email address on many sites, but not Google.

It seems this list is either curated to only include Gmail addresses scraped
from some other site or they tried combining an email and a password list
together.

~~~
jacquesm
The problem with such lists is that plenty of people will use the same
password they used on website 'x' with their gmail account. So don't be
surprised if a whole pile of these actually will work with the listed gmail
address.

~~~
pyre
Right, but there is at least a chance that the email:password combos are wrong,
even if the email is valid.

------
afreak
https://canary.pw/view/?item=13221ab1721254808546bd068b6cd475

https://canary.pw/view/?item=1bc5b34811b50f3fbce06cb550883727

https://canary.pw/view/?item=87ecceaf19b0187e901e15c5bc8f8a9d

Canary is still chewing through the dataset I fed it and figuring out where
they all relate (if at all), but so far it seems that some of the data is as
old as January 2014. This is likely not from Gmail itself but perhaps a
collection of other leaks.

~~~
afreak
https://pay.reddit.com/r/netsec/comments/2fz13q/5_millions_of_gmail_passwords_leaked_rus_most/cke79db

A good backgrounder too.

~~~
_puk
Interestingly I have one hit for my gmail on isleaked.

Looking at that link I see freebiejeebies, which if I check in keepass I
created an account for in 2008 with a unique password (as I tended to back
then, even for throwaways).

Sure enough, the first two characters match those reported by isleaked (though
the case doesn't match).

Having gone through the majority of the other entries in keepass, that is the
only password starting with the two reported characters.

So can safely say freebiejeebies was compromised at some point.

Now to work out why I'd have an account on there in the first place ;)

------
marksamman
https://news.ycombinator.com/item?id=8295102

~~~
r721
Flagged out of front page though.

~~~
pmalynin
Huh, I wonder why. Because it seems my submission is being penalized for being
submitted hours before it hit the general media.

~~~
r721
There are a few reasons:

http://www.righto.com/2013/11/how-hacker-news-ranking-really-works.html

I think it's the relation between upvotes/comments and also maybe many were
upvoting from the submission page (which triggers vote ring detection or
something, read about that somewhere)

------
aroch
One of my throwaway Gmail accounts is in the leak; the password matches the
password I gave at devicescape.com

------
smmnyc
The account I found on this list was captured in the adobe.com breach
(http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html)

------
philliescurt
I found an address I use, but the password they have listed has not been valid
for over two years.

------
autism_hurts
Anybody have the raw data?

~~~
r721
Look at the dead comments in the other submission.

------
heliumcraft
Wouldn't the passwords be hashed? Or are these passwords captured through
other means like trojans?

~~~
UberB
According to the article, they never managed to hack into Google's database.
This just looks like a large accumulation of user info from phishing.

