
Alleged leak of more than 5M Gmail accounts - pmalynin
https://isleaked.com/en.php
======
sinak
Now is a good time to enable two-factor authentication on your accounts. Here
is how to do so for some common services:

\- Google:
[https://www.google.com/landing/2step/](https://www.google.com/landing/2step/)

\- Github:
[https://github.com/settings/security](https://github.com/settings/security)

\- AWS:
[http://aws.amazon.com/mfa/virtual_mfa_applications](http://aws.amazon.com/mfa/virtual_mfa_applications)

\- Facebook:
[https://www.facebook.com/settings?tab=security](https://www.facebook.com/settings?tab=security)

\- Twitter:
[https://twitter.com/settings/security](https://twitter.com/settings/security)

\- Dropbox:
[https://www.dropbox.com/account/security](https://www.dropbox.com/account/security)

\- Lastpass: [http://helpdesk.lastpass.com/security-options/google-authent...](http://helpdesk.lastpass.com/security-options/google-authenticator/)

\- More: [https://twofactorauth.org/](https://twofactorauth.org/)

~~~
unknownBits
With two-factor authentication you are happily providing gmail with your phone
number. They say they need this to send you a verification code when you log
into your gmail account. Then they say:

"During sign-in, you can tell us not to ask for a code again on that
particular computer."

Well, if that's the trick, they don't need your phone number at all; they can
do an IP and OS check anyway.

~~~
ak217
I'm not sure exactly what point you're trying to make, but you seem confused
about how 2FA works.

The goal of 2FA/MFA is to make you demonstrate that you're in possession of
two independent secrets (authentication factors). Once you've shown that, it's
considered safe enough to replace the second secret (OTP sent to your phone or
generated by your TOTP app like Google Authenticator) with a cookie (the check
is not IP-based). Typically the cookie only lasts for 30 or 60 days.

If what you're concerned about is the idea that Google knows your phone
number, you can use Google Authenticator or another TOTP app instead.

~~~
probably_wrong
> If what you're concerned about is the idea that Google knows your phone
> number, you can use Google Authenticator or another TOTP app instead.

I'm under the impression that you need to provide Google your phone number
before being allowed to enable TOTP.

~~~
miohtama
The TOTP algorithm is open and has an RFC. Check the Google Authenticator
Wikipedia page for OSS clients.

I guess the phone number is needed for secure reset. In case you lose the
device, this would render your account inaccessible.

~~~
probably_wrong
I do have an OSS client, but the very first step to enable Gmail's 2FA is to
give your phone number.

I agree that there are good reasons for asking that, but the comment above
apparently raises a good point, namely, that you apparently cannot enable 2FA
without giving Google your phone number.

------
tonymon
Links to zip archive with plain email list (without passwords):

[https://mega.co.nz/#!ewU1wCKA!P52rdL5tMcugRxi8ALyZlGnfE_KSB4...](https://mega.co.nz/#!ewU1wCKA!P52rdL5tMcugRxi8ALyZlGnfE_KSB4pERGIJjsPsyCQ)

Alternative: [http://rghost.net/57937836](http://rghost.net/57937836)

The thing is that this site mentions other site where in comments section you
can find links to 7zip archive with emails

~~~
unicornporn
OK, my address was in there. I've changed my password. But, how do I know if
they actually had my correct password? Shit this is scary...

~~~
important
Assuming the hacker did sign in to your Gmail, you might be able to get that
information from the list of last logins in your Gmail account. Any IP that's
outside your normal location would reveal that. More in this link:
[https://support.google.com/mail/answer/45938?hl=en](https://support.google.com/mail/answer/45938?hl=en)

~~~
unicornporn
Yeah, this is an account that only forwards emails, so I almost never log in.
However, when I changed my password now I logged in and out a bunch of times.
This made this very short list of recently logged locations only contain one
line that was not from today. Hmm. Would be better if they showed 50 recent
logins or something...

------
bagels
Every time something like this is posted, where there is a site to check if
your email address is in some leaked list, I really wish they'd just tell me
how to get the list itself. Instead, they ask me to trust that they will not
use my email address, and I have to hope that they won't leak it.

I generally don't bother, because it's just more security risks.

~~~
joeblau
Exactly. Just show me the list and let me do a command+F. I'm not trying to
enter my email into their system.

~~~
durrrrrrr
Are you being serious? Next time you search google, would you rather they
display 5,000,000 results on one page and you Ctrl+F the response?

~~~
polarix
If the local client could handle it, this would be a _much_ more secure way of
browsing.

~~~
mlatu
I sure hope you are being sarcastic. If not, consider this: it is possible to
use JavaScript to override Ctrl+F or other keystrokes. If that site had
displayed the list, and someone used Ctrl+F on it, they could have simply used
such a technique to add your input to the list to generate positive findings
on the fly.

[http://arstechnica.com/security/2012/12/how-script-kiddies-c...](http://arstechnica.com/security/2012/12/how-script-kiddies-can-hijack-your-browser-to-steal-your-password/)

------
Sommer717
Weird, it gives me a very old password.

Though back when I had that password my account _was_ hacked. I'd wager this
is just Gmail address+password combos collected from other leaks (read: not
from Google). Really this just seems to be an attempt at sensationalizing.

~~~
caractacus
Me too. It gives the first two letters of a pw that I have used in the past
but as far as I'm aware, not on that account. This raises all kinds of
questions...

Edit: it does the same on a much older account that I rarely use, too. Not the
current password but the first two letters of what is likely a much older pw.

------
gotothrowaway
For me, it has a password I don't ever recall using with gmail. If I have, I
don't think it's been in the past few years.

That said, it's my throwaway password I use on services I'm not particularly
worried about. I fear that this isn't a gmail leak but instead a different
service.

~~~
chippy
but matched up with your email... and many people don't have throwaways

------
marksamman
If you search for the character '+' in the list of e-mails you can get an idea
where the mails leaked from. It seems to me like this is a collection of
databases scraped from different sources as others have suggested.

For Gmail users, it's a good practice to register on websites using
username+websitename@gmail.com (e.g. mark.samman+hackernews@gmail.com); that
way you'll know who leaked your data when it appears in lists like this or
when you get spam. Gmail ignores the plus character and anything that follows
the plus. You can also add dots at arbitrary positions in the username part.

~~~
unbelievr
Going with your suggestion, the amount of DBs must be huge. The most prominent
additions after the + sign (ignoring just single numbers) are:

\- Bioware (54)

\- Bravenet (19)

\- Bryce/daz3d/daz (244)

\- Eharmony (64)

\- Filedropper/fd/etc. (113)

\- Freebie/Freebiejeebies (64)

\- Friendster (65)

\- Hon (42)

\- Policeauctions (28)

\- Savage/Savage2 (116)

\- Xtube/porn (200ish)
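
An added example (not code from this thread or from any project it mentions) of the two analyses above: tallying plus-tags the way unbelievr did to see which sites the addresses were registered with, and checking your own address against a local copy of the list, as bagels and joeblau prefer, with Gmail's dot and plus equivalence applied. The sample list is constructed, and treating googlemail.com as interchangeable with gmail.com is an assumption.

```python
from collections import Counter

# Constructed sample in the shape of the leaked list (one address per line);
# this is NOT the real dump.
SAMPLE_LIST = """\
mark.samman+hackernews@gmail.com
alice+bioware@gmail.com
a.l.i.c.e+Bioware@gmail.com
bob+eharmony@googlemail.com
carol+1@gmail.com
dave+daz3d@gmail.com
frank@gmail.com
Frank+daz3d@GMAIL.COM
"""

# Assumption: googlemail.com delivers to the same mailbox as gmail.com.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(addr: str):
    """Split an address into (canonical mailbox, plus-tag).
    For Google domains, dots in the local part are ignored, anything after
    '+' is stripped, and googlemail.com folds into gmail.com. Other domains
    are only lower-cased and get an empty tag."""
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain not in GOOGLE_DOMAINS:
        return addr, ""
    base, _, tag = local.partition("+")
    return base.replace(".", "") + "@gmail.com", tag


def tag_counts(text: str) -> Counter:
    """Tally plus-tags across the list, skipping purely numeric tags, to see
    which services the addresses were signed up with."""
    counts = Counter()
    for line in text.splitlines():
        if "@" not in line:
            continue
        _, tag = canonical(line)
        if tag and not tag.isdigit():
            counts[tag] += 1
    return counts


def in_list(text: str, my_address: str) -> bool:
    """Offline check of your own address against the list that also catches
    dot and plus variants, so the address never goes to a third-party site."""
    mine, _ = canonical(my_address)
    return any(canonical(line)[0] == mine
               for line in text.splitlines() if "@" in line)
```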

------
tectonic
It's suggesting a password that I do use on some sites, but never have on
Gmail. I think this is a scraped database from somewhere else...

~~~
zwischenzug
Same for me.

------
Intermernet
I can tell from the first 2 characters that the leaked password associated
with my email address was scraped from Pizza Hut Australia's online ordering
system (they only recently implemented SSL on the login page).

It's interesting that I set up a particular password for that service when I
noticed it didn't use SSL. Makes me wonder how many databases this comes
from. It certainly isn't Google's.

~~~
junto
Out of interest, do you know from your data when your Pizza Hut Australia
account could have been compromised? Was it a plus-addressing
yourname+pizzahut@yourdomain.com type email address?

Would be interested to know more about this. I'm @junto on Twitter if you
don't mind contacting me. It would be appreciated.

~~~
Intermernet
Hi, no, I assume that the breach happened in the last 3 years, and before they
implemented SSL. I have noticed that
[http://www.pizzahut.com.au/members/login](http://www.pizzahut.com.au/members/login)
is still a valid page, inaccessible via SSL, but haven't checked if logging in
on that page actually works.

I noticed that they've also implemented a password reset email, instead of
their previous practice of just emailing you the password. Hopefully this
means that they are no longer keeping unhashed passwords on the system.

It seems that they realised they weren't doing things correctly in the last 6
months (maybe a bit longer, not 100% sure) and have taken steps to rectify
this. This _may_ be due to a discovered security breach, but may just be a
change in their internal IT policy. Hopefully they're now following best
practices!

------
onestone
It isn't the actual Gmail passwords that are leaked. One of my accounts is
there, but the password is one I have used on other sites, never on the actual
Gmail account.

~~~
ndr
Can you disclose which site?

~~~
onestone
Can't be sure, it's a "garbage sites" password which I've used too many times
on untrusted sites. Any one of those sites could have been hacked, or had been
a phishing gateway itself.

Of course what I did was bad practice. One should store passwords in a secure
password manager, and use a different (preferably 30+ chars) password on each
site.

~~~
dredmorbius
My present "garbage site" practice is to pop open a session to mailinator.com
to a randomly generated box name.

Mailinator will give an alternate address that's a hash of the first, so that
the address itself cannot be used to check. See below.

I'll create a set of long passwords (20-30 characters) with pwgen. Those are
input as name, email, and password fields (different for each). If I need to
verify an email, I can.

I don't record the values, they're throwaway.

If the site rejects 'mailinator.com', there are other domains provided as
alternates.

Example: inache8baezo0aowahph@mailinator.com is also

    m8r-ds4te4@mailinator.com
    inache8baezo0aowahph@mailinator.com
    inache8baezo0aowahph@mailtothis.com

(or m8r-ds4te4 at the other domains)

The 'm8r' address can't be used to check for mail.

Note, obviously, that anyone with the actual mailbox hash can check it. For
example:
[http://mailinator.com/inbox.jsp?to=facebook](http://mailinator.com/inbox.jsp?to=facebook)

Oh, there's even an RSS mailbox subscription, neat:
[http://www.mailinator.com/feed?to=](http://www.mailinator.com/feed?to=)

------
NaNaN
A summary about phishing:

    1. Found your password with the same email address somewhere
       and ask if you still use that email address on another site.
    2. And get your IP, then log in through a proxy to bypass the security checking.
    3. Still, to know which email address is in use.

If you just worry, change your password right now without using their service.
:P It may be good that every few months some guys remind you to change
passwords.

~~~
broolstoryco
Exactly what proxy would allow me to appear to be using my IP address?

~~~
netrus
For many security checks, a proxy in the same country would be sufficient.
They might only check if you log in from Asia and America at the same time.

------
Fede_V
I just checked using a bunch of throwaway email accounts I had to sign up for
various promotions. One of them was leaked - and one of them had a very old
password associated with it.

I now use KeePass2 to manage all my passwords - so the old password has
absolutely nothing to do with the new one. This makes me think that they
simply tried to use some other hacked site, and checked to see whether the
same pwd was recycled for gmail.

------
nmjohn
The full list was leaked, my email was on it but I've never used that password
for an email account in my life. It's my throwaway "I don't trust this
website" password. I use it for a reason!

------
ecma
On August 20 an address of mine was entered and my Origin account was
subsequently compromised. Looks like this leak matches the creds that account
had before I reacted. Happily enough it was a low equity account, I had 2FA
and nothing else seems to have been grabbed.

Edit: to clarify, I had 2FA on an account which alerted me to the Gmail
compromise. I obviously messed up with that email account.

------
curiousDog
It says mine is in it but suggests the wrong password. I don't think I even
had a password with those letters plus I've had 2FA for a while now. Wonder
how legit this is.

------
ars
I used the wildcard and mine is not in it.

So I don't think this is a hack of google itself, but rather just collecting
addresses from elsewhere and collecting the gmail ones.

------
hotmilo23
Tried it with mine and it said yes but had the password wrong. It didn't match
a password I've ever used...

------
cordite
The problem with 2FA for me is that I am underground for a good part of my
day, without reception.

I use google voice to get notified of calls and voicemails so I can be fairly
responsive, but obviously using another service that can be accessed in
multiple places defeats the point, especially when owned by the same people.

~~~
palebluedot
You don't need reception for 2FA; Google Authenticator and FreeOTP work fine
even in airplane mode, if you have your phone / tablet with you.

~~~
cordite
Yeah, good luck on a windows phone.

~~~
ZoFreX
Microsoft Authenticator works just fine with GMail :)

~~~
cordite
Confirmed! Though I had to go outside to get the initial pass code via SMS.

It does not seem like twitter supports this authenticator.

------
Grue3
My email is on there, but the password is not the one I'm currently using.
Though I wonder which site or sites I've been using this password on. Has
anyone figured it out? I'm going to crosscheck with my saved passwords list in
Firefox when I get home.

------
vocket
I tried it and it gave me a year old password. I am guessing they only got a
hold of old passwords.

------
hmottestad
My Gmail was hacked a few years ago. This database showed the first two
letters of the password I had at the time.

I had (stupidly) been using the same password on other sites, so after I was
hacked I made a new password just for Gmail.

Now I also have two factor authentication :)

------
Sarkie
It has a password for another site but not gmail.

Not sure which, but it isn't gmail.

------
x3sphere
The passwords seem to have come from somewhere else. My email is on the list,
but the password is wrong and actually matches the one I use for throwaway
accounts.

~~~
maxerickson
There seem to be enough people reporting this to do some correlation and
figure out what was really compromised.

------
laacz
This leak is more likely a result of phishing attacks. So, if you have been
(and still are) careful enough, your email should not be on that list.

------
j0hnskot
It says mine is leaked too. But the first two digits of my password that it
gives me are not relevant to my password. What does this mean?

------
cornewut
I don't think this is leaked from Google. Probably people just were using the
same password for some other service...

------
kaoD
My account was compromised a couple months ago. Google detected a series of
logins from Poland, Lithuania and Oregon (probably botnets, which I think it
rejected) and sent me a warning.

I expected my address to be there but it wasn't. Makes me wonder.

------
myrandomcomment
So my wife's is in there but the password it gives is from over a year ago.

------
turtles
Where the passwords at? Would make a good common passwords list for security
testing.

EDIT: Not seeing the password list online, and below someone mentioned it
showed an old password for them, so thinking someone is making this up.

------
noyesno
Interesting, the password associated to a secondary Gmail account of mine
turned out to be not for Gmail login but for a Friendster.com account from
years back that used it as user ID.

------
fnayr
My older account (8+ years) was leaked but my more recent one (4+ years) was
not.

EDIT: This was good to find out because I did not have 2 factor auth on my
older account as I hardly use it anymore.

------
broolstoryco
I found my email there, but the first two letters are of a password that I
have never used with Gmail (it is a disposable password I use for unimportant
sites).

------
JasuM
I was on the list and now I got a Facebook password reset code to my phone,
without asking for one. Someone already seems to be trying to use the
passwords.

------
ganessh
My email address was there but the "first two symbols" listed there were
wrong. Are those first two symbols a hash of my password?

~~~
kibibu
Based on the two letters of mine, I have a feeling that it's from a BB forum
crawl or similar.

------
LilyOfTheValley
Two-factor authentication looks more appealing than ever. But first go to
www.gmailleak.com to make sure your account was not compromised.

------
tapsboy
I just tried it with an old account. It correctly gave out the first two
letters of existing password

Luckily, 2FA was already enabled.

------
aquadrop
It has passwords collected from other sites, at least from heroesofnewerth.com

That's one more example against password reusing.

------
mcoliver
Interestingly enough fuck@gmail.com is an email address.....grepping the email
list txt file is ahhhmazing

------
cornewut
Quite a few of the leaked accounts also appear to be using SoundCloud. Could
this be related?

------
Vincez
Sites should stop storing plain text passwords.

------
minusSeven
Can anyone talk about how this site works and where they get the list of
leaked email addresses from?

------
joshka
    grep admin google_5000000.txt -c
    1019

_sigh_

------
hayksaakian
Checked the plain text list against 20 of my contacts, and nothing
matched.

------
priteshjain
Site is down right now :(

------
rdjik
It's nowhere near advisable for anyone to submit their address to that box.

Notwithstanding the questionable reliability of this, what is meant by
"leaked"? A trove of phished credentials does not really qualify as a "leak".

~~~
lucaspiller
I just tried it with my old Gmail account that I no longer use, and it
displayed the first two letters of my password. The password was random
letters and numbers, 16 characters, so not easily guessable. Seems legit to me
:-)

