Hacker News new | past | comments | ask | show | jobs | submit login
Alleged leak of more than 5M Gmail accounts (isleaked.com)
158 points by pmalynin on Sept 10, 2014 | hide | past | favorite | 127 comments

I would add Mitro.co, which is Open Source (http://www.marcodena.it/blog/stop-remembering-passwords/)

I don't want 2FA for absolutely everything. I want to authenticate once.

Then your laziness is important to you then your security.

It's a fair point though. At some point you're putting too much of a barrier on everything. You can have security and convenience at the same time, we just haven't done it yet.

However, I have 2FA turned on with GMail and I authenticate basically once, then it remembers my PC and I don't have to authenticate again for a long time.

It remembers the second authorization on all your devices?

On my iPhone and my desktop (at home and work).

I have ssh-agent for SSH. Can we get something similar for websites?

Actually, I was recently pointed at Joyent's node-http-signature[1], which is pretty clever. It can sign an HTTP request using one's SSH keys. Handy for a CLI client for a HTTP API.

I've done a couple of HTTP auth schemes for my dayjob and am thinking of using something like this for my next.

1. https://github.com/joyent/node-http-signature/blob/master/ht...


as long as we need to depend on javascript for crypto there will not be a secure way to do such things. im saying this because you can not safely assume the integrity of your crypto system to be intact if you have to download it with the page it's used on. thats about the same as always having to download your ssh client first from the server you are connecting to. someone could tinker with that download and give you something that uses the attacker as a proxy to connect to your server of choice and while you notice nothing, that malware would upload your private key. same thing could happen when you use some sort of crypto implemented in javascript.

lets talk about this when someone made it possible to have a website instruct the browser to make a call to a crypto library or some such

He did not say web or browser. He said nodejs. Node can call native crypto libraries, but also is not subject to the mitm issue.

Please read up on what "nodejs" is before lambasting it with an oft repeated security trope.

> He did not say web or browser. He said nodejs.

Indeed; more generally, I said CLI. TLDR of the previous link: it's an interesting general-purpose take on using ssh public/private keys (and methods) to sign and authenticate HTTP requests.

No, as sp332 says, I want something like ssh-agent for the web.

Seems like the closest we've got is OAuth with your Google/Facebook/GitHub/Twitter account.

With two-factor authentication you are happily providing gmail with your phone number. They say they need this to send you a verification code when you log into your gmail account. Then they say:

"During sign-in, you can tell us not to ask for a code again on that particular computer."

Well, if that's the trick, they don't need your phone nr at all, they can do ip and os check anyways..

If you're worried about giving Google your phone number, you should perhaps also be worried about them having access to all of your email messages.

You should be worried about both of these anyway.

I have a couple of old legacy gmail accounts I don't use any more but still keep active, so I have 2FA on them, but anything important goes to my own mail server.

Is this enough, though? Probably to prevent an attacker from stealing your account, but not to stop them from reading your emails.

Do you encrypt your emails? Do you regularly send emails to other people (who probably have Gmail accounts)?

>Probably to prevent an attacker from stealing your account, but not to stop them from reading your emails.

Since nothing important goes to them any more and I mainly keep them active to stop them getting squatted for for some highly intermittent email (3+yrs) I might have forgotten, then it doesn't matter much there. As it is, the main attacker where gmail is concerned is google itself, followed by the NSA.

As for other people with gmail accounts, yes, but I'm aware of when that happens and wouldn't email anything sensitive to any gmail(hotmail,yahoo,etc.) account.

The problem is that, as a security solution, having your own mail server and being careful about who you send emails to doesn't scale and it's not feasible in the general case. If you're worried about Google/NSA/spies as the main attackers, I'm not sure hosting your email is the best solution. Yes, it works if you never send email to anyone with Gmail, Yahoo, Hotmail, etc. But that will prevent most normal uses of email. And if you do send email to regular people, then someone, somewhere, will read your emails; that's what they are for after all. And then the privacy of your email is as good as the security measures your recipient has in place.

Same with 2FA: it's a security measure to make it difficult for an attacker to gain access to your account, and one all of us should use, but it's not there to prevent them from reading your emails.

Maybe the overall solution is "don't use email -- self-hosted or otherwise -- for anything sensitive, ever." This will probably work, but is not feasible for most of us.

I'm not sure exactly what point you're trying to make, but you seem confused about how 2FA works.

The goal of 2FA/MFA is to make you demonstrate that you're in possession of two independent secrets (authentication factors). Once you've shown that, it's considered safe enough to replace the second secret (OTP sent to your phone or generated by your TOTP app like Google Authenticator) with a cookie (the check is not IP-based). Typically the cookie only lasts for 30 or 60 days.

If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

> If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

I'm under the impression that you need to provide Google your phone number before being allowed to enable TOTP.

TOTP algorithm is open, has RFC. Check Google Authenticator Wikipedia page for OSS clients.

I guess phone number is needed for the secure reset. In the case you lose the device this would render your account inaccessible.

I do have an OSS client, but the very first step to enable Gmail's 2FA is to give your phone number.

I agree that there are good reasons for asking that, but the comment above apparently raises a good point, namely, that you apparently cannot enable 2FA without giving Google your phone number.

Ip or cookie, still don't see the need for giving your phone number. In case of a crack, the cracker knows your private phone number too, for what?

My gmail(and aws and dropbox and digital ocean and github and zoho and ...) TFA uses a TOTP app, not my phone number. (and works just fine on my iPad - which doesn't really have a phone number - at least not one I know or worry about...)

Also, according to the three biggest telcos where I live:

"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," ( http://www.itnews.com.au/News/322194,telcos-declare-sms-unsa... )

> Well, if that's the trick, they don't need your phone nr at all, they can do ip and os check anyways.

Although that wouldn't be 2FA, it's worth noting that Facebook, Hotmail and Flickr will ask for some extra verification if you connect from a different country that usual. So that's probably not a bad idea.

Google do as well - they block logins that they determine to be suspicious, and a separate country seems to be a big factor in that decision.

> With two-factor authentication you are happily providing gmail with your phone number.

Which I also provide to Google because all of my phone numbers are forwarding numbers for my GVoice account, so that's not a big deal.

> They say they need this to send you a verification code when you log into your gmail account.


> Well, if that's the trick, they don't need your phone nr at all, they can do ip and os check anyways..

How can they determine its valid without the second factor the first time you log on from a particular device? That's a key feature of 2FA (plus, if you ever use a shared computer, you don't want to choose the option to never ask for a code again on that computer!)

This is much better: https://play.google.com/store/apps/details?id=org.fedorahost...

Open source fork of the (now closed source) Google Authenticator.

Nice! Thanks for sharing!

Links to zip archive with plain email list (without passwords):


Alternative: http://rghost.net/57937836

The thing is that this site mentions other site where in comments section you can find links to 7zip archive with emails

Interestingly, there are a large number of non-gmail.com addresses in there, including 123k yandex.ru addresses, plus a (very) small number of yahoo.com and hotmail.com addresses. Here's the output of "cut -d@ -f2 | sort | uniq -c | sort -nr":


The data hasn't been very well edited from whatever dump it came from. For example, there are lines that end in "gmail.com_xtube", "gmail.com7777", "gmail.com|login", etc, which are curious.

OK, my address was in there. I've changed my password. But, how do I know if they actually had my correct password? Shit this is scary...

Assuming hacker did sign in into your Gmail , you might be able to get that information from the list of last logins in your Gmail account. Any IP that's out of your normal location would reveal that. More in this link https://support.google.com/mail/answer/45938?hl=en

Yeah, this is an account that only forwards emails, so I almost never log in. However, when I changed my password now I logged in and out a bunch of times. This made this very short list of recently logged locations only contain one line that was not from today. Hmm. Would be better if they showed 50 recent logins or something...

The webpage will give you the first two letters of your password.

The webpage gave the correct first two letters of my password...but that was changed more than a year and half ago, so this leak must be VERY old. I have been using last pass for the past time and when I got it I immediately changed my google password. This is the reason why I'm saying is that old.

I bet there are some people who have other leaked account & password lists, and since the isleaked.com site is kind enough to give the first two characters of the password for any given email account, it'd probably be possible to guess the passwords for some of those accounts.

Am I blind? I only see if there is a match, no password initial letters at all ???

EDIT: Not blind, it just doesn't show the initial letters if you search using a wildcard even if there is only 1 match.

Thanks! Checking that list against my gmail contacts, I found six of my friends in there!

Did the same, found one.

Every time something like this is posted, where there is a site to check if your email address is in some leaked list, I really wish they'd just tell me how to get the list itself. Instead, they ask me to trust that they will not use my email address, and I have to hope that they won't leak it.

I generally don't bother, because it's just more security risks.

It could be even more dangerous than you are imagining.

If you check a username, then you would probably also be revealing the IP address range and browser referrer that is normally used to access your account.

Google uses IP address and location to help detect illegal access. So giving away this information could make it easier for your account to be stolen.

How? Is the hacker going to buy a plane ticket, fly to my home and plug his laptop into my network?

Of course not. He's going to go botnet shopping and try to log in through a compromised machine with an IP address in the same town, in the same address range.

He might even be able to use the same IP as you, if you happen to be using a gateway with many machines behind it, and one of them is compromised.

"If you don't like to specify your full email address for any reason, you can replace up to 3 characters with asterisk sign (e.g., for myaccount@gmail.com enter myac*nt@gmail.com), thus we'll show you a count of matches for this pattern. We respect your privacy."

Only up to 3 characters? Why 3? Especially since it's an email address and not a random string, which limits the possibilities for the 3 missing characters. This looks like it's giving more info than you'd think to a dodgy website...

maybe because they want to limit the search time?

Exactly. just show me the list and let me do a command+f. I'm not trying to enter my email into their system.

Are you being serious? Next time you search google, would you rather they display 5,000,000 results on one page and you Ctrl+F the response?

Wget and grep would be more likely to be used - but in answer to your question: yes, in a case like this.

Let's do some quick back-of-the-envelope math. 5M addresses, with very few longer than 25 characters. Let's say the average is around 17 characters. 17 * 5 * 10^6 = 35 * 10 ^7 = 3.5 * 10^8 bytes, or 350MB. Text generally compresses to 1/8 space with zlib, so the amount to transfer would be about 44MB, at most. Serving the list as xz compressed file could probably cut the size down to below 40MB.

In the age of 100MB youtube videos, that doesn't sound like much to me.

If the local client could handle it, this would be a much more secure way of browsing.

i sure hope you are beeing sarcastic, if not, consider this: it is possible to use javascript to override ctrl+f or other keystrokes. if that site would have displayed the list, and someone used ctrl+f on it, they could have simply used such a technique to add your input to the list to generate positive findings on the fly.


you should reconsider this, because it is possible to use javascript to override ctrl+f or other keystrokes. if that site would have displayed the list, and someone used ctrl+f on it, they could have simply used such a technique to add your input to the list to generate positive findings on the fly.


To avoid this, I made this script to check if my email addresses are in a leak list: https://github.com/rodrigorega/wordlist_compare

nice.. i'll use grep instead, thanks for the effort though

Give me your email, and I'll check for you. I won't do anything, I promise. Joking aside, I downloaded the list and my email is not listed. Phew...

I also checked a few of those near and dear to me. Should probably try my full address list...

...or that when you log on to the site, the site would tell you that your account was in the list.

Weird, it gives me a very old password.

Though back when I had that password my account was hacked. I'd wager this is just Gmail address+password combos collected from other leaks (read: not from Google). Really this just seems to be an attempt at sensationalizing.

Me too. It gives the first two letters of a pw that I have used in the past but as far as I'm aware, not on that account. This raises all kinds of questions...

Edit: it does the same on a much older account that I rarely use, too. Not the current password but the first two letters of what is likely a much older pw.

I can also verify this. One of my gmail accounts was in there, incidentally the "trash account" I use when I sign up for various services online.

And the password was one of my lowest security "trash passwords" I use with this e-mail as login sometimes if it's a service I wouldn't trust or don't care if it's compromised.

So I wouldn't worry about this. Someone had their site hacked most likely and these are logins to the site, not from Google.

For me, it has a password I don't ever recall using with gmail. If I have, I don't think it's been in the past few years.

That said, it's my throwaway password I use on services I'm not particularly worried about. I fear that this isn't a gmail leak but instead a different service.

but matched up with your email... and many people don't have throwaways

If you search for the character '+' in the list of e-mails you can get an idea where the mails leaked from. It seems to me like this is a collection of databases scraped from different sources as others have suggested.

For Gmail users, it's a good practice to register to websites using username+websitename@gmail.com (e.g. mark.samman+hackernews@gmail.com), that way you'll know who leaked your data when it appears in lists like this or when you get spam. Gmail ignores the plus character and anything that follows the plus. You can also add dots at arbitrary positions in the username part.

Going with your suggestion, the amount of DBs must be huge. The most prominent additions after the + sign (ignoring just single numbers) are:

- Bioware (54)

- Bravenet (19)

- Bryce/daz3d/daz (244)

- Eharmony (64)

- Filedropper/fd/etc. (113)

- Freebie/Freebiejeebies (64)

- Friendster (65)

- Hon (42)

- Policeauctions (28)

- Savage/Savage2 (116)

- Xtube/porn (200ish)

I have always wondered what use is this with regards to spam and sneaky address lists. What exactly prevents someone from cleaning up the addresses before letting them out?

If I were a bad behaved site and sell (sold? sorry, tired and non native speaker) my userlist, i'd probably remove all plus-suffixes from the addresses. Same as if I were a blackhat stealing them to be sold.

Honest question, no snark.

On the other hand, this will reveal to anyone you have a HN/NRA/porn account in case of a leak ;)

It's suggesting a password that I do use on some sites, but never have on Gmail. I think this is a scraped database from somewhere else...

Same for me.

I can tell from the first 2 characters that the leaked password associated with my email address was scraped from Pizza Hut Australia's online ordering system (they only recently implemented SSL on the login page).

It's interesting that I setup a particular password for that service when I noticed it didn't use SSL. Make's me wonder how many databases this comes from. It certainly isn't Google's.

Out of interest, do you know from your data as to when your Pizza Hut Australia account could have been compromised? Was it a plus addressing yourname+pizzhut@yourdomain.com type email address?

Would be interested to know more about this. I'm @junto on Twitter if you don't mind contacting me. It would be appreciated.

Hi, No I assume that the breach happened in the last 3 years, and before they implemented SSL. I have noticed that http://www.pizzahut.com.au/members/login is still a valid page, inaccessible via SSL, but haven't checked if logging in on that page actually works.

I noticed that they've also implemented a password reset email, instead of their previous practice of just emailing you the password. Hopefully this means that they are no longer keeping unhashed passwords on the system.

It seems that they realised they weren't doing things correctly in the last 6 months (maybe a bit longer, not 100% sure) and have taken steps to rectify this. This may be due to a discovered security breach, but may just be a change in their internal IT policy. Hopefully they're now following best practices!

It isn't the actual Gmail passwords that are leaked. One of my accounts is there, but the password is one I have used on other sites, never on the actual Gmail account.

Can you disclose which site?

Can't be sure, it's a "garbage sites" password which I've used too many times on untrusted sites. Any one of those sites could have been hacked, or had been a phishing gateway itself.

Of course what I did was bad practice. One should store passwords in a secure password manager, and use a different (preferably 30+ chars) password on each site.

My present "garbage site" practice is to pop open a session to mailinator.com to a randomly generated box name.

Mailinator will give an alternate address that's a hash of the first, so that the address itself cannot be used to check. See below.

I'll create a set of long passwords (20-30 characters) with pwgen. Those are input as name, email, and password fields (different for each). If I need to verify an email, I can.

I don't record the values, they're throwaway.

If the site rejects 'mailinator.com', there are other domains provided as alternates.

Example: inache8baezo0aowahph@mailinator.com is also

(or m8r-ds4te4 at the other domains)

The 'm8r' address can't be used to check for mail.

Note, obviously, that anyone with the actual mailbox hash can check it. For example: http://mailinator.com/inbox.jsp?to=facebook

Oh, there's even an RSS mailbox subscription, neat: http://www.mailinator.com/feed?to=

it has my ancient password from ~2008 for


That company went under 4-5 years ago, and I seem to remember few forum (phpbb afaik) software/database breaches at the time.

A summary about phishing:

    1. Found you password with the same email address somewhere
     and ask if you still use that email address on another site.
    2. And get your IP, then login through proxy to bypass the security checking.
    3. Still, to know which email address is in use.
If you just worry, change you password right now without using their service. :P It may be good that every a few months some guys remind you to change passwords.

Exactly what proxy would allow to appear to be using my IP address?

For many security checks, a proxy in the same country would be sufficient. They might only check if you log in from Asia and America at the same time.

I just checked using a bunch of throwaway email accounts I had to sign up for various promotions. One of them was leaked - and one of them had a very old password associated with it.

I now use KeePass2 to manage all my passwords - so the old password has absolutely nothing to do with the new one. This makes me think that they simply tried to use some other hacked site, and checked to see whether the same pwd was recycled for gmail.

The full list was leaked, my email was on it but I've never used that password for an email account in my life. It's my throwaway "I don't trust this website" password. I use it for a reason!

On August 20 an address of mine was entered and my Origin account was subsequently compromised. Looks like this leak matches the creds that account had before I reacted. Happily enough it was a low equity account, I had 2FA and nothing else seems to have been grabbed.

Edit: to clarify, I had 2FA on an account which alerted me to the Gmail compromise. I obviously messed up with that email account.

It says mine is in it but suggests the wrong password. I don't think I even had a password with those letters plus I've had 2FA for a while now. Wonder how legit this is.

I used the wildcard and mine is not in it.

So I don't think this is a hack of google itself, but rather just collecting addresses from elsewhere and collecting the gmail ones.

Tried it with mine and it said yes but had the password wrong. It didn't match a password I've ever used...

The problem with 2FA for me is that I am underground for a good part of my day, without reception.

I use google voice to get notified of calls and voicemails so I can be fairly responsive, but obviously using another service that can be accessed in multiple places defeats the point, especially when owned by the same people.

You don't need reception for 2FA; Google Authenticator and FreeOTP work fine even in airplane mode, if you have your phone / tablet with you.

Yeah, good luck on a windows phone.

If there is no existing offline OTP authenticator for Windows phone, FreeOTP is open-source. Perhaps someone will port it over: https://fedorahosted.org/freeotp/

Microsoft Authenticator works just fine with GMail :)

Confirmed! Though I had to go outside to get the initial pass code via SMS.

It does not seem like twitter supports this authenticator.

My email is on there, but the password is not the one I'm currently using. Though I wonder which site or sites I've been using this password on. Has anyone figured it out? I'm going to crosscheck with my saved passwords list in Firefox when I get home.

I tried it and it gave me a year old password. I am guessing they only got a hold of old passwords.

My Gmail was hacked a few years ago. This database showed the first two letters of the password I had at the time.

I had (stupidly) been using the same password on other sites, so after I was hacked i made a new password just for gmail.

Now I also have two factor authentication :)

It has a password for another site but not gmail.

Not sure which, but it isn't gmail.

The passwords seem to have come from somewhere else. My email is on the list, but the password is wrong and actually matches the one I use for throwaway accounts.

There seem to be enough people reporting this to do some correlation and figure out what was really compromised.

This leak is more likely a result of phishing attacks. So, if you have been (and still are) careful enough, your email should not be on that list.

It says mine is leaked too. But the two first digits of my password it gives me are not relevant with my password. What does this mean?

I don't think this is leaked from Google. Probably people just were using the same password for some other service...

My account was compromised a couple months ago. Google detected a series of logins from Poland, Lithuania and Oregon (probably botnets, which I think it rejected) and sent me a warning.

I expected my address to be there but it wasn't. Makes me wonder.

So my wife's is in there but the password it gives is from over a year ago.

Where the passwords at? Would make a good common passwords list for security testing.

EDIT: Not seeing the password list online, and below someone mentioned it showed an old password for them, so thinking someone is making this up.

Interesting, the password associated to a secondary Gmail account of mine turned out to be not for Gmail login but for a Friendster.com account from years back that used it as user ID.

My older account (8+ years) was leaked but my more recent one (4+ years) was not.

EDIT: This was good to find out because I did not have 2 factor auth on my older account as I hardly use it anymore.

I found my email there, but the first two letters are of a password that I have never used with gmail (it is a disposable password i use for uniportant sites)

I was on the list and now I got a Facebook password reset code to my phone, without asking for one. Someone already seems to be trying to use the passwords.

My email address was there but "your first two symbols" listed there was wrong. Is that first two symbols hash of my password?

Based on the two letters of mine, I have a feeling that it's from a BB forum crawl or similar.

Two-factor authentication looks more appealing then ever. But first go to www.gmailleak.com make sure your account was not compromised.

I just tried it with an old account. It correctly gave out the first two letters of existing password

Luckily, 2FA was already enabled.

It has passwords collected from other sites, at least from heroesofnewerth.com

That's one more example against password reusing.

Interestingly enough fuck@gmail.com is an email address.....grepping the email list txt file is ahhhmazing

Quite a few of the leaked accounts also appear to be using SoundCloud. Could this be related?

Sites should stop storing plain text password

can anyone talk about how this site works and where they get the list of leaked email address from ?

grep admin google_5000000.txt -c 1019


checked the plain text list against against 20 of my contacts, and nothing matched

Site is down right now :(

It's nowhere near advisable for anyone to submit their address to that box.

Notwithstanding the questionable reliability of this what is meant by "leaked"? a trove of phished credentials does not really qualify as a "leak".

I just tried it with my old Gmail account that I no longer use, and it displayed the first two letters of my password. The password was random letters and numbers, 16 characters, so not easily guessable. Seems legit to me :-)

"If you don't like to specify your full email address for any reason, you can replace up to 3 characters with asterisk sign (e.g., for myaccount@gmail.com enter myac*nt@gmail.com), thus we'll show you a count of matches for this pattern. We respect your privacy."

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact