A database of nearly five million usernames and passwords for Google accounts has been leaked on a Russian forum, but Google claims it is more likely the result of phishing attacks than a breach of its systems.
The database originally appeared on a Bitcoin-related forum earlier this week, with its uploader claiming around 60 per cent of the 4.9 million username and password combinations were valid. In its own analysis, Google has claimed that the figure is far from accurate. 'We found that less than two per cent of the username and password combinations might have worked,' the company has claimed in a statement on the leak, 'and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.'
Google wasn't alone in being targeted by the uploader: databases of 4.7 million Mail.ru and 1.3 million Yandex accounts, both claimed to be of equally low quality by the respective companies, were also posted on the same forum. All companies involved have the same advice: users concerned should change their passwords, including on other sites where the same username and/or password is used, while those on Google should activate the company's two-factor authentication system to provide additional protection against account hijacking.
Google's claim that the giant database was the result of information gathered by phishing attacks over a long period is believable, industry experts have claimed. 'While it does seem likely that the logins have been rolled up from older phishing campaigns,' Chris Boyd of security firm Malwarebytes told us in an emailed statement, 'it is a timely reminder to ensure everybody is using strong, unique passwords for all of their web services and making use of two factor authentication whenever possible.'