Did Google Lose Five Million Gmail Passwords To Hackers? Depends Who You Believe


Here we go again. Time to think of a new combination of pet names/childhood crushes/meaningful numbers, because your Gmail password could've been compromised. Nearly five million Gmail passwords were leaked to a Russian Bitcoin site on Tuesday — but before you panic, Google has assured us that the threat may not be as serious as it sounds.

On Tuesday evening, a person with the username "tvskit" published a list of names on Russian Bitcoin security forum btcsec.com, alleging that over 60 percent of the information was current and valid. The list includes English, Russian, and Spanish subscribers to Google services like Gmail and Google Plus. The file also contained information on users of search engine Yandex, Russia's equivalent to Google.

Sounds alarming, right? But not so fast. After investigating the matter, Google representatives are claiming that many of the usernames and passwords on the list are outdated. Meanwhile, a Google spokesperson told Mashable that there was "no evidence that our systems have been compromised."

According to security experts, the passwords don't even seem to come directly from Gmail accounts. It's possible that they were gathered from websites where the user entered their Gmail address to register, but chose a different password for the process. Rather than a leak, the file looks like it was compiled after years of phishing and hacking.

So what's phishing, again? Phishing is when a hacker or scammer poses as a legitimate website and asks you for your personal information in an attempt to then steal it. For example, you get an email that claims to be from Amazon, saying your personal information needs to be updated.

The email includes a link that takes you to what looks like an Amazon page, where you're asked to enter your username and password. Once you do so, the scammer will have your login info and be able to access your personal information, which was up to date all along.

In order to avoid falling into this trap, here's what to look out for if you receive one of these "update your information" emails:

  • If the domain name ends with the website name, it's most likely legit (www.123.amazon.com is OK)
  • If the domain name ends with something else, then it might be a phisher (www.amazon.update-info.com is NOT legit)
  • If the URL contains an IP address, it is almost certainly a phisher
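The three checks above can be applied mechanically. The following Python sketch is an added example, not part of the original article; `classify_link`, `check_samples` and every sample URL other than the two hostnames quoted in the list are constructed for illustration. It goes one step beyond the list by requiring the match to fall on a dot boundary, so a name that merely ends with the same letters does not pass.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_link(url, expected_domain):
    """Classify a link against the domain you expect (e.g. "amazon.com").

    Returns "expected-domain", "other-domain", "ip-address" or "no-host".
    """
    # .hostname is lowercased and excludes any userinfo and port,
    # so only the actual destination host is compared.
    host = urlsplit(url).hostname
    if not host:
        return "no-host"  # e.g. a link pasted without "http://"
    host = host.rstrip(".")

    # Third check in the list: a raw IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass

    # First and second checks: the host must be the expected domain
    # itself or a subdomain of it. Prefixing "." forces the match onto
    # a label boundary; a plain endswith(expected) would be too loose.
    expected = expected_domain.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "expected-domain"
    return "other-domain"


def check_samples():
    """Run the checks over sample links (constructed, except as noted)."""
    samples = [
        "http://www.123.amazon.com/update",         # hostname from the article
        "http://www.amazon.update-info.com/login",  # hostname from the article
        "http://203.0.113.7/amazon/login",          # documentation-range IP
        "https://notamazon.com/account",            # same ending, wrong domain
    ]
    return {url: classify_link(url, "amazon.com") for url in samples}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{verdict:16} {url}")
```

A result of "expected-domain" only says the link points at the site named; it says nothing about whether the message itself is genuine.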

Want to know if your information is on the list? You can check with this easy tool. If you don't feel safe entering your data on yet another strange site, there's a workaround: The Mary Sue reached out to isleaked.com, which suggested substituting a few asterisks in your email address if you don't want to enter the whole thing. The email-checking site also gave assurances that it wasn't collecting email addresses.

But the safest bet would be to just change your password. Always combine lowercase and uppercase letters, numbers, special characters, and long, hard-to-guess words. And for the last time — don't reuse the same password in more than one place!
