Millions of Gmail accounts said to be impacted by data breach

A Russian hacker is apparently claiming to have obtained hundreds of millions of login credentials for various email services. While the single-largest set of data appears to have come from Mail.ru, details from millions of Gmail, Microsoft, and Yahoo accounts are said to be part of the breach.

The data breach was uncovered by Hold Security, according to Reuters:

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

In total, it appears that 40 million Yahoo Mail credentials were compromised, along with 33 million Microsoft accounts, and almost 24 million from Gmail. Thousands of these accounts are said to belong to employees of major U.S. companies.

Now might be a good time to change your password, and perhaps enable two-step authentication for your accounts.

More: How to set up Google two-step verification

126 Comments
  • Time to change password
  • Thanks for running this article. And the helpful link too. I changed my password and set up the second security layer.
  • If you don't use TFA, then you're going to be SOL!
  • TFA- the force awakens, yeah!!! N5x on Fi Network here
  • If that entails getting awkward acting and implausible force attunement progression, that worries me.
  • Is TFA supposed to be TSA?
  • TFA is two factor authentication. Posted via the Samsung Galaxy Note 3
  • Quite obviously this is idiots sharing passwords across multiple sites. Anyone dumb enough to do that doesn't know what TFA is.
  • That's not true. I do both things depending on the specific account.
  • When I was flashing a Helio over to MetroPCS some years ago, I discovered a webpage that displayed the unencrypted passwords of anyone whose phone used the same service. Literally, refreshing the page would give you 10-20 accounts and passwords... I'm guessing this is a similar type of situation.
  • Too lazy to spell two factor authentication? I get sick of this crap, like I can't even read anymore.
  • Any details on how these accounts were hacked? By hacking into MS, Google etc. servers, or by spamming/phishing users?
  • It said Mail.ru Posted via Techmology
  • Dumps from compromised services that were checked against these services for duplicate user/password combos, according to the folks talking about it on some infosec IRC and dark forums.
  • This is like the most casually clandestine comment ever.
  • So not a new breach, but rather somebody taking previously compromised credentials and testing them against other services to find reused passwords? If so, there's no risk as long as your Gmail password is unique.
  • Phew it is. I don't share my Google account password with any other account or website. I must have missed that part in the article.
  • You didn't miss anything, this article is nothing more than embarrassingly bad click bait, and the reason they have earned 6 months of ad blocking from me
  • That's disappointing. I expect that sort of thing from Cnet but not AC.
  • In today's world, expect this from AC, CNET, Engadget, Phandroid, Android Police and what not.. They all have click bait type of headlines ...
  • Money talks. Posted with my LG G4 6.0 via the Android Central App
  • So, if I don't use my gmail password for anything else, I'm fine?
  • Oh my god no..someone from Russia tried to log into my Facebook at 4am today! Shi* I'm actually really worried now..
  • Are you re-using your passwords across different sites?
  • Yeah, there's probably like over 50 accounts, how am I supposed to remember the password? Sometimes it's different variations of the same thing, but I change it up for really important things. But still, yeah.
  • A great tool to answer the problem of forgetting passwords is a password manager. In addition to that, since I don't have to keep passwords in my head, it enables me the freedom to generate very strong passwords for services like my bank (i.e., long strings of random characters).
  • try using lastpass
  • You can use Norton's Identity Safe Password Manager along with countless other free password keepers.
  • To make it easy for yourself, try to use the service name followed by a string that you can remember, like your phone number or anything similar, for example
    "gmailhellome12345"
    "outlookhellome12345"
    This is for sure not mine, but just to show it to you.
    Easy to remember yet still different. Posted via the Android Central App
  • Except if any of those passwords are compromised, the pattern is incredibly easy to figure out. You might as well drop the beginning part and just use the same password for all the good it does for you. The only way that works is if you develop some type of nickname for each service, but even then it's more vulnerable than using a few strong passwords or a password manager.
  • That's very clever, why haven't I seen this before?
  • KeePass is another great and free password manager/vault. Been using it for years on various OS.
  • I read online a useful strategy for managing passwords across sites. Take the first and last letters of the website/app/service and put them on the ends of your password. iMore would be "iPassworde". Your passwords are then all the same but all different.
  • More like millions of passwords phished from people or from other dumps... I highly doubt that Gmail (or any of the other services) were actually hacked. The linked article mentioned them being sold for a single dollar. If this were a legit hack it'd be worth way more...
  • That's my first thought. Hacking Google's Gmail servers wouldn't be something some script kiddy phisher could accomplish. Seems more plausible Mail.Ru's games accounts were compromised and that some Gmail accounts used as logins were obtained. No Gmail passwords though.
  • They might want to lead with that next time.
  • I recently changed all of my passwords ... Posted from my Nexus 6.
  • Good for you man, good for youuu
  • I too changed my passwords recently, it is wise to change up your passwords every 6 months or at least every year
  • This is so interesting. I almost installed the Mail.Ru app over the weekend. Time to change passwords...hurray for LastPass!
  • Unless you know Russian your account has been locked out. I don't remember what my registration info was either. Posted via the Android Central App
  • I have not changed my password in 2 years. I guess I will now change it and have to log into everything again, and I also have to change my Microsoft email account password too. Posted from my Moto X 2nd gen and my Nexus 9 both on Android Marshmallow
  • K.
  • How was the hack orchestrated? That's the key for me, and if you don't use TFA you should do so now. Posted via the Android Central App
  • What is TFA?
  • Two Factor Authentication
  • Two Factor Authentication
  • Two Factor Authentication
  • Two Factor Authentication
  • I'd say Two Factor Authentication but looks like that has been covered. :)
  • Two Factor Authentication
  • Trans Female Agender #TeamFrosty Nexus 6P
  • This answer is hip, lol.
  • Ditto Posted via the Android Central App
  • Ditto Posted via the Android Central App
  • Continuum Transfunctioner Posted via the Android Central App
  • It sounds like they haven't hacked into gmail, but may have harvested gmail passwords from mail.ru accounts. Is that correct? If that's the case, then if you haven't used mail.ru your Gmail account shouldn't be compromised.
  • Sounds like that but I highly doubt that 24 million Gmail users also have mail.ru accounts with the same user name & password.
  • It's very unlikely that passwords are stored unencrypted by these three companies though, so a direct hack shouldn't yield the passwords...they must have come from an insecure source.
  • According to Jerry's comment above, "Dumps from compromised services that were checked against these services for duplicate user/password combos, according to the folks talking about it on some infosec IRC and dark forums." To me this sounds like you are vulnerable if:
    1) You used mail.ru AND
    2) Your username and password on mail.ru were the same on another service.
  • +1
    That's the way I understood it too
  • No official statement from any of the companies? I assume that means they were somehow phished rather than actually obtained by hacking into the companies? Thankfully I don't reuse passwords but I think I'll hold off changing mine for now until I get a little more info.
  • I tried the two step authentication and it was a pain to set up after having to rebuild my phone.
  • Is it that hard to scan the code from the web after a format?? It's not the easiest, but it literally takes 1 min to set up after a format.
  • That's not the issue. If your phone with the authentication thingy on it becomes inoperable, unless you have a backup method it's going to be very difficult to move it to another device. Blackberry Priv
    Nvidia Shield "Portable"
    Sony Xperia Z3 Tablet Compact
  • Google makes that pretty easy, thankfully. I have a printed set of backup codes stored somewhere where I can easily reach it in case my phone is borked.
  • Just use Authy Posted via the Android Central app on my Nexus 5X with Project Fi
  • Never mind
  • It might be a pain for the set up but it is worth it.
  • Use Authy. Then your authentication accounts are cloud-backed up (but encrypted by your password), and accessible via the Chrome app on computer. Made it super easy.
  • Damn!!! Panic mode!
  • Only if you have a Russian gmail account Posted via my LGG4 using the Android Central App
  • If you have TFA set up with Gmail, still necessary to change PW? Just curious...
  • May not be necessary, but it wouldn't hurt. As someone who uses TFA myself, I also use a password manager, so changing passwords is a no-brainer. Posted via the Android Central App
  • Stuff like this makes me glad since all the annoyance from doing 2 factor has paid off
  • Only 1 in 200 username/password combos (0.45%) are new (i.e. not disclosed in a previous breach report). Essentially, this is just largely a compilation of previously disclosed information. Sounds like more hype from Hold Security than anything truly alarming.
  • Now is the time I wonder if Hold Security sells any malware product that will of course save the day in this global crisis..... Call me a cynic..
  • Is there a way to see if my email is on the list?
  • Just change your password.
  • Yep. I got 2FA requests today (text and calls). Time to change passwords!
  • Whoa! You mean you received requests but not to aid you to login in? (I mean 3rd party other than yourself was trying to login to your account, then 2-step auth came in to play and sent you codes to login, then you learned someone was trying to login?)
    If so, thank goodness for TFA!
    It did exactly what it's supposed to :-D Happy I have it enabled.
  • Yep. Freaked me out. Got a text with my Google code. Was confused. Then a few minutes later, got a call. Voicemail was the automated "here is your code" from Google. I called my wife and asked her if she was trying to get into my Google account and she said no. Within the hour I changed my password to a ridiculously complicated one. Pretty scary actually. Had it not been for 2FA, my Google account would have been toast. My email is pretty basic (I actually bought a Gmail invite on eBay before it was available to the public a very long time ago lol) so I'm surprised it took this long for someone to try and steal it. I get a ton of misdirected email as well. That's always fun, being on a huge work chain that has nothing to do with me. And someone out there thinks I'm a soccer mom. Always getting stuff about mom meetups about kids' sports lol.
  • Yeah, I think my heart would race! Freaky indeed! Good thing you picked up on it.
    *thumbs up*
  • TFA and a password manager to ensure that you don't use the same passwords across multiple sites... Makes sleeping at night much easier. It's not as difficult as some would like to believe. I actually prefer it. Long gone are the days of having to actually remember passwords. Cut/paste, and once in a blue moon reestablish TFA when you reset your router if you don't have static IPs set up. If ever you have to reset your password, it's easy peasy. Posted via the Android Central App
  • I use TFA and have different passwords for every account, and don't use a password manager... I use an algorithm to produce a unique password for each site. I start with a nonsense sentence, and use the first letter from each word, and mix case. The previous sentence would produce iSwAnSaUtFlFeWaMc. Then look at something like the first and last, or middle letter, first two letters, etc. of the site for the new account, say "al" for "androidcentral." Then make a play on the number of letters in the site (14 in this case), and multiply it by something (to get 42). Now pick a way to combine these into a password: al42iSwAnSaUtFlFeWaMc. For sites that require it, add punctuation in the same place. And so on until you have enough random crap in there to make it secure, but the pattern is easily remembered. So, now I would just use iSwAnSaUtFlFeWaMc as a base, prepend site name length times 3, and prepend first and last letter of the site. Now my wife and I automatically know every password we use. The Google password would be ge18iSwAnSaUtFlFeWaMc. Facebook would be fk24iSwAnSaUtFlFeWaMc.
  • I applaud you for your diligence. Impressive really. But dayum... At some point don't you ever think "Maybe I'm putting too much into this?" Granted, your method would be uncannily difficult to see a pattern in, but it's a pattern nonetheless (granted nobody in their right mind would even consider it). I'd sooner let another tool do that work for me. Not criticising... but that's a lot of work. And I don't know how conducive it is to regularly changing passwords.
  • Yes, but how do you remember your nonsense phrase on which all of this is based? I can't even remember my fake security answers. :S
  • Looks like it might be time to go off the grid. We hear all these promises of how these services are safe and secure then stuff like this happens. Dam It Feels Good To Be A Google Gangster
  • Where did you go Ace?
  • I've been around. I spend a lot of time on Google+ doing the Android thing. Dam It Feels Good To Be A Google Gangster
  • The resolution hasn't changed, don't use the same, simple password for your logins and you won't be susceptible to this "hack."
  • I already have TFA so I'm good. Hopefully this 'hack' isn't as bad as claimed, but better to be safe than sorry. Posted via the Android Central App
  • I'd be willing to bet that at least 80% of the compromised accounts are probably professional spammers who use the same login credentials across the internet. Good luck filtering through those. The rest being idiots who visit shady sites and/or are too dumb and reuse passwords. Posted via the Android Central App
  • I was long due for a password change, so now's as good a time as any. Posted via the Android Central App
  • If you use the 2 factor authentication, what happens if you lose your phone or it gets wrecked? I looked into using it a while ago, but I don't have a different number to use. Posted via the Android Central App
  • You can have an email sent, among other options...
  • Each service is a little different, but most will provide either a single or multiple recovery codes that you can print and store in a safe place as a backup if you lose the phone or cannot operate it for some reason. Google at the least also offers several layers of backups including voice calls or sms to authorized numbers, FIDO U2F keyfob support, and 8 single-use backup codes.
  • For gmail you can print off recovery codes. I keep one in my wallet with nothing else on it.
  • Sorry, I'm old and don't know what mail.ru is. Is that an app? If I haven't used mail.ru, am I safe?
  • That's just the Russian ending version of Gmail. Some emails are .com others are using country endings (like Russia .ru, Canada .ca, etc) Posted via the Android Central App
  • Never had a Mail.ru account but today my Facebook account got blocked after a suspicious login attempt from Istanbul, Turkey and I am in Brazil. I already changed my FB password, now I guess it's time to change Google and Microsoft ones too.
  • I used TFA for quite a while already, so I should be largely okay. Still, probably a good time to change my password.
  • I just use an extremely secure password one of my PW managers auto generated. TFA has been EXTREMELY cumbersome for me so I don't really use it, even the new one... This phone has the AC App.
  • I use TFA on all my accounts for this very reason. Posted via the Android Central app on my Nexus 5X with Project Fi
  • This just solidifies my reasoning why I pay for email through Thexyz webmail these days.
  • TSA is a pain in the butt to me this morning. I just changed my passwords and enabled Two-Step-Authentication, but only am using ONE recovery number. Google sent me multiple codes, but now NONE of them work because I CAN'T log into ANY of my email addresses! THIS IS a BUG for GOOGLE. They need to stop disabling the very newest code and keep it registered indefinitely. Another reason TSA is bad. I can't use the Account Recovery page either because I CAN'T get a NEW code sent to me.
  • I use one password phrase with my SSN. :p in random order. For other sites like this I just use a basic password. posted from that app.. Moto x
  • I'm safe. Nobody ever guesses P@55w0rd. Ever.
  • I really expected more from Android Central than the scare tactic everyone else is using. All the headlines make it sound like these services were hacked. Yes, the story clears it up a bit if you read it all, but I expected AC to help bring some rational thinking to this mess. What really happened, in layman's terms, is other sites got breached and the password and email you used for those sites was exposed. So yes, if you use the same password for IAMANIDIOT.com and your Gmail, then yes, you may be affected. If you use different passwords or 2 Factor Auth then you have little to nothing to worry about. You don't just make all your locks the same as the lock for your front door so you only have to carry 1 key. If you all take anything from this it should be to at the very least stop using your easy to remember password for no-name sites, but really just use a password manager like LastPass and have different random passwords for all your sites.
  • I got an email last week from Amazon indicating that an email I use was on a leaked list, but that there was no issue specifically with my Amazon account. They forced me to reset my account password just in case I might have used the same password as the listed email. It makes sense to me now. Posted via the Android Central App
  • Go ahead and read all my spam mail
  • More like go ahead and log into all things google. Your photos, email, calendar, contacts, youtube account, music account, google keep, location history, all of it. It's pretty scary how much personal data is tied to your gmail password. I'm happy you are not worried about it, but you really should be. It's literally yourlife.txt if you use Android.
  • Just thought I'd add to the convo, knowledge is power and all. Wired posted a pretty decent article, released today, on locking down your online security. https://www.wired.com/2016/05/password-tips-experts/ It's definitely worth a read. It sheds some light on habits people form thinking they're keeping data safe but in reality have little to no impact, and some of the practices that should be followed when setting up/changing passwords. Cheers everyone.
  • I use 2 step authentication but there is typically no difference between Gmail log in credentials and one's Google Account log in credentials. Sigh. Time to change my password....again.
  • Two Step Verification ..
  • This is exactly why I don't use any other mail service except for Gmail to log into my account. Because your Gmail password goes across so many of your Google services (if you use them). I find it crazy to get a 3rd party email app, no matter how nice it is, and give it your credentials because it may not be as secure as using the source itself. I sure wouldn't use my Gmail password on another account either, that's just dumb. The tip is not included! So tip your Uber driver.
  • As for Microsoft and Gmail, I highly doubt you have anything to worry about unless you get notified by them. Because both of them detect even the slightest difference in location or browsers, etc., to know that it's not you. They make it so the person has to confirm that it's really you. I have experienced this with both Microsoft and Gmail... going to another state and trying to view my email, it can be a real pain.
  • Only the device owners can create, edit, and delete a restricted profile.
  • So, mail.ru is hacked and then they try those names and passwords on Gmail and yahoo?
  • I've been using 2FA since 2013, so I'm golden.
  • No reason not to be using TFA. Use that and this kind of stuff does not matter.
  • Time to unsubscribe from from AC. The article resembles a hoax...evasive comments from AC. Further down the thread somebody mentioned "Clickbait" which confirmed my suspicions.
  • In what way is it clickbait, or resembling a hoax? Is the story true? Check. Is the headline sensationalist? Nope. It's not like the article was full of misleading information and carried the headline "ZOMG! GMAIL was h4x0r3d! Russia invades!!!"
  • Want to look at mine? Go ahead, somebody has to be an outright stupid freak to get off looking at other people's email. Maybe it is a good idea to just use a small service provider email acct that nobody cares about.
  • Don't re-use passwords, especially not your e-mail password. If using Chrome use this add-in from Google that will warn you if you type in your Google password anywhere else.
    https://chrome.google.com/webstore/detail/password-alert/noondiphcddnnab... Then start using a password manager like LastPass, combine it with a two-factor authentication method like a YubiKey, and you should be relatively safe. It works with your Android phone also to fill in your random password in apps, awesome.
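Several commenters above describe the mechanism behind this "breach" (credentials dumped from one service and re-tested against others) and one reports Amazon forcing a reset for an address found on a leaked list. The Python below is an added example, not code from the article or any commenter, of how a provider can run that same check defensively against its own hashed user store; the accounts, the combo list and the PBKDF2 parameters are all constructed for illustration.

```python
"""Added example (not the article's or a commenter's code): test leaked
email:password pairs from another service against our own hashed user store
and flag accounts the leaked password still opens. All data is constructed."""
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor for this constructed store

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(plain_accounts: dict) -> dict:
    """Build email -> (salt, hash) from constructed plaintext accounts."""
    store = {}
    for email, pw in plain_accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store

def parse_dump(dump_text: str) -> list:
    """Parse a constructed 'email:password' combo list: skip malformed lines
    and drop exact repeats (the Reuters piece notes the cache shrank markedly
    once duplicates were removed)."""
    seen, pairs = set(), []
    for line in dump_text.splitlines():
        email, sep, pw = line.strip().partition(":")
        if not sep or not email:
            continue
        key = (email.lower(), pw)
        if key not in seen:
            seen.add(key)
            pairs.append(key)
    return pairs

def triage(store: dict, pairs: list) -> dict:
    """Bucket each leaked pair: not_ours (no such account here), reused (the
    leaked password opens the account here -> force a reset), unique (account
    exists but its password differs from the leak)."""
    result = {"not_ours": [], "reused": [], "unique": []}
    for email, pw in pairs:
        rec = store.get(email)
        if rec is None:
            result["not_ours"].append(email)
            continue
        salt, stored = rec
        # Re-derive the hash for the leaked candidate; compare in constant time.
        if hmac.compare_digest(hash_password(pw, salt), stored):
            result["reused"].append(email)
        else:
            result["unique"].append(email)
    return result

# Constructed accounts of a fictional provider, and a constructed leak that
# supposedly came from a different service (note the case-variant repeat).
ACCOUNTS = {
    "alice@example.test": "correct horse battery staple",
    "bob@example.test": "hunter2",
    "carol@example.test": "Tr0ub4dor&3",
}
LEAK = """alice@example.test:correct horse battery staple
Bob@Example.test:hunter2
bob@example.test:hunter2
carol@example.test:password123
dave@other.test:letmein
a line without a separator
"""

def run_triage() -> dict:
    return triage(make_store(ACCOUNTS), parse_dump(LEAK))
```

Only the accounts in the `reused` bucket need a forced reset; `unique` accounts are exactly the case the thread keeps repeating, a leaked address whose password here is different.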