Google responds to Gmail password leak

After it was reported that a list containing as many as 5 million usernames and passwords from Google's Gmail users was leaked online, Google is responding by saying that its servers would have blocked suspicious log-in attempts. Noting that only 2 percent of the password and username combos would work, Google says it has protected affected accounts.

"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," the search giant said. "We've protected the affected accounts and have required those users to reset their passwords."

Google said that if it notices anything unusual with your account, it would block sign-in attempts from devices and locations that are unfamiliar.

Still, as with Apple's high-profile iCloud fiasco that resulted in leaked nude images of celebrities earlier in the month, Google says that its leak is not because of a security breach and that these credentials were obtained through phishing, malware, or other means.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google emphasized. "Often, these credentials are obtained through a combination of other sources."

Are you a victim of having your password compromised? Did you change your password following this morning's news?

Source: Google

Chuong H Nguyen
87 Comments
  • People need to stop clicking on every hyperlink they see on their email. ...and first. Posted via the Android Central App from my LG G3, the "Gold Standard" of Android. Nothing else matter, period. Take that richard!
  • Exactly! People aren't using common sense sadly. :/ Posted via my HTC One M8
  • I converted the last of my many Gmail accounts to two factor authentication just last week. Once I found that the Google Authenticator app could handle multiple accounts I did them all.
  • Same thing I have going.
  • Yeah, I've never had it on... but just did yesterday as a precautionary measure. My password is pretty secure, but I DO use it in other places </shamed>
  • I'm embarrassed to mention I didn't know the Authenticator app could handle multiple accounts. Thanks!!!
  • I am using Google authenticator for last pass. Will also be doing that for my gmail account. Posted via the Android Central App
  • They need to make it simpler though, like a one step set up and a one step use like the regular process so everyone will use and set up. Not everyone understands the point and use of them, but it should be mandatory and built in, instead of being just an option, imo
  • I changed mine about a month ago after Google sent an email to my backup account saying someone in IRAQ was trying to access my account. And common sense is needed, especially when Apple iPhone users convert to Android. Posted via my $10 a month Unlimited talk & text FreedomPop Galaxy S III
  • Yeah I changed mine when someone across the country was attempting to access my account, it was months ago. Posted with my Nexus 7 2012 or Moto X via the Android Central App
  • Someone in Iraq??? That is scary as hell. Are you connected to ISIS? The FBI could be watching you right now.
  • What? That's quite the escalating comment. How do you arrive at that line of questioning? Posted via Ash Williams Boom Stick!
  • When do people ever use common sense? Sadly.
  • Is it me or every time there is a problem at Apple some Android news has to come up later in the same realm? Like when some iPhone batteries were bursting into flame on a plane, it wasn't even a week or two later that some Samsung phone burst into flames. Like that happened twice, and on the Android story it was found out that they probably were messing with the battery contacts, so I'm not surprised that all of a sudden there's some weak story about passwords getting out. Phishing scams have gone on for years, people get affected by them 24 hours a day 7 days a week. It's just interesting that it somehow made the news a short time after Apple had issues with iCloud. People's passwords are compromised every day because of doing stupid things. This is nothing new. This just puts FUD in people's minds. And I'm not crazy. I guarantee you the next time Apple has some type of issue that could put fear in people's minds as to the security or quality of their products, within a few weeks, there will be some story leaked against an Android device, no matter how weak, showing them to be just as bad. Just watch and wait. It'll happen with Microsoft phones too, if they suddenly have a security problem there suddenly will be a release about Android security within a few weeks. Posted via Ash Williams Boom Stick!
  • It's as if all the sudden is the "it" thing.
  • Gmail is not Android. Posted via Android Central App
  • OK whatever. I'm just saying. It still has something to do with Google. But it doesn't really matter the fact is tons of tech companies get hit and they don't even have to report all of it, just a certain amount. Who knows how many times Visa or MasterCard has been hit. But they make so much money from fees and interest, they probably would never report how much money they've lost. There's no way they haven't been hacked. Everything online is open for business. Posted via Ash Williams Boom Stick!
  • Because bloggers and journalists are fanboiz, too.
  • Agreed, though keep in mind most people are ignorant as to how technology works. Posted via the Android Central App
  • I laughed but this is a serious matter. If mine wasn't written down I'd forget it. Upper lower alpha numeric no less than ten should be fine. Then again, is anything on the net!?
  • try last pass
  • +1 last pass is the best tool I've ever used. Well worth the $12/year for premium too. Posted via Android Central App on the Moto X
  • http://www.passwordcard.org/en I just leave a couple laying around. I know which to use and which pattern to use for each account.
  • 2 step authentication Posted via the Android Central App
  • +1 on LastPass if you use two-step. You need somewhere outside of Google and your phone to back up those emergency codes. Otherwise, you lose your phone and you're hosed.
  • After a while it just gets hard to believe anything Google/Android has to say about their security issues
  • What are you talking about? This security breach is most likely due to idiots who click on everything or use 1234 etc... as their password. If you have sensitive info in your email then you should get a harder password or use 2 step verification. Yea, Google might be lying but they offer ways to protect yourself. It's your choice to heed the warning. Posted via the Android Central App
  • Hey it's never my fault! It has to be someone else. I mean I should be able to have my password 12345 if I want to! I think I am going to sue someone!!!! (sarcasm)
  • That's amazing! I've got the same combination on my luggage.
  • No security breach
  • right, but this breach is not about gmail access only* we are talking about Google account, meant if someone got your email
    pass and user name they got into your Calendar, contacts, G+, settings, picasa you tube, drive, documents and whatever
    google apks sensitive info we have.
  • You're right, which is why (as has been stated) you should be cautious of where you enter your Google account info, and always use 2-step verification.
  • By the way, what security issues are there that you are referring to? Posted via the Android Central App
  • Don't feed the trolls. They're especially cranky lately.
  • This is merely survival of the fittest in the digital age... Hopefully younger generations have more common sense.
  • Have you met a twenty-something?
  • They're worse
  • For the most part yes they are. But I'm in my mid twenties and I am very security conscious online. I NEED last pass because my passwords are all different and contain every character known to mankind. Not to mention they are 20 characters long. On my Google account I have 2 step verification, so one would need physical access to my phone PLUS the password and username in order to log in. Posted via Android Central App on the Moto X
  • I'm twenty something. Please tell me how retarded I am. From my experience, the people with less common-sense I have met were under-16 or over forty. Posted via Android Central App
  • It's important to remember that those of us who visit and comment on sites like this represent a *tiny* percentage of the general consumer base of Android.  Let's say that there's 50,000 registered (and active) users on Android Central.  That would mean that we represent 0.005% of the 1 billion Android users in the world. So, when he says that 20-somethings are bad at security, he's really not talking about anyone here in any statistically significant way.
  • They don't/won't. There's nobody to teach it to them. Nobody has any sense, common or otherwise.
  • I would love to see this kind of thing taught in public schools. We need to bring back home ec, but instead of cooking and sewing, teach 16-year-olds how to not screw up their credit, how to manage basic online security, how to separate their online and offline personal lives.
  • +1
  • Agreed.  Basic digital literacy needs to be part of the core curriculum, at least at the higher levels of education.
  • Love me some 2-step verification. Posted via Android Central App
  • Preach!!!
  • Para-droid...changed mine anyway
  • I checked mine; it was 4 years old. Last year I started using lastpass so I can keep my passwords secure and different. 84 percent with my lastpass security check is not bad for 146 passwords.
  • Two-step is really the way to go, at this point.
  • Exactly. It works and is not a hassle.
  • Definitely not a hassle. Hell, I got my 60-year-old mom to use it as soon as she got her first smartphone a couple of months ago.
  • After reading several articles, at this point it looks more like they got e-mail addresses used as log-ins for web sites (which is pretty common) and the passwords were for those sites, and may not be current. It's not "nothing to see here, move along," but a larger reason we should see MORE sites use complex passwords and two-factor authentication (giant monster mega bank, can you hear me?). I checked all my Google accounts and my family's accounts and no weird activity (well, mine looks weird sometimes because I use a VPN service when on public WiFi, and my Mobile hotspot IP says I am in a different city).
  • Finally kicked me over to two factor authentication.
  • Been using 2 step for awhile now. Posted via Android Central App
  • Found one of my gmail accounts on that list. I quickly changed my password, it wasn't a stupid weak password, and it was used only on that account.
    Later I found the complete leak file, containing the passwords, checked mine and it was a password used on some old service or online game. I've never used that password on my gmail account. False alarm! I can't remember exactly which service/game was responsible for those leaked credentials.
    My login was that gmail address, and the password was one of my generic-disposable-passwords which I often used for signing up to services, online games, beta tests etc. Usually if I stick to the game/service etc. I change to a more secure and unique password.
    Edit: have some suspects:
    a couple of old online games, mostly Asian MMORPGs that I've never played more than once to test,
    and a forum about TV shows that I subscribed to only to access some content and never checked again. Found entries of that password mailed to me in plain text by those services, no wonder it was leaked.
    TL;DR - old password from 2007 from dead websites, never used on gmail.
  • It was basically the same thing in my case. A throwaway email with a throwaway password from another service.
  • Everyone do the 2-step. Yee-haw! Posted via Android Central App
  • All those saying that Apple Pay wasn't secure? Exactly. Apple and Google have secure services. Users just don't use their security.
  • "The biggest loophole is the meat sack"
    Not sure who said that, but it's true lol
  • Wow, so my email address was in there...I do have two-factor authentication turned on, at least. Haven't received a "change your password" notification from Google yet...
  • That didn't go well after activating 2 step my Droid Maxx won't access gmail and when they sent me the code it kept telling me it was wrong. Moto connect quit working JEEZ
  • Two factor... Ftw Posted via Android Central App
  • How are you guys checking if your email was on this "list"? Posted via Android Central App
  • I'm pretty sure isleaked.com will show you if your account is on the list or not.
  • I got the list from a Russian forum post that was trying to shop around for buyers. They posted the list sans passwords and were looking to sell the passwords list. ~100 MB uncompressed txt file. I'd post it if I knew where, since I don't really want to distribute it on my server.
  • Oh God... My email is on there......
  • I recently transitioned to a Microsoft account, I guess I did the move on time :)
  • Hey is Taboola dangerous? You know Taboola uses interface like news articles that you like. Damn I HATE Taboola. Does anyone know how to block Taboola?
  • If you're rooted and running an ad blocker like AdAway or if you have a blacklist in your hosts file, just add api.taboola.com to the blacklist. That worked for me. If you're not rooted I don't think you can edit the hosts file. I might be wrong though. Maybe someone else will chime in on that. From the DeathStar using my rooted LG G2
  • So I wonder how many "your Gmail account password was compromised, please click here to change your password. Thank you Gmail security team" phishing emails are gonna go out. Posted via Android Central App
  • I am not worried about this at all. I don't follow any phishing links in emails, I don't install anything suspicious, and if they did happen to get my password my Google account has 2 factor auth enabled. You need the temp key from the authenticator app on my phone to log in. Posted via Android Central App on the Moto X
  • I'm so glad I use the authenticator as an extra level of security for my Gmail account.
  • I changed password, got off my lazy butt and set up the 2 step. Posted via Android Central App
  • so I just wasted 5 minutes reading this post about Google passwords being leaked and there are not new celebrity nude photos? there goes 5 minutes I'll never get back.
  • As we say in the tech industry in Australia. It's a Carbon based problem. I Love My Mandroid
  • Hah, I like that.
  • Enable 2 factor authentication. Posted via Android Central App
  • 2 step verification, enough said Posted via Android Central App on GS5
  • I had a mostly throwaway email that was on the list, with a password that was shared with other accounts the email was used for (because I didn't care). I saw what my password was on the list, and with that and other evidence I've gathered, I can tell you two things:
    1) It's years old.
    2) It was most definitely a breach of another site (some forums, in my case) that shared the same password. Edit: Actually, the password was never even used for that throwaway email, so this is clearly a list from another service. IF some Gmail accounts were affected, it was because their Gmail account shared the same password as whatever service was breached.
  • I changed my password every 6 months Posted via Android Central App
  • I changed my password just a few weeks ago (and also some months ago following Heartbleed) so I did not change it this time. If I get a notice from Google I will.
  • Turned on 2 step verification through my desktop. But Android phone now won't connect or sync to any google services/apps. What am I doing wrong? Many instruction lists and steps for the setup, but not sure why I feel confused?
  • Think I finally got it sorted.
  • I just found out that my gmail is safe! I checked at www.gmailleak.com. Check your account before it's too late.
    Stay safe!
  • Just an FYI...if you activate 2FA...make sure you at least sign into a Google service (like GMail) on another device you own and get a code for that one too. Ran into an issue yesterday where I needed to sign into Android Device Manager to actually find my phone...and I realized I hadn't used 2 other devices since switching over to 2FA. (i.e. you can't rcv the code on your phone when your phone is lost LOL) Might not be a bad idea to have a backup phone number either.
  • For those who don't want to download the leaked list. Check out http://www.askingeasy.com/check-if-my-email-is-leaked to see if your email is in the leak.
  • I may have suffered here as I have received numerous emails and phone calls, in response to false invoices that have been sent to businesses throughout the UK, from my freelance design service.