An archive file of 5 million Gmail addresses and plain text passwords has leaked online. Possibly 60 percent of the information is valid. Security experts don't want users to worry too much.
Much of the information posted to the Bitcoin security forum btcsec.com by username "tvskit" is three years old. Many of the leaked passwords also don't correspond directly to Gmail or Google accounts. Users registered on other sites with their Google addresses but used passwords different from the ones for their email accounts.
"We believe the data doesn't originate from Google directly," Peter Kruse, the chief technology officer of CSIS Security Group, told PC World. "Instead it's likely it comes from various sources that have been compromised."
CSIS is a Danish security company that provides cybercrime intelligence to financial institutions and law enforcement. The company confirmed at least five of the leaked address and password pairs were never used as log-ins for Gmail or Google accounts. However, CSIS did find much of the data legitimate.
"We can't confirm that it is indeed as much as 60 percent, but a great amount of the leaked data is legitimate," Kruse said. He thinks a single individual or group hacked the information, but that it probably came from outside Google.
"The security of our users is of paramount importance to us," a Google representative told PC World. "We have no evidence that our systems have been compromised, but whenever we become aware that an account has been compromised, we take steps to help our users secure their accounts."
A U.S. security firm revealed a much larger breach of Internet log-ins last month. Hold Security uncovered that Russian hackers had stolen 1.2 billion usernames and passwords and affected 420,000 websites. Hackers worked for years to collect the personal information databases, according to the security firm.