Google Locks Down Stolen Credentials

Search Giant Says Its Systems Were Not Breached
Google Locks Down Stolen Credentials

In the wake of a list of 5 million stolen Gmail usernames and passwords appearing on the Internet, Google says it has locked down all affected accounts. The search giant says that it's detected no breach of its systems that might have resulted in the credential dump and suggests the information came from other sources.

See Also: Global State of Identities: Optimizing Identity Proofing

"We're always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers' credentials," Google's spam and abuse team says in a "cleaning up after password dumps" blog post.

The information reportedly first surfaced on Russian cybercrime forums, and was soon circulating via file-sharing sites and BitTorrent. "It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," the company says. "Often, these credentials are obtained through a combination of other sources."

Many of the leaked credentials appear to be at least three years old, and to relate primarily to U.S. and U.K. users, according to a Danish language analysis of the password dumps published by Peter Kruse, an e-crime specialist at security firm CSIS Security Group.

Google says most of the leaked credentials would have posed little risk to Google service users. "We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," the company reports. "We've protected the affected accounts and have required those users to reset their passwords."

Security experts have commended Google for quickly reviewing the leaked data and locking down at-risk accounts in the wake of the credential leak. "Kudos to Google for analyzing the contents of the password dump and releasing information in a blog post following disclosure," London-based Gavin Millard, who's the European, Middle East and Asia technical director at Tenable Network Security, tells Information Security Media Group. "Follow their good advice and use two-step verification for login, if you don't already, to protect your account."

Gavin Millard at Tenable Network Security discusses the credential dump

Leak Source Remains Unknown

The question of where the dumped credentials originated remains unanswered, although many security experts suspect they were amassed using a combination of phishing e-mails, botnet-backed malware infections on consumers' PCs, and hacks of third-party sites, all of which would have captured numerous credentials, not just related to Gmail users.

"The leaked passwords are more than likely from a larger cache, probably multiple ones, that an enterprising hacker spent a few minutes 'grepping' through for @gmail addresses," says Millard, referring to the Unix command-line utility grep, which can be used to search plain text for data that matches a given expression. "It's pretty common following a password dump that they are searched through for useful domains like corporate addresses for further exploitation."

If the dumped credentials didn't come from a breach of Google's systems, that means the leaked passwords associated with the Google usernames - which also function as Gmail addresses - were likely created for other sites. But because many people reuse their passwords across multiple sites, the risk now is that attackers could use the leaked credentials to log into any site at which a user registered using their Gmail address and the reused password.

"Internet surfers tend to use the same passwords for multiple sites. Although there are reports that some of the leaked Google credentials are multiple years old, there is still a great threat to user account security -­ how many people are actually changing their password on a regular basis, and how many other sites does a compromised user use the same password?" says Ryan Wilk, a director at anti-fraud firm NuData Security. "Hackers will test the stolen credentials on websites where valuable information can be gleaned, like those of banks and other e-mail service providers."

Confusion Over E-mail Subdomains

Based on a review of the credential dump, which was obtained by Information Security Media Group, the leaked data includes a number of e-mail addresses that include a plus symbol in the username, followed by a text string. That's led multiple commenters - on numerous Internet forums - to ask whether the text provides clues to the origin of the leaked data. Of the nearly 5 million leaked credentials, for example, 176 include "+xtube" appended to the e-mail username, 133 include "+daz" and 57 include "+spam." Other words that appear after a plus sign include "eharmony," "Friendster," "bioware," "freebiejeebies," "policeauctions" and "savage."

The text strings may not refer to breached sites, but rather users' shorthand notes. "Reviewing the dump, many have commented on the use of + after the username pointing to other domains that could have been breached. Personally I don't think this is accurate - or that the other sites mentioned have been breached," Tenable's Millard says. "It's more likely that when signing up for a service the users took advantage of the age-old hack of username+sitename@domain, part of RFC5233, to tag when e-mail was being received from the service being signed up for."

RFC5233 is a little-known Internet standard for e-mail subaddress extensions. As Millard notes, it allows people to add a tag to their e-mail addresses, for example, to make a note to themselves about the name of the site on which the address was being registered.

"It's something that people used quite a long time ago ... I can remember doing this probably 10 or 15 year ago, when we first started signing up to websites with our e-mail addresses to get further information," Millard says. "We were really concerned with people spamming us. Back then, you probably got five or 10 e-mails a day, and didn't want to be annoyed by spam, so you'd use this sub-addressing, it's called, 5233, to be able to tell that someone was sending you an e-mail."

Resources For Reviewing Dumps

For anyone who's concerned about whether their Gmail address was included in the leak of 5 million Google usernames, a number of sites are now offering to alert those affected. One option includes a free service from Danish endpoint security vendor Heimdal Security, which is owned by CSIS.

Millard, meanwhile, recommends the free Have I Been Pwned? service, which is run by software architect Troy Hunt, and which has recently been updated with the password cache. The service enables users to register their e-mail address and receive an alert whenever that address appears in a credential dump that's been indexed by the site.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.