It’s good news/bad news time. The bad news is that someone got his or her hands on nearly 5 million Gmail addresses and corresponding passwords and made them all public. The good news is that even if your Gmail address is on the list, the password may be too old to merit much concern.
The Russian tech blog Habrahabr theorizes that the leaked Gmail addresses and passwords were most likely compiled through phishing scams, use of weak passwords and other common compromises, not as a result of a hacked Google server. Similar databases of email addresses and passwords from Yandex and Mail.ru, two popular Russian-language services, were made public earlier this week.
You can use a site called, appropriately enough, “Is my email leaked?” if you’d like to check the status of your Gmail, Yandex, or Mail.ru account. The site itself is safe, and you can even give a shortened version of your email address with asterisks if you’re concerned.
Earlier today (Sept. 10), Australian security researcher Troy Hunt tweeted that he’d soon be adding the Gmail addresses to his own haveibeenpwned.com compromised-email checking website, which aggregates the results of large password dumps.
Based on an informal poll of the Tom’s Guide New York office, not that many people seem to be affected by this data dump. This makes sense when you consider that Gmail has more than 500 million users and the password breach affects fewer than 1 percent of them.
Even if you’re one of the 5 million affected, you may not have to worry. Many of the passwords on the list are outdated, some by as long as three years, tweeted Peter Kruse of Danish security firm CSIS. If you change your password on even a semi-regular basis (as Gmail recommends), cybercriminals most likely have no way to access your account or personal information.
If your account has been compromised (or even if it hasn’t, and you want to be safe), change your Gmail password to something totally different, and consider adding two-step verification to your account. Otherwise, just remember that password breaches are relatively common but also tend to get overblown in mainstream-media coverage.