Millions of IDs and passwords were leaked online yesterday

Sep 10, 2014 13:23 GMT

A massive database of usernames and passwords was leaked online yesterday on a Russian forum. The trove of data contains details belonging to nearly 5 million Google users and gives access to Gmail, Drive and basically everything tied to a Google Account.

The passwords that were listed on the forum were in plain text, which means that the encryption had been broken, making it easy for anyone to take over an individual’s account.

The passwords have since been deleted by the forum admins, but the data is still out there somewhere. If you want to see if your account is in danger, you can visit the ileaked.com website, which went through the data and offers people the opportunity to search and see if their accounts are now vulnerable.

Changing your password

Regardless of whether the site returns a yes or no answer, you should probably take a look at your own account and make sure that the security around it is up to par.

First off, you should probably change your password. To do this, go to your Account and open the Security tab.

Google has started to recommend that users pick pronounceable passwords to make them easier to remember, even though that may not always be the best solution security-wise. If you swap a few letters here and there, however, it should be quite ok.

You should also remember to use both capital and lower case letters, numbers and various dashes, hashtags and signs you can find on the keyboard. This will instantly increase the security level of your password and make your account that much safer.

As you go through the process of replacing your password, you’ll have to provide the current one and the new one as well. Google will ask for 8 characters and will tell you, as you type, if your password is strong enough.

You should also make sure that you don't use the same password for multiple accounts.

Two Step Verification

If you really want your account to be safe, you should enable two-step verification. Google takes things pretty seriously so your account should be quite safe. Unlike other services, Google will ask for this step to be taken every time you use a new computer, use a different IP, or even when it detects that you’re much farther away from where you usually log in.

You can set it up to send verification codes to a phone number that you use. These can be sent via text message or you can get a voice call. Alternatively, you can use the Google Authenticator app which you can find in the app stores. It provides unique codes that are only available for a limited time period.

You can add some backup options for when your primary number is unavailable, such as the one of your significant other, or a friend you trust. There are also 10 backup codes that Google generates for you and that you could write down and use in case of emergency.

Beware of phishing attempts

It’s still unclear exactly how the hackers picked up the data that was leaked, but chances are very slim that the Google servers were hacked because inside Google’s servers data like passwords are encrypted, whilst the leaked information is in plain text.

This means that the passwords were most likely picked up during lengthy phishing campaigns. These are more often than not emails that appear to be genuine.

If you receive an email from Google telling you that you should change your password, you should not follow the link inside the message. The safest way to do this is to go to your Google account and change your password directly from the settings area any time this is needed. This applies not only to Google, of course, but to all online accounts.