Panic as breached details of 183m accounts, including Gmail, emerge


Google has called for calm amid a frenzy of sensational reports suggesting a Gmail security breach is affecting millions of accounts.

In fact, the source of the hubbub is a massive collection of breached credentials and data — comprising 183 million individual accounts — being uploaded to data breach information website Have I Been Pwned. Most of it is not newly breached information. Here’s what you need to know.

A massive trove of (mostly old) data has been uploaded to Have I Been Pwned. Credit: iStock

So Google hasn’t been hacked?

No, the data is not the result of a security breach at Google. And the overwhelming majority of it is not new in the sense that this is the first time it’s been posted online.

When crooks steal data or credentials, it tends to swirl around the internet, being copied to various massive collections that can be used to automate attacks or generate insights. In this case, a researcher at cybersecurity company Synthient has pulled a huge amount of data together from various sources and then shared the data with Australian cybersecurity expert Troy Hunt, who operates Have I Been Pwned.

Posting on X, Google said many online reports were false, and Gmail’s defences remained strong.


“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform,” it said.

“Users can protect themselves from credential theft by turning on two-step verification, adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this.”

Why was Google singled out in these stories?

The 183 million accounts represented in the data are not all from Gmail, so its singling out does appear to be the result of a misunderstanding. Many articles, headlines and social media posts say explicitly that 183 million Gmail accounts have been breached, which is not the case.

In a post last week Hunt described his process of verifying the breached data, which included reaching out to people through the emails listed. Some articles have used this to say that the 183 million accounts have been verified, which is also not the case.

While Synthient and Hunt posted discussing the data last week, the online frenzy of articles and search traffic appeared to begin late on Monday, and may have been triggered by an accurate report on Forbes.com.

What exactly does the data contain?

Hunt received 2.6 terabytes of data, comprising 23 billion rows of credentials. But despite these huge numbers, the exposure of the data isn’t necessarily catastrophic.

Some of the data comes from stealer logs, which are the output of malware that has infected computers and reported back web addresses, emails and passwords. There’s a large amount of repetition in these logs, so it takes some analysis to decide whether anything is new or current.

Hunt said that from a sample of 94,000 entries, 92 per cent had been found in stealer logs previously. Across 183 million accounts, that still means there are millions of email addresses in this data that haven’t previously been marked as compromised.

Other data comes from credential stuffing lists, which criminals use to attack services where users may have re-used passwords. So, for example, they could take a password associated with your Vietnam Airlines account and try it with your PayPal account.

What is Have I Been Pwned?

The data breach information website has been around for years and has become a go-to resource for finding out if your credentials have ended up in the hands of criminals. Hunt collates huge amounts of data taken from breaches into the system, allowing users to search through it without further exposing the damaging info. You can enter your email address or password to check if it’s listed in any breaches.

Have I Been Pwned also offers a service that will alert you if your email address appears in any data breaches, and an API businesses can use. Several providers of password management software use this API to automatically check user passwords against breached data.
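As an added example (not code from the article, from Have I Been Pwned or from any password manager), here is how a client can check a password against the Pwned Passwords data without sending the password itself: it sends only the first five hex characters of the password’s SHA-1 hash to the public range endpoint and matches the remaining 35 characters locally. The range URL and the “SUFFIX:COUNT” response format are those of the public Pwned Passwords API; the response body below is constructed so the example runs offline.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint (the client appends the 5-char hash prefix).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the 5-char
    prefix that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated) into {suffix: count}."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if absent). Only the hash prefix ever reaches fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real HTTPS lookup of one hash prefix (not called in the offline demo)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_fetch(prefix: str) -> str:
    """Constructed stand-in for the HTTP call: returns a made-up range body
    that contains the suffix for the common password 'password' (count is
    invented) plus two filler suffixes, regardless of the prefix requested."""
    _, pw_suffix = sha1_prefix_suffix("password")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{pw_suffix}:9545824",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])


if __name__ == "__main__":
    print("password ->", breach_count("password", constructed_fetch))
```

To check against the live corpus, pass `fetch_range_live` instead of `constructed_fetch`; the password still never leaves the machine.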

What should I do to stay safe?

Just because you have a Gmail address, it doesn’t mean you’re at risk from this data breach, since there are billions of Gmail users. But it doesn’t hurt to check your address at Have I Been Pwned.


It will let you know if it’s found in any breach collections (the latest one is called “Synthient Stealer Log Threat Data”), so you can see what other types of data might also have been stolen.

It’s a good idea to change your password at any service where your email is found, and to activate multi-factor authentication (MFA) if possible.

As always, it’s poor digital hygiene to re-use the same password twice, and important services like email and banking in particular should have unique strong passwords, or be moved to passkeys or other MFA.
