A list of almost five million Gmail addresses and passwords culled from various websites was posted on a Russian online forum Tuesday.
Mashable and other technology news websites reported that the leaked passwords are not necessarily those used to access Gmail accounts but seem to have been compiled from other websites, including some where Gmail addresses were used to register.
Several internet security experts who examined the leaked list, which was posted as a text file to the Russian online forum Bitcoin Security, reported on Twitter that the passwords appear to be several years old.
Danish cybercrime specialist Peter Kruse of the CSIS Security Group tweeted that the leak "likely originates from various sources" and that most of the leaked passwords are more than three years old.
'We've protected the affected accounts and have required those users to reset their passwords.' - Google Online Security Blog
Google, which operates the Gmail email service, said in a post on its Online Security Blog that less than two per cent of the username and password combinations posted online "might have worked."
"Our automated anti-hijacking systems would have blocked many of those login attempts." the post said.
"We've protected the affected accounts and have required those users to reset their passwords."
Google said the leak was one of several so-called credential dumps — the posting of lists of usernames and passwords online — that the company spotted this week.
The leak was first publicized in Russian online forums and media, including the popular technology website CNews, early Wednesday and then on a Reddit discussion forum.
Not a security breach, says Google
The leak does not appear to have been the result of a Gmail security vulnerability, and not all of the leaked email addresses were Gmail addresses — although the bulk were.
"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," Google said in its blog post. "Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials."
Software specialist Troy Hunt tweeted that about 123,000 of the approximately 4.78 million leaked addresses were part of the Russian email service Yandex. Addresses from the Russian-based service Mail.ru also appeared on the list.
Yandex and Mail.ru were hit by a separate hack earlier in the week that leaked millions of user addresses, the Russian news network RT reported.
Hunt runs the website Have I been pwned? which allows user to verify whether their data has been compromised through a breach and was in the process of importing the leaked list Wednesday afternoon in order to make the data searchable.
Those worried about the leak can also use the Russian site Is Leaked? to verify whether their Gmail addresses are on the list.
Several security experts said Tuesday's leak was a reminder to internet users to use a two-step verification system when signing into Google services, change passwords frequently and not use the same password across websites and services.
The technology website The Daily Dot reported that Google and Yandex told CNews that the leak was likely the result of years of phishing and hacking efforts but that those did not compromise the companies' databases.