5 million gmail accounts compromised
September 10, 2014 11:35 AM   Subscribe

Last night, a hacker posted a text file on a cryptocurrency forum in Russia which contained 5 million Gmail accounts and associated passwords. It's probably time to change yours again.
posted by Chocolate Pickle (93 comments total) 18 users marked this as a favorite
 
Judging by the number of account names that are not available, 5 million is a drop in the bucket.
posted by goethean at 11:39 AM on September 10, 2014 [1 favorite]


One of my emails was in there, but the first two letters of the pass did not correspond to any password I've ever had. Changed the pass anyway, but still.
posted by Sticherbeast at 11:39 AM on September 10, 2014 [1 favorite]


The link to check your gmail account provided in the story is throwing a 502 error whenever I try to check mine.
posted by Thorzdad at 11:40 AM on September 10, 2014 [1 favorite]


Other coverage I've seen suggests that the list is compiled from other hacked sites, where people have provided their gmail addresses during registration - so the password is for the hacked site, not for the gmail account. Has this been debunked?
posted by dvrmmr at 11:40 AM on September 10, 2014 [1 favorite]


Yeah, it'd be more helpful with a bit more context. I'm a little leery of sending half of my ID to a random site.
posted by ChurchHatesTucker at 11:40 AM on September 10, 2014 [5 favorites]


Yeah, this seems iffy. Any reputable security folks verified this?
posted by gwint at 11:42 AM on September 10, 2014


Yeah, can anyone give us a bit more confidence in the linked "check your account" site, https://isleaked.com/en.php.
posted by benito.strauss at 11:42 AM on September 10, 2014 [1 favorite]


Wait so if you already use the 2-factor auth does this really matter at all?
posted by Doleful Creature at 11:42 AM on September 10, 2014 [6 favorites]


A comment on reddit suggested that these passwords were stolen from other sites like eharmony. It said that what someone has done is extract all the gmail addresses and tout this as a list of stolen gmail passwords, which they are if you are in the habit of using your gmail account and gmail password on 3rd party sites.
posted by epo at 11:43 AM on September 10, 2014 [4 favorites]


From a currently-updating post at Lifehacker:
We still aren't sure how these passwords were leaked or when—but some folks over on Reddit discovered that these may not, in fact, be Gmail passwords, as original reports claimed. Instead, it looks like these are passwords leaked from other web sites over the years that were associated with Gmail addresses. But, as we know, many people used the same password for multiple accounts—which is why some of you may find that your old Gmail password was leaked (while others are seeing passwords not from Gmail).
posted by zombieflanders at 11:44 AM on September 10, 2014 [6 favorites]


Mashable has more, including the very important detail that these aren't actually Gmail passwords, they're passwords from a site where users used their Gmail address as their login.
posted by tonycpsu at 11:44 AM on September 10, 2014 [3 favorites]


Other coverage I've seen suggests that the list is compiled from other hacked sites, where people have provided their gmail addresses during registration - so the password is for the hacked site, not for the gmail account. Has this been debunked?

FWIW, the two letters I saw did not correspond to the pass of any site which I can recall.
posted by Sticherbeast at 11:45 AM on September 10, 2014 [1 favorite]


I want to enable the 2-step verification thing but really all it makes me think is that the next time they're hacked, assholes will have my email password AND my phone number, leaving me even more vulnerable. UGH EVERYTHING STOP BEING TERRIBLE PLZ
posted by poffin boffin at 11:47 AM on September 10, 2014 [5 favorites]


If this were a real hack, would using 2-step authentication protect these users from this sort of thing?
posted by spikeleemajortomdickandharryconnickjrmints at 11:47 AM on September 10, 2014 [1 favorite]


Oddly, the checker site works fine with no Javascript, but the moment I enable JS on that domain it gives me a 502 Bad Gateway error. Strange.
posted by Pope Guilty at 11:48 AM on September 10, 2014


Yes but can you prove you are the real Sticherbeast
posted by prefpara at 11:48 AM on September 10, 2014 [1 favorite]


Finally got through to check. Both of my primary Gmail addresses weren't affected.
Got the 502 again when I tried checking the rest of my Gmail accounts.
posted by Thorzdad at 11:49 AM on September 10, 2014


See: Have I Been Pwned, which was put together by Troy Hunt.

It looks like they're being hit with a lot of traffic, so expect delays in opening the site and checking your email addresses.
posted by zarq at 11:50 AM on September 10, 2014 [6 favorites]


For those asking, https://www.google.com/landing/2step/#tab=how-it-protects

Yes it would have protected you, because they would need your phone (or one of your printed keys).
posted by czytm at 11:51 AM on September 10, 2014 [1 favorite]


FWIW, the two letters I saw did not correspond to the pass of any site which I can recall.

Maybe it was a site-created password you never had to change to something more solid, or a reset password that was recreated but again never updated?

I finally caved and went to two factor last week when I learned about the backup codes/solutions for international travel without a phone which is kind of a pain but probably worth it.
posted by jetlagaddict at 11:53 AM on September 10, 2014


Hmm. It has my gmail address, but the password is wrong and is probably out of date for the website it was stolen from.

Panic mode going from 'high' to 'normal'.
posted by YAMWAK at 11:55 AM on September 10, 2014


Hmm. It was the first two letters of a pretty weak password that I use for accounts I wouldn't use for personal information, e.g. when I have to register for newspaper comments or something. It's not my actual email password, though I just changed that too. But it's a good reminder to keep rotating out old passwords, since I'm using lastpass for a lot of it now. (I'm happy that the kinda terrible CMS that I use at work has FINALLY updated their settings to allow spaces and increase the max length from 10 to … I dunno, but my password is now a pretty long phrase, which is the way I prefer to roll for passwords I need to remember. I figure, if it works for Assange…)
posted by klangklangston at 12:01 PM on September 10, 2014 [2 favorites]


Thanks, zarq, for the link.
posted by barchan at 12:01 PM on September 10, 2014


Two-factor auth is the sending of a randomized code to your smartphone, voice phone, or other device, and then asking the user to parrot that code. There is no downside to activating it, other than perhaps giving users a mostly valid sense of security. Add some trusted devices for if your phone gets stolen.

I'd advise everyone to use at least 16-character unique passwords for all sensitive accounts, but I could be slightly paranoid. There's a few companies that anger me by having low password limits, though. Microsoft Live stuff is limited to 15 characters and my company's stock manager has a limit of 8 (???).
posted by halifix at 12:08 PM on September 10, 2014 [2 favorites]


I hate when a website requires some specific character requirement that isn't compatible with my random password generator. Like, say, requiring a capital letter but not as the first character. I'd much rather do a 2-step verification.
posted by mullacc at 12:14 PM on September 10, 2014 [2 favorites]


Hmm. It was the first two letters of a pretty weak password that I use for accounts I wouldn't use for personal information, e.g. when I have to register for newspaper comments or something.

Same. They've clearly matched my gmail address to some other account where I used my default non-secure password.
posted by Banky_Edwards at 12:15 PM on September 10, 2014 [1 favorite]


Judging by the number of account names that are not available, 5 million is a drop in the bucket.

I don't think it matters so much that it's unlikely to be my account or yours that was compromised. Having 5 million valid username/passwords for gmail out there seems like it will significantly increase the amount of spam in the world.
posted by foodgeek at 12:17 PM on September 10, 2014


Likewise. They've only got my "random website I don't care about" e-mail and not the personal one, and the password is my weak throwaway that's never been attached to the actual e-mail account.
posted by Holy Zarquon's Singing Fish at 12:17 PM on September 10, 2014 [1 favorite]


Well it appears my account isn't compromised. That's too bad; my gmail account was one I opened a few years ago for a couple of specific purposes and don't really use for anything else. I have long since forgotten my password and was hoping maybe the Russian hackers had found it for me.
posted by TedW at 12:19 PM on September 10, 2014 [20 favorites]


Jesus blood H, I can't even see how to change my password. Settings? Bloody hell.
posted by uraniumwilly at 12:23 PM on September 10, 2014


To change your password, go to settings (the gear in the top right) and then choose the 'Accounts and Import' tab. Changing your password is the first option on the page.
posted by YAMWAK at 12:27 PM on September 10, 2014 [3 favorites]


Looks like the only time one of my emails was compromised was in the giant Adobe fustercluck a couple years ago. Screw those guys.
posted by Justinian at 12:29 PM on September 10, 2014


No problem, barchan!
posted by zarq at 12:29 PM on September 10, 2014


uraniumwilly: Change your Google Account password
posted by ringu0 at 12:31 PM on September 10, 2014


Well, I'm fine but a friend of mine found hers was on the list. So report this out to your fam and friends, ya'll, not everyone practices impeccable email hygiene.
posted by emjaybee at 12:37 PM on September 10, 2014


The 502 error is probably to do with the load on the server. Refreshing with the same request will eventually make it work. It is not dependent on the data that you're submitting.
posted by WaylandSmith at 12:38 PM on September 10, 2014


UPDATE 3:01 PM Google issued the following statement to Fusion:

"The security of our users' information is a top priority for us. We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts."

posted by Oddly at 12:41 PM on September 10, 2014


Thanks folks, for the password change help. Got it!
posted by uraniumwilly at 12:48 PM on September 10, 2014


So as long as your Gmail password is unique from all your other passwords, you should be fine?
posted by Jacqueline at 12:49 PM on September 10, 2014


So as long as your Gmail password is unique from all your other passwords, you should be fine?

Yes, generally speaking, you're better off using unique passwords for every account you create.
posted by ringu0 at 12:52 PM on September 10, 2014


So as long as your Gmail password is unique from all your other passwords, you should be fine?

With gmail, yes. This leak was of people's gmail addresses that are used as a login on other sites, and the passwords for those sites, not gmail.

It's best to make sure all your passwords are different for every site you use.
posted by zarq at 12:55 PM on September 10, 2014


I went through my Last Pass vault on Monday and updated/changed everything. Painful, but probably something worth doing on a periodic basis.

Fortunately, it doesn't look like either of my gmail accounts in part of this, which is good news.
posted by nubs at 12:56 PM on September 10, 2014


Dunno if this is helpful for anyone, but my mom uses DinoPass to generate random easy-to-remember passwords. There's also a nicely-customizable random password generator at techzoom.
posted by zarq at 12:57 PM on September 10, 2014


ya'll

One day, perhaps one day soon, you will be suitably penalized for this apostrophe atrocity.
posted by aramaic at 1:11 PM on September 10, 2014 [26 favorites]


So as long as your Gmail password is unique from all your other passwords, you should be fine?

If it's true that these aren't google account passwords, but passwords to accounts on other systems that happened to be associated with gmail accounts, then yes.

But I'll remind everyone of one of the things this kind of leak means: would-be attackers have access to millions of real-world passwords. Now, most sites have at least half a clue about storing passwords and don't store the plaintext, but a hash of it. Sadly, most sites have no more than that half clue and don't salt the hash, so it's straightforward to prepare hashed versions of a whole list of millions of passwords. So if the attackers get far enough into a system to get the stored passwords, all they have to do is lookup the hashed version and they know the plaintext.

So that clever scheme you have to substitute numerals for letters? Or use the first letters from a line from the chorus of a pop song? If it's the same as one of the millions upon millions of passwords that have ever been leaked, you might as well use "cat". The only standard you should aim for if you don't want to be more vulnerable than necessary is that your passwords should be literally unique: a string of characters that has never before been assembled.

Counter-intuitively, it's surprisingly easy to randomly generate a string for which you can be highly confident that's true. Your password store's random generation function is doubtless good enough to do it. Use a password store; use random passwords.

Reliably, someone will respond to calls for strong passwords that relying on them is bad technology and humans don't work that way (which the password-recommenders, being inhuman, wouldn't understand), or even that it's victim-blaming to talk about there being practices that are more or less secure than others. Yeah, it'd be nice if I didn't have to lock my door either. While I wait for utopia, I'm going to lock my door, use strong passwords, and recommend both practices.
posted by Zed at 1:19 PM on September 10, 2014 [6 favorites]
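The point Zed makes above (a leaked password list plus an unsalted hash store equals a lookup table, and the only real defence is a randomly generated password) is easy to see in code. The block below is an added example, not part of the original thread or anyone's posted code; the "leaked" passwords are constructed for illustration and the hash and parameter choices (SHA-1 for the unsalted case, PBKDF2-HMAC-SHA256 with a random 16-byte salt for the salted one) are assumptions made here to show the contrast, not a description of any particular site.

```python
import hashlib
import math
import os
import secrets
import string

# Constructed sample of passwords as they might appear in a dump (not real data).
LEAKED_PASSWORDS = ["123456", "dr4matic", "tankdog", "letmein", "P@ssw0rd"]


def unsalted_sha1(password: str) -> str:
    """What a 'half a clue' site stores: a bare, unsalted hash of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(leaked: list[str]) -> dict[str, str]:
    """Precompute hash -> plaintext once for the whole leaked list.
    Because nothing site-specific goes into an unsalted hash, this one table
    works against every site that stores passwords this way."""
    return {unsalted_sha1(p): p for p in leaked}


def crack_unsalted(stored_hash: str, table: dict[str, str]):
    """Recovering the plaintext is a dictionary lookup, not a computation."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """A per-user random salt and a slow KDF (PBKDF2 here, as an example
    choice) mean a precomputed table is useless: every user would need
    their own table, and each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    # Compare in constant time so timing does not leak how many bytes matched.
    return hashlib.sha256(salted_hash(password, salt)).digest() == hashlib.sha256(stored).digest()


def random_password(length: int = 20) -> str:
    """A password drawn from a CSPRNG: with 62 symbols and 20 positions there
    are 62**20 candidates, so a collision with any previously leaked string
    is not a realistic concern."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int = 20, alphabet_size: int = 62) -> float:
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = build_lookup_table(LEAKED_PASSWORDS)
    print("unsalted 'tankdog' recovered as:", crack_unsalted(unsalted_sha1("tankdog"), table))
    salt, stored = store_salted("tankdog")
    print("salted hash in the table?", stored.hex() in table)
    print("random password:", random_password(), f"(~{entropy_bits():.0f} bits)")
```

The same password stored on two salted sites yields two unrelated hashes, so a breach of one gives the attacker nothing reusable against the other; the unsalted table, by contrast, is built once and reused forever, which is exactly why a password that appears in any dump is as good as "cat".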


There is no downside to activating it...

You're giving extra personal information about yourself to Google, or at the very least confirming what they already guess about you. That's why Google runs the two-factor system.

You could do two-factor differently, with equivalent security but without giving the information to Google. That arrangement is not available from many places, and none (to my knowledge) operate it in a way that would allow you to use the same second-factor at many disparate sites.
posted by spacewrench at 1:36 PM on September 10, 2014


Is the list visible somewhere, or is everybody here plugging their email addresses into one of these "check if you've been hacked" websites?
posted by cribcage at 1:38 PM on September 10, 2014


Oooh, while we're bringing up password generation and password stores, Bruce Schneier recently discussed password manager security on his blog. And methods for generating a memorable secure password.
posted by indubitable at 1:41 PM on September 10, 2014


You're giving extra personal information about yourself to Google, or at the very least confirming what they already guess about you. That's why Google runs the two-factor system.

That's a really cynical way to look at it. Google have plenty of legitimate reasons for ensuring the security of their users -- they're not providing two-factor authentication so they can mine your personal information.

Spreading information to the contrary is almost certainly undermining real-world security. Two-factor auth isn't perfect, but it's a very, very good idea.
posted by schmod at 1:44 PM on September 10, 2014 [11 favorites]


I always panic when I do Have I Been Pwned because I was on a Stratfor email list for about five minutes at one point, so my email was leaked there. But I wasn't subscribed or anything so I know all that was leaked was my email--no passwords or financial details. But the "you have been pwned" always makes my heart skip a beat.
posted by immlass at 1:44 PM on September 10, 2014


And there's few good options if you don't have a smartphone or tablet.
posted by CBrachyrhynchos at 1:46 PM on September 10, 2014


All Google knows about me from my using two-factor is that I have their app installed and running on a phone. I don't even think they know my phone number. Even if I had to tell them that, it would be well worth the security upside. I could change my email password to hunter2 and never have to worry about it being hacked as long as I hold on to my phone.
posted by Aizkolari at 1:55 PM on September 10, 2014 [1 favorite]


I'm also not confident of Schneier's acronyms given how easy it is to trawl the Bible, Gutenberg, and lyrics databases for phrases.
posted by CBrachyrhynchos at 1:57 PM on September 10, 2014 [1 favorite]


Allegedly, this is the list of email addresses. It looks like the poster didn't release the passwords, just this screenshot in the bitcoin forum. (I got lucky and got to the bitcoin forum in a moment of its server not being crushed.)

So I'm not seeing that there's any more reason to think this is legit than that it's a hoax.
posted by Zed at 2:03 PM on September 10, 2014 [1 favorite]


Google promotes two-factor authentication because it significantly increases security. Lots of people use passwords like 123456 or dr4matic that are easy to hack, and a frighteningly large number of accounts are hacked every day. Two-factor makes that a lot harder.

IIRC, Google got serious about two-factor not long after their own internal systems were penetrated by Chinese hackers.
posted by jjwiseman at 2:10 PM on September 10, 2014


Thanks, Zed.
posted by cribcage at 2:13 PM on September 10, 2014


You're giving extra personal information about yourself to Google, or at the very least confirming what they already guess about you. That's why Google runs the two-factor system.

Nonsense.
posted by The Bellman at 2:17 PM on September 10, 2014 [3 favorites]


Google says less than 2% would have worked and they've notified and protected those accounts.
posted by BlackLeotardFront at 2:22 PM on September 10, 2014 [3 favorites]


When I redid my passwords after the whole Heartbleed Bug hype, I could not get my new passwords to work with Gmail with two-step verification on my Android phone (an HTC One). I ended up having to get rid of the two-step thing to get into my mail. So... no three cheers for two-step verification here.
posted by raysmj at 2:29 PM on September 10, 2014


And there's few good options if you don't have a smartphone or tablet.

Google lets you print out a business-card-sized sheet of ten one-time-use codes. They're one of the only two-factor authentication providers that allow you to do this, and I actually use this by default instead of the smartphone app.*

If you lose your sheet, they make it very easy to revoke any existing unused codes, and print a new sheet.

I believe that they also let you retrieve auth codes via SMS.

Google's two-factor auth system is very, very good. If you have a Google account, you should use it.

* My rationale is that it provides a slightly smaller attack surface -- if my passwords are stolen, there's a slight chance that my phone could have also been compromised. However, it's extremely unlikely for a single attacker to simultaneously compromise my passwords, and literally steal my wallet. If somebody manages to obtain both my passwords and my wallet, I probably have much scarier things to worry about.
posted by schmod at 2:35 PM on September 10, 2014


TedW: "Well it appears my account isn't compromised. That's too bad; my gmail account was one I opened a few years ago for a couple of specific purposes and don't really use for anything else. I have long since forgotten my password and was hoping maybe the Russian hackers had found it for me."

Try the NSA, they might be able to help you.
posted by symbioid at 2:45 PM on September 10, 2014


hunter2
posted by symbioid at 2:46 PM on September 10, 2014 [2 favorites]


You're giving extra personal information about yourself to Google, or at the very least confirming what they already guess about you. That's why Google runs the two-factor system.

You could do two-factor differently, with equivalent security but without giving the information to Google. That arrangement is not available from many places, and none (to my knowledge) operate it in a way that would allow you to use the same second-factor at many disparate sites.


As others have already pointed out, this is wrong. In fact, it's wrong in every possible way it could be wrong. Google doesn't get any extra personal information from you other than your phone number - which they ask for if you enable account verification anyway, so you can recover your password. The authenticator app used by Google is functionally equivalent to a RSA SecurID token. When you initially install it, it gets a seed value from Google's servers, and it uses this to generate temporary token values. It doesn't connect to Google's servers to do this - you can turn your phone's networks off entirely.

Google provides authenticator apps for Android and, I believe, iOS. For Windows phones, you can use the Microsoft authenticator app instead. The Google authenticator app can be used with third-party services like Dropbox or even generic Linux servers with a custom PAM module installed, so you can clearly use the same second factor (your phone with the authenticator app) at many disparate sites. Anyone can write an application that can use Google's authenticator.

Google's no saint, but their interests and their users' interests happen to coincide when it comes to account security. Google doesn't want its users to be compromised, because it's bad for Google. There's no reason to invent wacky conspiracy-theory BS here.
posted by me & my monkey at 2:59 PM on September 10, 2014 [13 favorites]
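What the comment above describes (a seed handed over once at setup, codes computed locally with no network, the same app usable with Dropbox, Linux PAM or anything else) is the TOTP algorithm of RFC 6238 built on the HOTP of RFC 4226. The block below is an added example written for this thread, not Google's code: it implements the code generation and verification, and checks itself against the published RFC 4226 test vectors (ASCII key `12345678901234567890`). The `otpauth://` URI layout is the one Google Authenticator reads from the setup QR code; the issuer and account names used are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# RFC 4226 test key (ASCII "12345678901234567890"); used only for self-checks.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since epoch.
    Nothing here talks to a server; only the shared secret and the clock matter."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: float, step: int = 30,
                window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side to
    tolerate clock drift, comparing in constant time. A real deployment would
    also record the accepted counter to refuse replays within the same step."""
    counter = int(now) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, c), candidate)
    return ok


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps expect the seed as unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text: str) -> bytes:
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The string encoded in the setup QR code. Reading it is the only
    'connection' the phone ever needs; the secret is transferred once."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_to_base32(secret)}&issuer={quote(issuer)}"


def secret_from_uri(uri: str) -> bytes:
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return secret_from_base32(parse_qs(parsed.query)["secret"][0])


if __name__ == "__main__":
    uri = provisioning_uri(RFC_TEST_KEY, "ExampleSite", "alice@example.org")
    print(uri)
    seed = secret_from_uri(uri)          # what the phone stores after scanning
    print("code now:", totp(seed, time.time()))
    print("RFC vector T=59 ->", totp(RFC_TEST_KEY, 59))  # 287082 per RFC 6238
```

Because the server only ever stores the seed and the phone only ever needs the seed plus a clock, nothing identifying (no phone number, no device identity) is required for the code path itself; the phone number in Google's flow belongs to the SMS fallback and account recovery, which is a separate mechanism.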


Cleaning up after password dumps on the Google security blog.
posted by GuyZero at 3:03 PM on September 10, 2014


This leak was of people's gmails addresses that are used as a login on other sites, and the passwords for those sites, not gmail.

Something seems odd about that. If they were scraped from some other sites, why would they only be gmail addresses and not addresses from other email services?
posted by ctmf at 3:17 PM on September 10, 2014


Google lets you print out a business-card-sized sheet of ten one-time-use codes.

Which requires phone or sms access to set up. So it's a chicken/egg problem for a service I'm slowly migrating away from.
posted by CBrachyrhynchos at 3:17 PM on September 10, 2014


I guess the file with passwords was originally there and later replaced with just the email addresses: people are saying they saw their own password in the file. So scratch what I said about there being no reason to believe it's not a hoax.
posted by Zed at 3:18 PM on September 10, 2014


I like to imagine that somebody bought 5 million user/passes, but then they got scammed by somebody who only really had about two percent of that. Wheels within wheels...
posted by Sticherbeast at 3:24 PM on September 10, 2014


Since changing my password, my phone won't sync, even after inputting the new pw. This is why I don't like 2-factor authentication...I don't trust my phone enough to have it be my key to gmail.
posted by anazgnos at 3:26 PM on September 10, 2014 [1 favorite]


anazgnos, did you provision an app-specific password? I'd remove the old app password and make a new one.
posted by halifix at 3:48 PM on September 10, 2014


Every single comment in that reddit thread zombieflanders linked shows as "comment removed" for me. Is that SOP for reddit? Not being a redditor, I dunno.
posted by jfuller at 3:52 PM on September 10, 2014


@raysmj and @anazgnos: 2-factor doesn't work through IMAP and SMTP (almost certainly the way your phone will get/send mail). Instead, Google lets you set up "Application Passwords", which are passwords that only work over IMAP and SMTP but don't require 2-factor. Google will only show you the password once -- when you create it -- then you enter it into your phone settings and forget about it. Changing your main password later won't affect your Application Passwords, so you won't have to change them again. If you already had 2-factor set up then your mistake was putting your new password in your phone email settings; you should have left them alone!

2-factor isn't a magic bullet or panacea to the leaked password problems occurring lately. It is better, and makes it more difficult for hackers to get your account, but it can also be confusing to setup, manage, and understand.

Make sure you have that backup code somewhere safe. Or one day you'll lose your phone or have it stolen or simply upgrade it, and find yourself permanently locked out of your GMail.
posted by sbutler at 3:59 PM on September 10, 2014 [1 favorite]


it's wrong in every possible way it could be wrong

Sorry, but I didn't say two-factor was bad, or not secure, or not better than nothing. All I said was that Google runs two-factor the way they do because it's valuable to them to have a confirmed phone number on your account. You can run two-factor (on a phone, even) without telling the operator of the service your phone number. (You'd have to tell them some other piece of information, but it could be any random string, not something that discloses information about you.)

It is unquestionably valuable to a company like Google to have a solid, confirmed real-world contact point tied to an electronic profile. To pretend otherwise gives companies a free pass on the data harvesting, collating, and use that degrade many aspects of society, as well as on the creation and (inevitably) inadequate protection of vast caches of people's exploitable information.

It's true that I am cynical: I believe the reason Google sells such nice phones, so much cheaper than Apple, is that it's enormously valuable for them to have the information they get from everyone walking around with a Google computer in their pocket (where you go, when, whom you call, who calls you, etc.)

Again, they could have implemented two-factor differently, and in a way that did not require users to give up their contact information. If they had done it that way, users would still have been better protected and Google would probably have faced fewer attacks through compromised-user vectors.

Instead, they chose an implementation that provides those benefits, but also results in Google getting personal information they don't strictly need, that is valuable, and whose value many people underestimate or discount entirely.
posted by spacewrench at 4:21 PM on September 10, 2014


Personally, I did weigh the benefit of Google 2-factor over the privacy of giving Google my phone number. Especially since some of my (*cough*sockpuppet*cough*) accounts aren't ones I particularly want tied to my IRL identity.

But for me it made sense. I do value the Google services, and while I let Google know a shit ton about my life and that makes me uneasy, I also don't mind giving them a little more confirmed information in order to keep the hackers out. Plus, with a large enough database it's likely Google already knew this information anyway. It's probable that one of my friends has a contact entry on their phone that contains my real name, address, phone number, and email, and syncs this to Google's cloud.

I'm not saying the choice is right for everyone. And under different circumstances I might have made a different choice. But I don't think it's hugely conspiratorial. I think the primary benefit to Google in having your phone number is that it greatly cuts down on their support requests for password resets and claiming accounts.
posted by sbutler at 4:31 PM on September 10, 2014


Sorry, but I didn't say two-factor was bad, or not secure, or not better than nothing. All I said was that Google runs two-factor the way they do because it's valuable to them to have a confirmed phone number on your account. You can run two-factor (on a phone, even) without telling the operator of the service your phone number.

Well, no, what you said was: "That's why Google runs the two-factor system." These two statements are not the same ... at all. And, if you really want, you don't actually need a real phone number to set up Google's two-step verification. You could, if you wanted, use any phone number that can receive a message right now, and discard that number right after you're done. This would generally be a bad idea, because the phone number is (by default) used as a backup if you lose your authenticator itself. But you can certainly do it.

And you certainly don't need a phone number to use two-step verification once it's set up, if you installed the app on a smartphone or tablet. It doesn't connect to Google's servers once it's set up. The initial "connection" during setup involves reading a barcode from a web page - your device doesn't have to send a single message back to Google, or have a network connection of any sort. You don't "tell the operator of the service your phone number" while using two-step verification with the authenticator app.
posted by me & my monkey at 4:43 PM on September 10, 2014


Yes, these were used on other sites, and wouldn't be from gmail. Several people on 4chan /g/ posted links to the 100mb file on Zippshare/Mega/etc...

You'll find a fair amount of
****+xtube@gmail.com

Which for those that don't know about Gmail addresses:

username+anything@gmail.com delivers to username@gmail.com and you can set up a filter based upon that. Handy for known spammy sites.

user.name@gmail.com is the same as username@gmail.com and same as u.s.e.r.n.a.me@gmail.com. Gmail ignores periods.


Some of my favorite password/user combos have been from searching for "lawyer"... Looking at you with the password "tankdog"!
posted by wcfields at 4:45 PM on September 10, 2014 [5 favorites]


According to the reddit thread, searching for + in the addresses turns up which sites they were registered for in many cases. The number one result was 'xporn'
posted by empath at 5:17 PM on September 10, 2014


None of my addresses were listed. Also, I need to stop making new gmail accounts.
posted by angerbot at 5:51 PM on September 10, 2014 [1 favorite]


I do value the Google services, and while I let Google know a shit ton about my life and that makes me uneasy

At some point in the near future, I plan to go to my Google account(s) and switch the gender in my profile. I'm hoping it will throw a bit of a wrench into their algorithms, at least with respect to how my data is being used.
posted by nubs at 5:52 PM on September 10, 2014


I didn't see that this has been posted yet: IsLeaked.com registered 2 days before Gmail leak public

It's scary that people will enter their email address into some random website they'd never heard of before.
posted by desjardins at 6:21 PM on September 10, 2014 [6 favorites]


It's scary that people will enter their email address into some random website they'd never heard of before.

I suggest the mods replace the FPP link with Have I Been Pwned?, which at least is credible.
posted by His thoughts were red thoughts at 7:10 PM on September 10, 2014 [3 favorites]


It's scary that people will enter their email address into some random website they'd never heard of before

I'm not saying it's not a good practice to wonder why a site is up, but serious question... what are you afraid of? It's an email address. (And you aren't even attaching any data to it beyond... an email address.) It's not like it's crazy personal information. Are you worried about spam? Google pretty much nails that one and you never see it. Some random person might... have your email address?
posted by aspo at 10:15 PM on September 10, 2014 [1 favorite]


This is a false alarm. There is no need to change any account passwords.

Thank you for your interest in this matter.
posted by NSA at 10:33 PM on September 10, 2014 [2 favorites]


My email address was in it. The first two letters of the password match my pathofexiles password. Possibly others, but I can't remember.
posted by stavrogin at 11:05 PM on September 10, 2014


IsLeaked.com registered 2 days before Gmail leak public

There were similar alerts for Yandex and Mail.Ru over the weekend, and the site does indeed default to Russian and cover these as well, so it's pretty likely that it was built for the earlier alerts.

So chances are that someone got their hands on an old list and has been splitting it up by domain, generating a steady stream of "Site X has been cracked" alerts (there's also some speculation that someone's trying to make some point in relation to the ongoing Internet crackdown in Russia).
posted by effbot at 2:40 AM on September 11, 2014


This makes me happy that (a) I have been enabling 2-factor login for every Google Authenticator-compatible site that I use (don't want to rely on SMS codes, because no text plan, and prefer to keep all codes in one place) and that (b) I just in the last week broke down and paid for 1password family pack + iOS app to ensure all my tech was up to snuff.
posted by caution live frogs at 6:43 AM on September 11, 2014


Every single comment in that reddit thread zombieflanders linked shows as "comment removed" for me. Is that SOP for reddit? Not being a redditor, I dunno.

You'll find that in the more heavily moderated subreddits. /r/AskScience, for example, deletes opinions and blatantly wrong answers. I'm not sure what /r/NetSec's policy is.
posted by Nonsteroidal Anti-Inflammatory Drug at 9:27 AM on September 11, 2014


Man alive. I think they probably got my old PW from the Chinese Invasion hack of a few years back but I'm checking. Also I have 2-factor having spent about 50 hours recovering from the previous breach.
posted by Mister_A at 10:55 AM on September 11, 2014


Hey is that file supposed to just be a list of names? I don't see any PW in Mac Mavericks/TextEdit
posted by Mister_A at 11:02 AM on September 11, 2014


NVM just read this translated text: Here is lined full database without a password, only for personal checks, do not hit if your mailbox in it.

Must've replaced the file with the address only one I've got.
posted by Mister_A at 11:09 AM on September 11, 2014


but serious question... what are you afraid of? It's an email address

It's your valid email address. Trust me, it's worth something to the right people.
posted by ChurchHatesTucker at 12:43 PM on September 11, 2014


But there's no me associated with it. I can get being able to link ME with my email address could be worth something (although to be honest that's not hard to do already) but the existence of an email address somewhere out there? what does that give you? Doubly so considering it's connected to a system that does a remarkable job of making me not even remember that spam exists.
posted by aspo at 4:06 PM on September 11, 2014

