gmail passwords leaked


Zee

Aw damnit. I forgot to bring a temporary code with me to work, now I can't log in to my Gmail -- stopped bringing my cell phone every day a while back because it's bulky.

wtf what is the point of having a mobile
 

Red Squirrel

No they didn't...at least not through Apple or Google servers/services. They phished, engineered users, infected user systems, cracked other weaker sites or whatever else, but neither Apple nor Google servers or services were breached.

You don't gain access to thousands of accounts in a single instant through phishing. There's more to it than these companies are willing to admit.
 

Gooberlx2

You don't gain access to thousands of accounts in a single instant through phishing. There's more to it than these companies are willing to admit.

From what I've read, just like the fappening, it likely wasn't a single instance collection. Instead it's a collection from other compromised websites where people used the same login credentials.
 

Platypus

From what I've read, just like the fappening, it likely wasn't a single instance collection. Instead it's a collection from other compromised websites where people used the same login credentials.

don't try to reason with it, you're wasting your time
 

Kaido

Mine is on it, but none of the passwords match up to anything I've ever used. Weird.
 

lxskllr

Aw damnit. I forgot to bring a temporary code with me to work, now I can't log in to my Gmail -- stopped bringing my cell phone every day a while back because it's bulky.

and this is why I don't use 2 factor authentication. I'd rather do it with a password/gpg key combo. That way doesn't rely on a specific electronic device to access the account.

As to the why .7z... 7z is my cross platform archive of choice for large files. Small stuff I use zip, and for GNU/Linux only, I use tar.gz. Rar is anti-social, and shouldn't be used for anything.
 

Crono

I also don't use 2-step verification, and don't plan to. Maybe if I get bitten I'll start. It's a tradeoff for me - phone number is personal information that I'm unwilling to provide to 3rd parties like Google, Facebook, Microsoft etc. who seem to be in the business of collecting such info. And the gain is some extra security, and not that much since by far the biggest threat to me is someone getting hold of my phone.

Using an authenticator app doesn't give anyone your phone number. But if you are using a smartphone, there are apps like Facebook (and others, including some potentially shady ones) which can see your phone number and contacts unless you specifically block access using root privacy controls like XPrivacy or App Ops on Android.

Now if you are using a dumb phone, you are safe from that. I think there's even a standalone Java-based authenticator application that works for some feature phones, though.

People should be turning on encryption on any and all smartphones, including microSD encryption if your hardware supports microSD. Especially if you sell or give away your old phones, because it's possible for someone to recover data off them even if you factory reset.
 

Red Squirrel

From what I've read, just like the fappening, it likely wasn't a single instance collection. Instead it's a collection from other compromised websites where people used the same login credentials.

Hmmm did not realize that's what it was, the news is very misleading then as they seem to say it's Google that got hacked. I think it's more important to know which site got hacked and the blame should be on them, not Google. The news makes it sound like it's Gmail that got hacked.
 

CZroe

The website I used to check my address tells me that they do not filter the periods out of the leaked usernames or the search queries. Because Google IGNORES periods and will deliver n.a.m.e@gmail.com or na.me@gmail.com to name@gmail.com, a lot of people will THINK they are safe when they check and may not change their passwords!

Even if you use [first initial].[lastname]@gmail.com as your email, the leaked list may have the period filtered out. You will have to search for your email with and without the dot! If, like me, you sometimes used the quirk to sign up for something with a variant of your typical address, you may find it impossible to reliably check using that tool. Why might someone do that? To use the same email to register for something a second time or use it to identify who leaked your email ("I only used that variant of my gmail address on that one particular website and now I'm getting seemingly unrelated spam with that same arrangement of periods in the username!").
 

Red Squirrel

Forgot about the period issue. Can use some text manipulation commands like tr in Linux to get rid of it.

I hope you guys aren't actually inputting your addresses on these random sites, right? :| I would not really trust those. Use the list posted a while ago and just do a grep search.

Something like this:

Code:
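# strip the periods from the list first, then search; use your address without periods in place of [username]
tr -d "." < google_5000000.txt | grep -i [username]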

Mine is not in there so I'm good. Though, not sure how accurate that list is.

I don't really use gmail though but it is tied to a few things I used like adsense and youtube, so I changed my password anyway to be safe.

In fact I should go around and change ALL my passwords for all services. For most things I use a password database anyway and don't actually know them by heart.
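
Added example (not part of any post in this thread): a local, period-insensitive lookup along the lines of the two posts above. It compares whole addresses, so `rename@gmail.com` is not a hit for `name@gmail.com`, and it prints only a count rather than lines from the list. Assumed: one entry per line with the address first, optionally followed by `:` and other data; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: one list entry per line, address first,
# optionally followed by ":" and other data.

# awk program: lowercase the address and, for gmail.com only, drop the
# periods from the part before the "@" (Gmail ignores them on delivery).
CANON_AWK='{
    addr = tolower($1); sub(/\r$/, "", addr)
    at = index(addr, "@"); if (at == 0) next
    lp = substr(addr, 1, at - 1); dom = substr(addr, at)
    if (dom == "@gmail.com") gsub(/\./, "", lp)
    print lp dom
}'

# Print the canonical form of a single address.
gmail_canon() { printf '%s\n' "$1" | awk -F':' "$CANON_AWK"; }

# Print how many entries in list file $2 are the same mailbox as address $1.
leak_count() {
    want=$(gmail_canon "$1")
    awk -F':' "$CANON_AWK" "$2" | grep -cxF -- "$want" || true
}

# Constructed sample list (not taken from any real dump).
make_sample() {
    cat > "$1" <<'EOF'
n.a.m.e@gmail.com:x
Na.Me@gmail.com
rename@gmail.com
n.ame@example.com
other.person@gmail.com
EOF
}

sample=$(mktemp)
make_sample "$sample"
leak_count "name@gmail.com" "$sample"     # two period/case variants present
leak_count "j.doe@gmail.com" "$sample"    # not in the list
rm -f "$sample"
```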
 

iCyborg

Using an authenticator app doesn't give anyone your phone number. But if you are using a smartphone, there are apps like Facebook (and others, including some potentially shady ones) which can see your phone number and contacts unless you specifically block access using root privacy controls like XPrivacy or App Ops on Android.

When I go to the Google Authenticator web site, the first step is:

Setting up the app

1. If you haven’t already, complete the SMS/Voice setup and enroll your account in 2-Step Verification using your phone number.


Are you saying I can skip this step?
And the need to download barcode scanner app is also offputting...

I don't have facebook app, I only installed and used 3-4 apps in the last 3 years. Google can probably get to my number since I have an android phone and I need to use google account for Play Store. But technically they shouldn't associate it with google account. I'm still pissed how linked-in pulled in my gmail contacts even though I (thought I) was careful not to allow this on both linkedin and gmail. I must've missed some small print somewhere at some point, I've seen some lawsuit against linkedin at the time too...

It's like backups, I do them very infrequently. I need to get burned to get my lazy ass moving...
 

bradley

Hmmm did not realize that's what it was, the news is very misleading then as they seem to say it's Google that got hacked. I think it's more important to know which site got hacked and the blame should be on them, not Google. The news makes it sound like it's Gmail that got hacked.

Very misleading. It was actually a wide majority of the Internet, including Google, who were infiltrated during Heartbleed.

Not only that...

Google knew about Heartbleed for around a month and never told anyone
http://bgr.com/2014/04/15/google-heartbleed-security-patch/

GRC: Google Chrome Only Blocks 3% of Sites Compromised by Heartbleed. Yikes!
http://news.softpedia.com/news/GRC-...-Sites-Compromised-by-Heartbleed-439928.shtml

And while Apple wasn't affected directly by Heartbleed, the Gotofail bug did trick iOS and Mac devices into accepting invalid SSL certificates....

Apple's 'goto fail' tells us nothing good about Cupertino's software delivery process
http://www.zdnet.com/apples-goto-fa...ertinos-software-delivery-process-7000027449/

Let's also remember the Android's WebView exploit that provided *full control* of remote devices. Hackers developed tools that allowed virtually anyone to exploit this flaw, of which a majority of Android devices still appear vulnerable.

New Android 'Fake ID' flaw empowers stealthy new class of super-malware
http://appleinsider.com/articles/14...empowers-stealthy-new-class-of-super-malware-

End-users have short memories and hackers capitalize on that fact.
 