gmail passwords leaked

[herm0016]

2 step would be a real pita when I only have a computer to access my email. no phone or other devices and on slow satellite based connections. sounds like you must have 2 devices with data connections to use it.

 

[Gooberlx2]

2 step would be a real pita when I only have a computer to access my email. no phone or other devices and on slow satellite based connections. sounds like you must have 2 devices with data connections to use it.

They can do SMS to any cell phone or even automated voice call to a landline. But yes, there has to be a second trusted device involved in the process.

 

[It's Not Lupus]

With Gmail, there are also one-time backup codes. You could keep one or few codes in your wallet for example. I would keep the code in my wallet unlabeled, nothing that says what it's for.

 

[Red Squirrel]

Sure glad I moved my domain admin contact off gmail... I realized at one point that if someone hacked gmail they could technically take all my domains. Quickly moved everything off gmail as just the sheer thought of that was frightening. It seems big companies just don't care about security anymore. Everybody is getting hacked left and right.

Target, Home Depot, Apple, Gmail... just to name a few recent ones.

 

[Imp]

And I just turned on 2 step verification for my gmail account... Not as much of a pain as I thought. Just turned on trusted device, generated backup passwords, and sent a verification text message to my phone.

 

[Red Storm]

Sure glad I moved my domain admin contact off gmail... I realized at one point that if someone hacked gmail they could technically take all my domains. Quickly moved everything off gmail as just the sheer thought of that was frightening. It seems big companies just don't care about security anymore. Everybody is getting hacked left and right.

Target, Home Depot, Apple, Gmail... just to name a few recent ones.

Google didn't get hacked. Neither did Apple.

 

[akouocoop]

I feel pretty confident these aren't gmail passwords, but are from other places.

Can confirm. These are from another site that used a gmail address as login. Mine is leaked, but with my throwaway password, not gmail password.

 

[Red Squirrel]

Google didn't get hacked. Neither did Apple.

Well whatever it is, compromised or w/e way you want to call it, someone managed to get access to part of their servers where passwords are stored.

Which brings us to another thing... why the hell are they storing this info in clear text? Or was this hacking more of a packet sniffing type of hacking due to an unsecured switch or other network device where they just got passwords of people as they were logging in during a certain time frame? But even so, it should be done over HTTPS.

 

[KillerBee]

Google didn't get hacked. Neither did Apple.

Yeah I think that's point which seems to have been misinterpreted by the press.

They cracked other sites/forums over the years - not gmail itself
then only released a list of users who had a gmail address associated with those compromised sites.

I guess people who see their own email and password listed
probably use the same password everywhere

ie: they also have tons of other email accounts like xxxx@yahoo.com
but they released the list by domain and xxxx@gmail is the biggest

It doesn't mean they cracked yahoo or have your actual yahoo password
it's just the account on the forum which they did crack
was associated with an xxx@yahoo account and they have the password to that account on that forum.

So only need to worry if you use same password everywhere
or use the same gmail password on another account/site
Which you should never ever never ever do

 

[Strk]

And I just turned on 2 step verification for my gmail account... Not as much of a pain as I thought. Just turned on trusted device, generated backup passwords, and sent a verification text message to my phone.

Same. I was expecting it to be annoying, but that was pretty painless.

 

[IronWing]

Q: If you know someone's gmail address (or any email address) what is to prevent you from attempting to login multiple times with incorrect passwords and thereby locking the user out? And doing so daily? Sort of a DOS attack on a specific address?

 

[jpiniero]

Q: If you know someone's gmail address (or any email address) what is to prevent you from attempting to login multiple times with incorrect passwords and thereby locking the user out? And doing so daily? Sort of a DOS attack on a specific address?

My guess is that you would get an IP ban eventually.

 

[Imp]

Q: If you know someone's gmail address (or any email address) what is to prevent you from attempting to login multiple times with incorrect passwords and thereby locking the user out? And doing so daily? Sort of a DOS attack on a specific address?

I realized that recently... Then I tried looking for lockout details for Google log-ins and couldn't find one. They have a "suspicious activity" monitor, which I hope includes a lockout.

 

[KillerBee]

Q: If you know someone's gmail address (or any email address) what is to prevent you from attempting to login multiple times with incorrect passwords and thereby locking the user out? And doing so daily? Sort of a DOS attack on a specific address?

Depends on how the site handles it.

ie: vBulletin forums by default will allow 5 bad passwords then lockout account for 15 minutes and send an email to the account owner -

Hopefully the account owner will notice the email notifications piling up and suspect something is going on eventually. In the meantime this 15 minute lockout should be enough to discourage the hacker and they will move on to some other victim.

 

[SKORPI0]

isleaked.com

.

Not sure if I'll even put trust in that site. Could be a site that collects gmail/IP addresses.

 

[KillerBee]

Not sure if I'll even put trust in that site. Could be a site that collects gmail/IP addresses.

Yeah - I think checking the list yourself is the safest - well hopefully its the same list.

http://forums.anandtech.com/showpost.php?p=36700089&postcount=36

 

[SKORPI0]

Yeah - I think checking the list yourself is the safest - well hopefully its the same list.

http://forums.anandtech.com/showpost.php?p=36700089&postcount=36

Thanks, didn't read the whole thread.. missed that post.
Found one that could be mine but with added 01 on the address, which I don't use in any on-line account, just for email.

 

[KillerBee]

Thanks, didn't read the whole thread.. missed that post.
Found one that could be mine but with added 01 on the address, which I don't use in any on-line account, just for email.

yeah - unfortunately that list only shows email adresses - no passwords

It would help if we could download a list containing both emails and passwords from somewhere
so we would know where it came from to change the password - if you do happen to use a different password for every site

 

[Fenixgoon]

isleaked.com

That's the link you go to to check if your password was one of the ones leaked. I'm curious to see if any ATOTer's account got leaked. Apparently mine wasn't.

Also: Two factor authentication. Use it. Live it. Believe in it.

one of my emails came back as a positive (leaked) result, but the partial password it gave was not correct.

i wonder if the list is outdated

 

[ViviTheMage]

yup, mine was leaked...damn wonder how.... it's a pw I used probably 5 years ago too.

I just don't like seeing my email anywhere like that ... feels dirty.

 

[Gooberlx2]

Well whatever it is, compromised or w/e way you want to call it, someone managed to get access to part of their servers where passwords are stored.

No they didn't...at least not through Apple or Google servers/services. They phished, engineered users, infected user systems, cracked other weaker sites or whatever else, but neither Apple nor Google servers or services were breached.

 

[Raduque]

This is true. Your primary email is the key to every other piece of information about you. If they can get in there, they can see you're getting emails from banks, financial institutions, social media accts, etc. They can then issue reset pwd requests from those locations and get access to everything you own on the Internet.

Think about that the next time your mom wants to use "password1" for her password.

Ugh, my Aunt was, until Tuesday, keeping her passwords in a spreadsheet on her desktop in plaintext. The xls wasn't even password protected!

 

[Mai72]

wise move, also worthwhile within gmail every now and then to check the very bottom right corner where there's a details link for account activity. it will show your last XYZ number of logins and what IP address it came from.

I never knew that.

Thanks.

 

[iCyborg]

Ugh, my Aunt was, until Tuesday, keeping her passwords in a spreadsheet on her desktop in plaintext. The xls wasn't even password protected!

I have a text file with passwords in one of the folders on my desktop
Firefox has passwords remembered so I figure there isn't much point in encrypting the file - if someone manages to get into my apt and to my desktop, I'll have bigger worries than hacked gmail account. The vast majority are low impact anyway, like ATF username/pass. The only exception is my banking account - it's not remembered by FF, nor stored anywhere, and the passwords are different from any other.

I also don't use 2-step verification, and don't plan to. Maybe if I get bitten I'll start. It's a tradeoff for me - phone number is a personal information that I'm unwilling to provide to 3rd parties like Google, Facebook, Microsoft etc. who seem to be in business of collecting such info. And the gain is some extra security, and not that much since by far the biggest threat to me is someone getting hold of my phone.

 

[Imp]

Aw damnit. I forgot to bring a temporary code with me to work, now I can't log in to my Gmail -- stopped bring my cell phone everyday a while back because it's bulky.