5 Million Gmail Addresses, Passwords Leaked (Update)

It's good news/bad news time. The bad news is that someone got his or her hands on nearly 5 million Gmail addresses and corresponding passwords and made them all public. The good news is that even if your Gmail address is on the list, the password may not be your Google password, and may also be too old to merit much concern.

The Russian tech blog Habrahabr theorizes that the leaked Gmail addresses and passwords were most likely compiled through phishing scams, use of weak passwords and other common compromises, not as a result of a hacked Google server. Similar databases of email addresses and passwords from Yandex and Mail.ru, two popular Russian-language services, were made public earlier this week.

As a result, many of the "Gmail" passwords may instead be for third-party accounts for which the Gmail addresses were simply entered as usernames. If the affected individuals used one password for Google, and other passwords for third-party accounts, they should be fine.

MORE: Best Free PC Antivirus Software 2014

You can use a site called, appropriately enough, "Is my email leaked?" if you'd like to see if your Gmail, Yandex or Mail.ru address is on the list. The site itself is safe, and you can even give a shortened version of your email address with asterisks if you're concerned.

Earlier today (Sept. 10), Australian security researcher Troy Hunt tweeted that he'd soon be adding the Gmail addresses to his own haveibeenpwned.com compromised-email checking website, which aggregates the results of large password dumps.

Based on an informal poll of the Tom's Guide New York office, not that many people seem to be affected by this data dump. This makes sense when you consider that Gmail has more than 500 million users and the password breach affects less than one percent of them.

Many of the passwords on the list seem to outdated, tweeted Peter Kruse of Danish security firm CSIS — some by as much time as three years. If you change your passwords on even a semi-regular basis (as Google recommends), cybercriminals most likely have no way to access your accounts or personal information.

If your Gmail address has been compromised (or even if it hasn't, and you want to be safe), be safe: Change your Gmail password to something totally different, and consider adding two-step verification to your Google account. Change the passwords to any accounts on which you've entered your Gmail address as a contact address.

Otherwise, just remember that password breaches are relatively common and tend to get overblown in mainstream-media coverage.

UPDATE: Tom's Guide contacted Google for comment, and the company responded by directing us toward toward the following blog post.

"We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," Google Google Spam & Abuse Team Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher wrote. "We've protected the affected accounts and have required those users to reset their passwords."

"It's important to note," they added, "that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources."

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.