Almost five million Gmail email address and password combinations have been posted online on a Russian Bitcoin forum.
Google says that there was “no evidence” that its systems had been hacked. Security analysis of the list by Google engineers found that only around 2% of the combinations worked to access Gmail accounts.
The search giant has requested that customers in that 2% reset their passwords and has protected their accounts, but said that the security leak has come from one or more other sites where users use their Gmail email address as a username, or from phishing attacks on users.
A number of Reddit users found that their Gmail email addresses were in the leak, but the password associated with the address was used for other sites and not for accessing their Gmail accounts.
Further investigations discovered that some email addresses in the leaked list are followed by a “+” sign and the name of a website (some Gmail users use +word in their email addresses, such as firstname.lastname@example.org, for certain sites to help filter emails). These words point to the hacked addresses coming from websites including friendster, filedropper, xtube and freebiejeebies.
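The attribution described above, as an added example that is not part of the original article: it tallies the +word tags in a dump to show which sites the addresses were registered with, without ever reading the passwords. The sample lines, the address:password layout and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in an assumed "address:password" layout.
# Every address and password below is invented for illustration.
SAMPLE_DUMP = """\
alice.smith+friendster@gmail.com:hunter2
bob+filedropper@gmail.com:letmein
carol@gmail.com:qwerty
Dave.Jones+Friendster@GMAIL.COM:passw0rd
erin+xtube@gmail.com:abc123
not-an-email-line
frank+@gmail.com:emptytag
"""

# local part, optional +tag, domain. Matching stops at the first ':' so the
# password field is never captured or stored.
LINE_RE = re.compile(r"^([^@+:\s]+)(?:\+([^@:\s]*))?@([^@:\s]+)(?::|$)")


def tag_counts(dump: str) -> Counter:
    """Count plus-tags in a dump; untagged or empty-tag addresses count under None."""
    counts = Counter()
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at them
        # Tags are compared case-insensitively; "+" followed by nothing is no tag.
        tag = (m.group(2) or "").lower() or None
        counts[tag] += 1
    return counts


def tagged_sites(dump: str) -> list:
    """Return (tag, count) pairs, most frequent first, ties broken by name."""
    counts = tag_counts(dump)
    pairs = [(t, n) for t, n in counts.items() if t is not None]
    return sorted(pairs, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    for tag, n in tagged_sites(SAMPLE_DUMP):
        print(f"{tag}: {n}")
```

A tag only shows where the address was registered, so a high count for one tag suggests that site as a source but does not confirm it.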
While the source or sources of this leak are currently unconfirmed, users can check whether their email address and password have been leaked by using the Is Leaked? tool, and everyone is reminded not to use the same password for multiple websites and services.