The user names and passwords to nearly 5 million Google Gmail accounts have been posted in a Russian internet forum, sparking concerns that a new, large-scale hack may have taken place.
Users of Reddit's /r/netsec forum noted that while many of the credentials appear to be valid, the file itself could be a compilation of logins from different, older sources, and not gleaned from Gmail itself.
This includes the giant 2103 Adobe breach that saw up to 38 million credentials being leaked.
The file originated on the Russian forum.btsec.com site overnight but it may have been making the rounds before on other sites, Reddit users suggested.
iTnews has sighted a copy of the file with the user credentials, but not attempted to verify that they work.
Just woke up to 10k visitors an hour on @haveibeenpwned looking for Gmail data - importing now...— Troy Hunt (@troyhunt) September 10, 2014
Several other websites have picked up the credentials archive and set up facilities that allow users to check if their credentials are in the database; users are advised to be careful entering any log in details into websites operated by unknown people, as this may serve to confirm that they are active and lead to accounts collected for spamming.
Earlier this year Google had taken measures to add extra security to its Gmail service by ensuring traffic between the company’s data centres was fully encrypted.
Update 12/09/2014: Google’s abuse team has responded to the credentials dump, saying it has protected the affected accounts as well as required the users of those to reset their passwords.
The abuse team at Google found that less than two percent of username and password combinations in the dumps would have worked. Furthermore, Google said that its automated anti-hijacking systems would have blocked many of the login attempts to those accounts.