Wednesday, October 29, 2025

    Is the Gmail Passwords Data Breach Issue True? Here’s the Truth

    A report about a Gmail passwords data breach has sent shockwaves across the Internet. Troy Hunt, who runs the website Have I Been Pwned (HIBP), has claimed that over 183 million Gmail passwords had been breached in a hacking incident that occurred in April this year. He claims that the data came from a broader hacking incident that was aggregated from across the Internet. However, Satnam Narang, Senior Staff Research Engineer at Tenable, states that this report may not entirely be true.

    Truth About Gmail Passwords Data Breach Issue

    “There are reports circulating in the media that 183 million “Gmail” passwords were “stolen” in a breach. However, these claims grossly misrepresent the reality of the situation. Google itself has not been impacted by a breach. Instead, researchers aggregated threat data from a variety of sources, which included 183 million unique credentials tied to various websites, including Gmail,” he says.

    “The source of this data is a combination of data leaked in other breaches, as well as data obtained from information stealers (infostealers), malicious software that is found on compromised machines, which, as the name implies, is designed to steal information, which includes usernames, email addresses and passwords. If a user logs into their Gmail account, financial institution, social media, and other accounts, this information will be captured in these stealer logs,” adds Narang on the Gmail passwords data breach incident.

    He further notes: “The researchers compiled a large dataset and this was shared with Troy Hunt of HaveIBeenPwned, a website that catalogues breach data and notifies users that opt in to the service whenever their email addresses end up in a data breach. Based on Hunt’s findings, the majority of this data (91%) had been seen previously, with around 16.4 million addresses seen for the first time in these stealer logs. Of course, it is important to note that not all of the data here may be valid, so that 16.4 million figure could be lower in nature.”

    Narang also mentions that one of the most common challenges when it comes to stolen account credentials is the re-use of passwords: “So when data like this is out there, the main challenge is, if users have re-used those passwords on other websites, an attacker could try to conduct ‘credential-stuffing’ attacks, where they attempt to stuff a bunch of email address/password pairs onto websites to see which ones return a successful login.”

    How Can Those Impacted Be Safe?

    Narang states: “The safety measures that users can utilise are to start by not re-using passwords, leveraging a password manager, whether it is built into their devices (e.g. Android or iOS), or a third party (1Password, Bitwarden, etc.), and utilising multi-factor authentication, where a second factor is required in order to log in. This includes SMS one-time passcodes, authenticator applications that generate a passcode every 60 seconds, as well as hardware tokens like a YubiKey or Titan Security Key. These are some of the security measures users can utilise to protect their accounts.”
