Word that Russian hackers posted nearly 5 million Gmail usernames and passwords to a shadowy bitcoin forum pushed much of the Internet into a panic Wednesday. Many of Google’s hundreds of millions of users scrambled to see if they were among those victimized, though that very act was a risk because of the number of phishing sites aiming to take advantage of the situation.
Many of the log-in credentials included in the database were likely snagged in old hacks, with security experts speculating that hackers were able to find an individual’s information only after infiltrating another one of their online accounts and then trying that combination on Google (NASDAQ: GOOGL). A sizeable number of passwords likely came from outdated accounts on older sites, including Friendster and eHarmony.
Google confirmed as much in a security statement Wednesday evening, deeming the breach one of those “unfortunate realities of the Internet today” while advising all users to change their passwords frequently regardless.
“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts,” the company said. “It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems.”
Still, ominous headlines like “5 Million Gmail Usernames, Passwords Hacked” contributed to a sense that some kind of devastating security lapse was at hand. Google users, and there are hundreds of millions of them around the world, began seeking websites that could simply tell them whether or not their identity was included on the list in question. Of the sites available, the one to find the most traction online was IsItLeaked.com.
Is It Leaked debuted on Sept. 8, a date that initially seemed suspicious as it was launched 24 hours before the first evidence of the Russian hack appeared online. Yet the site’s administrators calmed the public’s nerves when they told reporters that Is It Leaked was actually launched for Russians who were trying to discover if their information was ensnared in a similarly wide-ranging hack on Mail.ru and Yandex, a very popular Russian Internet email server.
But little is known about the site’s founders, who only described themselves as a “small team of IT specialists” whose location is unknown. While the site does not require visitors to check if their information was involved, it’s possible that the page is generating a database of addresses to sell or use for spamming efforts at a later date.