Google Gmail users told to change passwords after five million accounts were compromised

Russian hackers release login names and passwords of five million Google Gmail users

Google has become the latest company to suffer an embarrassing security breach when Russian hackers released the usernames and passwords of five million Gmail users.

According to Russian technology blog Habrahabr, the compromised information was most likely gleaned via a combination of phishing expeditions and the use of weak passwords by Gmail users, rather than the compromise of Google hardware.

Researchers at Danish security specialists CSIS claim to have analysed the data and have suggested that some of it is up to three years old, based on correlations with past leaks. The account holders are mostly English, Russian, and Spanish.

A user going by the alias "tvskit" posted the archive file on Bitcoin security forum btcsec.com, claiming that more than 60 per cent of the credentials were valid. Similar databases of email addresses and passwords from popular Russian language email services Yandex and Mail.ru were published earlier this week.

The breach is serious because the Gmail password might unlock access to a range of Google features, including Google's Drive cloud service and even the mobile payment system, Google Wallet.

Users concerned that their Gmail passwords may have been leaked can check their status on "Is my email leaked". Gmail users have also been advised to change their passwords as a precaution.

Security experts have also advised that users should adopt two-factor authentication using their mobile phone numbers - if they feel comfortable giving information giant Google what is effectively a personal serial number to add to its database.

In a blog posting, Google admitted the "credential dump", but was keen to reassure users that it was not the result of a security lapse by the internet giant.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources," claimed Google.

The posting also suggested: "We found that less than 2 per cent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We've protected the affected accounts and have required those users to reset their passwords."