The news that “5 million Gmail passwords were hacked” caused worldwide consternation when it first broke on Wednesday, but as more information comes to light, it appears the news isn't quite as bad as initially feared – although, by modern hacking standards, “Not as bad as initially feared” still leaves plenty of room for badness.
That said: if you have a Gmail account and worry the hacking might affect you, you probably have nothing to fear — provided your Gmail account has an exclusive password you don't use anywhere else. On the other hand, if you use the same password across multiple accounts, that's when you need to worry — and remind yourself of the well-known online safety rule “Never use the same password across multiple accounts.”
Here's a summary of the major points known so far: first of all, it appears that Gmail itself was not hacked — the hackers never actually gained access to the Gmail database and information therein.
Discussion forums
Instead, this appears more like the StubHub “hacking” discovered last July: identity thieves gained fraudulent access to over 1,000 StubHub accounts, without ever breaking into the StubHub database. The hackers had broken into and stolen passwords from various other websites, discussion forums and password-protected online places, and discovered that at least some of those stolen passwords worked in the victims' StubHub accounts, too.
It does appear that when hackers successfully steal the password to one of your accounts, they'll try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers last summer were concerned, it did. And it might have worked for upwards of 5 million Gmail accounts, too.
Or maybe not. What actually happened? On Tuesday evening, someone in a Russian Bitcoin forum posted a list of 5 million stolen Gmail-connected passwords. The passwords apparently came not from Gmail itself, but from various registration-required sites where people used a Gmail account to register. The Western media discovered and reported that list late in the afternoon of Wednesday, Sept. 10.
Can't confirm
But there was something strange about those passwords: most of them were useless from an ID thief's perspective, because they were too old, long since changed by their owners.
Mashable.com reported late Wednesday evening that “We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.”
Engel and Mashable weren't the only ones to find outdated information on the list; plenty of people on Twitter did too. For example, Ben Ten @Ben0xA tweeted “That gmail dump looks very old folks. Can confirm a dummy account w/ password that was already changed twice. Dump has original pw.”
Here's how the hack apparently worked. Suppose that, many years ago, your Gmail password was 12345 (which, by the way, is a very weak password choice that you should never use in real life). Then you used that Gmail account to register with – well, any website requiring an email address to register: posting comments on your local newspaper's online stories, joining a discussion forum about your favorite hobby or musician, whatever.
And suppose further that when you registered with that website, call it DiscussionForum.com, you ignored or did not know the “Never use the same password across multiple accounts” rule, so you used the password 12345 for both your Gmail account and your forum account.
But over the years since then, you've had to change either your Gmail password, your DiscussionForum.com password, or maybe both.
Presumably, the hackers at some point managed to break into the DiscussionForum.com database and stole your name, Gmail address and your old 12345 forum password. They did not actually steal your Gmail password — unless you were foolish enough to use your DiscussionForum.com password as your Gmail password too.
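The scenario above is what a service provider screens for when a dump like this surfaces: which of its users still have a current password matching the leaked one (and need a forced reset), and which entries are stale. The following is an added example, not code from the article or from Google; the user records, the leaked entries and the helper names are constructed for illustration, and passwords are stored as salted PBKDF2 hashes so the leaked plaintext is checked against the hash rather than a stored password.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_record(email: str, password: str) -> dict:
    """Simulate what the provider stores: never the password, only salt + hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def screen_dump(user_store: dict, dump: list) -> tuple:
    """Classify each (email, leaked_password) pair from a published dump.

    at_risk: the leaked password still opens the account -> force a reset.
    stale:   the account exists but the leaked password no longer matches.
    unknown: no such account on this service.
    """
    at_risk, stale, unknown = [], [], []
    for email, leaked_pw in dump:
        record = user_store.get(email)
        if record is None:
            unknown.append(email)
        elif verify(record, leaked_pw):
            at_risk.append(email)
        else:
            stale.append(email)
    return at_risk, stale, unknown


# Constructed sample data (hypothetical accounts, not from the real leak).
USER_STORE = {
    "reuser@example.com": make_user_record("reuser@example.com", "12345"),
    "rotated@example.com": make_user_record("rotated@example.com", "correct horse battery staple"),
}
LEAKED_DUMP = [
    ("reuser@example.com", "12345"),    # still reuses the old forum password
    ("rotated@example.com", "12345"),   # changed it years ago: stale entry
    ("nobody@example.com", "hunter2"),  # not a user here at all
]


def run_screening() -> tuple:
    return screen_dump(USER_STORE, LEAKED_DUMP)
```

Only the first account would get a forced reset; the other two entries illustrate why a dump of old passwords produces far fewer live compromises than its headline count suggests.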
So why did the hackers in that Russian Bitcoin forum bother stealing and posting these antique passwords anyway? Probably to show off and gain status among their fellow hackers. A senior advisor for the online security firm Sophos told Mashable that he doubted many of the posted accounts would still be valid: “There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals.”