We all like to think our accounts are secure, but every time we hear about a breach we all shudder a little. Well, overnight Time Magazine reported on a leak of 4.93 million usernames and passwords, posted on a Russian Bitcoin security forum late Tuesday.
While the forum where the leak occurred gave assurances that at least 60% of the leaked credentials were in fact active and ready to be ‘used’, that was not the case. As usual, Google was onto the leak: they advised that they were aware of it and reported on its legitimacy on their Online Security blog, where they said:
We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.
Google were quick to point out that the leak was not the result of a breach of their security, but most likely a result of malware or phishing used to acquire the details:
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources. For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.
If the Heartbleed SSL bug didn’t make you switch over to a password manager with individual passwords for each site, perhaps this will.