If you’re a Google Gmail user, this is bad news. An archive of about 5 million Gmail addresses and plain text passwords was leaked to an online forum. The good news is the data is old, but better security is still needed.
CSIS Security Group, a Danish security company that provides cybercrime intelligence to law enforcement agencies and financial institutions, says it collected a “large data set” of leaked credentials associated with Gmail. The firm puts the number of accounts at just over 5 million and said the leak appears to have come from sources other than Google itself.
Peter Kruse, chief technology officer at CSIS, pointed out that a similar data leak associated with the Russian Web mail service Mail.ru also found its way into the public eye last week. Millions of accounts from Mail.ru were dumped online. CSIS believes the Gmail data came from the same source that leaked the Mail.ru data.
“This episode illustrates that security is now a major, ongoing headache for consumers who will have to live with regular data breaches,” Greg Sterling, Vice President of the Local Search Association, told us. “They will thus be forced to change passwords and confront more burdensome multiple-factor authentication systems as publishers and e-commerce sites implement stricter and more Byzantine security measures in the new cat-and-mouse world of hacking.”
We also asked Craig Young, a security researcher at security firm Tripwire, to weigh in on the data leak. He told us, quite frankly, he’s surprised this incident is receiving attention considering there’s no indication that the compromised passwords came directly out of Google’s system. It’s likely that a variety of Web sites failed to properly secure user credentials and someone just picked out all the Gmail accounts for resale on the underground, he said.
“The unfortunate reality is that the state of Web security is light years behind where it needs to be, resulting in an Internet where a teenager can compromise hundreds of Web sites in a matter of days just using Google and a hacking tool like sqlmap,” Young said. “Spoils from such hacks are commonly traded on underground forums in exchange for digital currency, access to other systems, or simply for prestige.”
As Young sees it, Google’s two-step verification is a very helpful tool for protecting Gmail accounts. Unfortunately, most, if not all, two-factor authentication systems still share a fundamental weakness: the authentication process typically ends in an all-powerful session token, and an attacker who hijacks that token gets the same access to the target system as a user who has just completed a two-factor login, he added.
“This problem was recently highlighted in a breach of Juniper VPN technology leveraging the Heartbleed attack to collect session tokens and bypass authentication on the target,” Young said. “The fact that three-year-old passwords are being leaked also serves as a reminder why it is important to periodically change passwords. The fact that a small percentage — less than 2 percent — are still valid Google credentials only serves as a reminder that too many consumers reuse passwords and don’t change them frequently enough.”
Finally, Ken Westin, a security analyst at Tripwire, told us this leak reveals the troubling truth regarding the large amount of data available to criminal groups as a result of unreported breaches. He noted the data breaches we hear about really are just the tip of the iceberg when it comes to the full amount of stolen credentials, credit cards and other data available to cybercriminals.
“Many breaches are never detected, so the target organization is unaware of the compromise and it goes unreported,” he said. “In addition, user credentials are routinely harvested in phishing attacks and aggregated over years and then sold through underground markets.”