Millions of Google Credentials Leaked

Almost five million gmail credentials were posted to a Russian language bitcoin forum a few days ago. Google’s official position is that these credentials were harvested externally and that gmail itself does not have a vulnerability that has allowed credential disclosure.

This seems like a reasonable position given the limited (relative to the massive number of gmail users) number of credentials leaked. I believe the list was harvested through the use of password stealing malware or through social engineering (e.g. phishing) and/or a combination of such techniques. Some of the leaked passwords appeared unlikely to have been dictionary cracked so a leak of hashed passwords from Google looks even more unlikely.

UPDATE: A site has appeared – (unfortunately also Russian language) to allow concerned users to search the list of leaked credentials to see if they are affected. I would not personally enter my gmail address into a web resource published by an unknown party, as while the author’s intent may be benevolent it is also equally likely that form submits are being harvested for unsolicited email lists.

UPDATE: PC World and the mainstream tech media have taken up the story.