Hackers recently posted 5 million Gmail username and password combinations on a Russian internet forum, putting a wealth of users' personal information within reach of other cyber criminals. Google says that many of the pairs were out of date and that only an estimated 2 percent, about 100,000 accounts, were working credentials that would have let an attacker sign in. The search giant says it has already contacted those users and asked them to reset their passwords.
It appears that the leak was not the result of a breach at Google itself. Rather, the credentials were most likely collected from other, less secure websites where people had registered with their Gmail address. Many retailers, for example, let you use your email address as your username for online shopping. If you reuse the same password there, a cyber criminal who breaches the retail site walks away with a working Gmail login as well.
As Google points out in a public statement, these kinds of leaks are not going away any time soon.
"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' - the posting of lists of usernames and passwords on the web," the company writes. "We're always monitoring for these dumps so we can respond quickly to protect our users."
While this particular leak is receiving a great deal of media attention, other credential dumps, most of which surface in obscure corners of the Internet, may well go undetected by Google and the general public. That is why this story is such an important reminder to take aggressive steps to guard your own accounts, rather than relying only on the vigilance of others.
Here are some lessons we can learn from the Gmail password leak:
Complex passwords: Passwords should not contain names or dictionary words, even spelled backward; cracking tools try those variations first, so they are far too easy to guess. A strong password is long and uses a seemingly random mix of lowercase and capital letters, numbers and symbols, and length matters as much as variety, because every extra character multiplies the number of guesses an attacker must make. Some people use a mnemonic phrase to remember such a password. (If your password is maM83c!G4h, your mnemonic could be "my aunt Mabel ate three cupcakes! Good for her.")
Two-factor authentication: Enable two-factor authentication wherever it is offered. It adds a second check to your account beyond the password. Give Google your mobile number and, when you sign in from an unfamiliar device with your username and password, Google texts you a confirmation code that you must enter on that computer, tablet or smartphone before the sign-in completes. Even if hackers obtain your username and password, two-step verification would stop them at that second step, and an unexpected code arriving on your phone is also a warning that someone tried to sign in as you. Where a site supports it, an authenticator app or a hardware security key is stronger than a text message, since SMS codes can be intercepted or redirected by an attacker who takes over your phone number.
Unique passwords: Perhaps the single greatest mistake you can make with your online security is reusing one password across accounts. Imagine that hackers get past the defences of your favorite online retailer or social media site. If you use only one password, the cyber criminals now have access to your email, online banking and cloud accounts as well. If, on the other hand, every site has its own password, the damage stops at the site that was breached. Consider using a password manager like SafeConnex to keep track of all of your passwords, storing them in a secure, easy-to-use digital vault.
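The monitoring Google describes in its statement and the unique-passwords lesson are two sides of the same check: a dump of email:password pairs from a breached retailer is "active" on Gmail exactly for the users who reused the retailer password. The following Python is an added example, not Google's code, that runs that triage over a constructed dump against a constructed mail-provider account store that holds only salted PBKDF2 digests (so every comparison must re-run the hash), and then forces the hits onto random, site-unique passwords. Names, the sample users and the 100,000-iteration work factor are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Tuple

ITERATIONS = 100_000  # demo work factor; production uses more, or Argon2/scrypt
DUMMY_SALT = os.urandom(16)


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """Minimal account database: a per-user random salt and PBKDF2 digest, never the password."""

    def __init__(self, name: str):
        self.name = name
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, kdf(password, salt))

    def check(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            kdf(password, DUMMY_SALT)  # burn the same time so timing does not reveal which emails exist
            return False
        salt, digest = rec
        return hmac.compare_digest(kdf(password, salt), digest)


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Dump lines are 'email:password'; split on the first colon only, passwords may contain colons."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def triage(dump_text: str, store: UserStore) -> Dict[str, List[str]]:
    """Classify each dumped pair: 'active' (still logs in here: force a reset), 'stale', or 'unknown'."""
    result: Dict[str, List[str]] = {"active": [], "stale": [], "unknown": []}
    for email, password in parse_dump(dump_text):
        if email not in store.users:
            result["unknown"].append(email)
        elif store.check(email, password):
            result["active"].append(email)
        else:
            result["stale"].append(email)
    return result


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def force_reset(store: UserStore, email: str, length: int = 20) -> str:
    """Replace a compromised password with a random one used nowhere else (a password manager's job)."""
    new_password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    store.set_password(email, new_password)
    return new_password


# Constructed sample dump, in the email:password shape such forum posts use; not from the real leak.
DUMP = """
# leaked from a retailer, posted to a forum
alice@gmail.com:Tr0ub4dor&3
bob@gmail.com:bobshop2014
carol@gmail.com:Winter2012!
dave@example.org:hunter2
eve@gmail.com:pa:ss:word
"""


def build_mail_store() -> UserStore:
    """Constructed mail accounts: alice and eve reused the retailer password, bob has a unique one, carol changed hers."""
    store = UserStore("mail")
    store.set_password("alice@gmail.com", "Tr0ub4dor&3")
    store.set_password("bob@gmail.com", "correct-horse-battery-staple")
    store.set_password("carol@gmail.com", "Spring2014!")
    store.set_password("eve@gmail.com", "pa:ss:word")
    return store


if __name__ == "__main__":
    store = build_mail_store()
    report = triage(DUMP, store)
    print(report)
    for email in report["active"]:
        force_reset(store, email)
    print(triage(DUMP, store)["active"])  # [] once the reused passwords are replaced
```

Two practical points follow from the code. Because the store holds only salted digests, each dump line costs one full key derivation, so checking millions of pairs is a batch job rather than an instant lookup, which is part of why providers monitor dumps continuously rather than on demand. And the only accounts the dump touches are the reused ones: bob, whose mail password differs from his retailer password, is unaffected even though his address appears in the dump.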