It was reported that a database containing usernames and passwords for almost five million Google accounts emerged on a Russian forum. Google themselves blogged yesterday to say that less than 2% of the username and password combinations might have worked, and their automated anti-hijacking systems would have blocked many of those login attempts. Commenting on this, Lancope CTO, TK Keanini, said:
"Before I make any statement, two action items are necessary:

1. If a website offers two factor authentication (2FA), use it now. If they don't, pester them until they do.
2. Change all your single factor authentication passwords now. If you are not using a password manager, use it now.
The only thing that makes 5, 10, or even 20 million stolen accounts useful is when they work, and by changing the password or moving to 2-factor authentication, you bring the value of these leaked accounts to zero! Do your part in making it harder for the bad guys.
There is some pretty solid evidence that this was not an attack on Google directly, as users have reported that accounts were from 20+ other sites on the Internet dating back to 2008. If you are still using the same password for an account you established in 2008, you have a near zero chance of it being secure. Many of these sites are PHP-based, so it may be a zero day in PHP, or I would not be surprised if this is just the aggregation of years of phishing and Heartbleed attacks, as those two alone could have generated these types of numbers over the years."