Speculation was high yesterday in the wake of a Russian news outlet's report that some 5 million Google usernames and passwords had been "doxed" or dumped online for all to see.
Google set the record straight late yesterday, saying that no breach of Google systems had occurred and that most of the dumped credentials were stale: less than 2% of the credentials actually work. The search engine giant says its automated anti-hijacking systems would have blocked any attempts to use any working stolen credentials.
"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' -- the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users," Google said in a blog post.
Google reiterated what most security experts already had inferred: that the stolen usernames and passwords were not the result of a Google breach, but were instead due to everything from credential reuse on the web to possible malware and phishing attacks.
"For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials," Google said.
Google recommends users adopt its two-factor authentication option, as well as create a strong and unique password.
According to David Hobbs, director of security solutions at Radware, businesses and consumers should now expect their personal information to be leaked at some point. "Users need to keep in mind that the best defense is a good offense -- minimize your vulnerability by thinking twice about what data is placed in the cloud," Hobbs says. "Also, the standard best practices hold true: stop using the same passwords across multiple online services, and create a rotation plan for regularly changing passwords."