Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

9/11/2014
10:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Google: No Breach In Latest Online Dump Of Credentials

The online leak of some 5 million username and password combinations consisted of mostly stale or older credentials that don't actually work, Google says.

Speculation was high yesterday in the wake of a Russian news outlet's report that some 5 million Google usernames and passwords had been "doxed" or dumped online for all to see.

Google set the record straight late yesterday that no breach of Google systems had occurred and most of the dumped credentials were stale: less than 2% of the credentials actually work. The search engine giant says its automated anti-hijacking systems would have blocked any attempts to use any working stolen credentials.

"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' -- the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users," Google said in a blog post.

Google reiterated what most security experts already had inferred: that the stolen usernames and passwords were not the result of a Google breach, but instead due to everything from credential reuse on the web to possible malware and phishing attacks.

"For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials," Google said.

Google recommends users adopt its two-factor authentication option, as well as create a strong and unique password.  

Said David Hobbs, director of security solutions at Radware, businesses and consumers should now expect their personal information to be leaked at some point. "Users need to keep in mind that the best defense is a good offense -- minimize your vulnerability by thinking twice about what data is placed in the cloud," Hobbs says. "Also, the standard best practices hold true: stop using the same passwords across multiple online services, and create a rotation plan for regularly changing passwords."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
9/17/2014 | 9:47:29 AM
Re: a realistic statement
I agree, in today's world there is no way to 100% insulate yourself from a breach.  Well, unless you deal only in cash, don't go to the doctor, dentist or do business with anyone who needs to know your name.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/12/2014 | 6:27:30 AM
Re: a realistic statement
Agreed. We've been saying this about businesses for some time now, but it's also true for consumers. So it's a wise and realistic perspective for consumers to adopt as well. 
soozyg
50%
50%
soozyg,
User Rank: Apprentice
9/11/2014 | 9:29:07 PM
a realistic statement
Said David Hobbs, director of security solutions at Radware, businesses and consumers should now expect their personal information to be leaked at some point

I like this statement! Because no program, no coding is ever truly safe, someone's always going to try to get in. So, people should just calm down about it...we should EXPECT our information to be breached, not surprised. Great quotation.
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8818
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
CVE-2020-8819
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...