Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

9/11/2014
10:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Google: No Breach In Latest Online Dump Of Credentials

The online leak of some 5 million username and password combinations consisted of mostly stale or older credentials that don't actually work, Google says.

Speculation was high yesterday in the wake of a Russian news outlet's report that some 5 million Google usernames and passwords had been "doxed" or dumped online for all to see.

Google set the record straight late yesterday that no breach of Google systems had occurred and most of the dumped credentials were stale: less than 2% of the credentials actually work. The search engine giant says its automated anti-hijacking systems would have blocked any attempts to use any working stolen credentials.

"One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' -- the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users," Google said in a blog post.

Google reiterated what most security experts already had inferred: that the stolen usernames and passwords were not the result of a Google breach, but instead due to everything from credential reuse on the web to possible malware and phishing attacks.

"For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials," Google said.

Google recommends users adopt its two-factor authentication option, as well as create a strong and unique password.  

Said David Hobbs, director of security solutions at Radware, businesses and consumers should now expect their personal information to be leaked at some point. "Users need to keep in mind that the best defense is a good offense -- minimize your vulnerability by thinking twice about what data is placed in the cloud," Hobbs says. "Also, the standard best practices hold true: stop using the same passwords across multiple online services, and create a rotation plan for regularly changing passwords."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
soozyg
50%
50%
soozyg,
User Rank: Apprentice
9/11/2014 | 9:29:07 PM
a realistic statement
Said David Hobbs, director of security solutions at Radware, businesses and consumers should now expect their personal information to be leaked at some point

I like this statement! Because no program, no coding is ever truly safe, someone's always going to try to get in. So, people should just calm down about it...we should EXPECT our information to be breached, not surprised. Great quotation.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/12/2014 | 6:27:30 AM
Re: a realistic statement
Agreed. We've been saying this about businesses for some time now, but it's also true for consumers. So it's a wise and realistic perspective for consumers to adopt as well. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
9/17/2014 | 9:47:29 AM
Re: a realistic statement
I agree, in today's world there is no way to 100% insulate yourself from a breach.  Well, unless you deal only in cash, don't go to the doctor, dentist or do business with anyone who needs to know your name.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1001
PUBLISHED: 2019-11-21
Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.
CVE-2014-8356
PUBLISHED: 2019-11-21
The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference.
CVE-2015-3140
PUBLISHED: 2019-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567
CVE-2019-19207
PUBLISHED: 2019-11-21
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
CVE-2019-19203
PUBLISHED: 2019-11-21
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.