5 Million Google Passwords Leaked

Stolen Credentials Surface on Russian Cybercrime Forums

By Mathew J. Schwartz, September 10, 2014.

Google users are being urged to change their passwords in the wake of 5 million stolen credentials surfacing on Russian cybercrime forums.

Electronic-crime specialist Peter Kruse at CSIS Security Group in Copenhagen, Denmark, is one of several security experts who have spotted a leak of data involving millions of credentials from Google and other webmail providers.

What's not yet clear, however, is where the stolen information comes from, or how old it might be. "Some [credentials] have been confirmed to be three years old and some [are] suspected to be even older," Kruse tells Information Security Media Group. As a result, any Google users whose details were compromised might not be at risk of account takeovers, provided they've changed their passwords in the last three years.

The stolen information has surfaced on multiple cybercrime forums. "They were distributed to several Russian forums and then shared through different file-sharing services," Kruse says. "The origin/source of the leak is still unknown. Our best guess is that it comes from various sources."

A Google spokesman says there's no indication that the information in circulation is the result of a hack against its systems. "The security of our users' information is a top priority for us," he says. "We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts." Notably, the service already alerts users to unusual account activity - including changes in a user's log-in location, or the device they're using - and offers a two-factor authentication system, which would block any unauthorized log-in attempts using stolen credentials.

Multiple individuals whose Google account usernames - which double as Gmail e-mail usernames - appear in the data dump have reported that the leaked passwords date from some time ago. "It has my address in there, but with a password I haven't used in 7 or 8 years," says one commenter in a related Reddit thread.

A related 109MB text file is circulating on the Internet that lists the nearly 5 million Google usernames - and thus Gmail addresses - affected, although it redacts the stolen passwords. Reportedly, some dumps of the stolen data that include both the usernames and passwords are also now in circulation, beyond the cybercrime forums on which they first appeared.

Data Leak: Huge

The trove of about 5 million leaked Google account credentials is a significant data breach, says Morten Kjaersgaard, CEO of endpoint security vendor Heimdal Security, which is owned by CSIS Security Group.

"Normally, you don't think 5 million is that much, because you hear 5 million here, and 5 million there - but that's a lot of data shifting around in hacker communities," Kjaersgaard says. Furthermore, the stolen Google credentials that have come to light may represent only a fraction of what was stolen. "There could be a lot more than just this 5 million. It could be that this was just a dump that was sold to someone [by the hackers] and placed on a forum, but the actual dump could have been 50 million - who knows?"

#Gmail #leak of 5 million accounts confirmed legit. They likely originate from various sources. Most passwords more than 3 years old.

Precautions to Take

In the wake of the stolen Google credentials surfacing, Kjaersgaard recommends users "regularly change your passwords - once per month, for example - and use different credentials for every site," so that hackers can't use dumps of stolen data to log into accounts on other sites.

The stolen Google data comes to light in the wake of a high-profile breach of celebrity Apple customers who used its iCloud service to back up their mobile devices.