In the wake of a list of 5 million stolen Gmail usernames and passwords appearing on the Internet, Google says it has locked down all affected accounts. The search giant says that it's detected no breach of its systems that might have resulted in the credential dump and suggests the information came from other sources.

More than just networking - our Fraud Summits provide actionable plans to put to work at your organization. Register Today >

"We're always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers' credentials," Google's spam and abuse team says in a "cleaning up after password dumps" blog post.

The information reportedly first surfaced on Russian cybercrime forums, and was soon circulating via file-sharing sites and BitTorrent. "It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," the company says. "Often, these credentials are obtained through a combination of other sources."

Many of the leaked credentials appear to be at least three years old, and to relate primarily to U.S. and U.K. users, according to a Danish language analysis of the password dumps published by Peter Kruse, an e-crime specialist at security firm CSIS Security Group.

Google says most of the leaked credentials would have posed little risk to Google service users. "We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," the company reports. "We've protected the affected accounts and have required those users to reset their passwords."

Security experts have commended Google for quickly reviewing the leaked data and locking down at-risk accounts in the wake of the credential leak. "Kudos to Google for analyzing the contents of the password dump and releasing information in a blog post following disclosure," London-based Gavin Millard, who's the European, Middle East and Asia technical director at Tenable Network Security, tells Information Security Media Group. "Follow their good advice and use two-step verification for login, if you don't already, to protect your account."

Leak Source Remains Unknown

The question of where the dumped credentials originated remains unanswered, although many security experts suspect they were amassed using a combination of phishing e-mails, botnet-backed malware infections on consumers' PCs, and hacks of third-party sites, all of which would have captured numerous credentials, not just related to Gmail users.

"The leaked passwords are more than likely from a larger cache, probably multiple ones, that an enterprising hacker spent a few minutes 'grepping' through for @gmail addresses," says Millard, referring to the Unix command-line utility grep, which can be used to search plain text for data that matches a given expression. "It's pretty common following a password dump that they are searched through for useful domains like corporate addresses for further exploitation."

If the dumped credentials didn't come from a breach of Google's systems, that means the leaked passwords associated with the Google usernames - which also function as Gmail addresses - were likely created for other sites. But because many people reuse their passwords across multiple sites, the risk now is that attackers could use the leaked credentials to log into any site at which a user registered using their Gmail address and the reused password.