gmail passwords leaked

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
Welp, leaked results were right on my account. Enabled two step and changed pw. Wasn't a fan of two step when it first came out felt like a pain in the ass to use across multiple devices.

It's pretty painless for the sites that implement it well...basically everyone that uses Google Authenticator.

Paypal's implementation, OTOH, is fairly retarded and doesn't even work with their own apps.
 

bradley

Diamond Member
Jan 9, 2000
3,671
2
81
One of my five Gmail accounts produces a 502 bad gateway error, weird. LastPass is telling me I last changed my password in 2008, so I updated it with a 100 character password, including special characters.
 

Saimon

Junior Member
Sep 24, 2009
7
0
61
it may not be your gmail password that was leaked ...
http://lifehacker.com/5-million-gmail-passwords-leaked-check-yours-now-1632983265

Update 2: We still aren't sure how these passwords were leaked or when—but some folks over on Reddit discovered that these may not, in fact, be Gmail passwords, but passwords leaked from other web sites over the years that were associated with Gmail addresses.

Mine was apparently leaked, but not my Google password. It was my Microsoft password, which uses my gmail address as a username.

Both accounts have two-factor authentication, so I'm not worried, and I suppose that password was pretty weak to begin with.
 

rh71

No Lifer
Aug 28, 2001
52,844
1,049
126
... and a whole buncha people learned about 2 factor authentication today.
 

It's Not Lupus

Senior member
Aug 19, 2012
838
3
76
You don't want to enter your email into some random site. It could be added to some spammer's list.

You could download the archive/text file itself and ctrl+f for your address.
 

SlitheryDee

Lifer
Feb 2, 2005
17,252
19
81
You don't want to enter your email into some random site. It could be added to some spammer's list.

You could download the archive/text file itself and ctrl+f for your address.


Engadget is a pretty reputable site though. I assume they wouldn't link you to a site that is planning to sell your information to spammers. I could be wrong though.
 

amddude

Golden Member
Mar 9, 2006
1,711
1
81
I feel pretty confident these aren't gmail passwords, but are from other places.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
isleaked.com

That's the link you go to to check if your password was one of the ones leaked. I'm curious to see if any ATOTer's account got leaked. Apparently mine wasn't.

Also: Two factor authentication. Use it. Live it. Believe in it.

Those test your password sites should obviously only be used after you have changed the password you're testing. I don't think it would be too hard for them to connect you with a google email address.
 

BoomerD

No Lifer
Feb 26, 2006
65,568
13,940
146
None of my gmail addresses are listed as compromised...nevertheless, I set up 2 step authentication.
I suspect it's gonna be a PITA later.
 

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
I hope more people turn on two-factor rather than ignore this as just another large leak.
 

Fritzo

Lifer
Jan 3, 2001
41,920
2,161
126
Like four years ago I sat down and had a beer with an IT Security guy and asked him what the most important thing for individuals to do to protect themselves was.

"Two factor authentication. Lock down your primary email address."

Been using it ever since.

This is true. Your primary email is the key to every other piece of information about you. If they can get in there, they can see you're getting emails from banks, financial institutions, social media accts, etc. They can then issue reset pwd requests from those locations and get access to everything you own on the Internet.

Think about that the next time your mom wants to use "password1" for her password.
 

bradley

Diamond Member
Jan 9, 2000
3,671
2
81
*Earlier at Google*

Engineer 1: We need to get our 2 factor authentication numbers up!

Engineer 2: I have an idea...

Google was affected by Heartbleed; Chrome was extremely porous and accepted most OpenSSL compromised certificates. If Heartbleed didn't warrant your attention, this should... as they are perhaps interrelated.

Too bad two-step authentication is such a pain and won't play nice with most apps.
 

TallBill

Lifer
Apr 29, 2001
46,017
62
91
Google was affected by Heartbleed; Chrome was extremely porous and accepted most OpenSSL compromised certificates. If Heartbleed didn't warrant your attention, this should... as they are perhaps interrelated.

Too bad two-step authentication is such a pain and won't play nice with most apps.

I've had no issue getting 2 step to work on any device or app.
 

bradley

Diamond Member
Jan 9, 2000
3,671
2
81

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
I've had no issue getting 2 step to work on any device or app.

Yeah, I've been using two-factor/2-step authentication for a while now via Google's and Microsoft's Authenticator apps without issues. I actually like the QR code scanning process, and it's pretty cool seeing the 8 or so codes on my phones refresh every 30 seconds. The good thing about using QR for the verification is that you can print a backup of the private key (works a lot like Bitcoin or other cryptography implementations in that respect).

It adds about 10 seconds to the login process, but it's worth it for the added security. And if you use a password manager you save some time by not having to manually enter your (hopefully random and unique per-site) passwords.
 
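What the authenticator apps described in the post above do with the secret carried in the QR code, as an added example that is not part of the original thread: a minimal RFC 6238 TOTP generator and a server-side check. `SAMPLE_URI` is constructed from the RFC 6238 test secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test secret ("12345678901234567890"),
# base32-encoded the way it would appear in an enrollment QR code.
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_otpauth(uri):
    """Extract the raw shared secret from an otpauth:// URI (the QR payload)."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # enrollment secrets usually omit padding
    return base64.b32decode(b32)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 with HMAC-SHA1: the code depends only on secret and time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, unix_time, step=30, drift_steps=1):
    """Server side: allow +/- drift_steps of clock skew, constant-time compare."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + d * step, step)
        ok |= hmac.compare_digest(expected, submitted)
    return ok

if __name__ == "__main__":
    import time
    key = secret_from_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(key, now)
    # Any device holding the same secret (e.g. restored from a printed
    # backup of the QR code) derives the same code for the same 30 s window.
    print("current code:", code, "accepted:", verify(key, code, now))
```

Because the printed backup is the whole secret, anyone who obtains it can generate valid codes, so it needs the same protection as the password itself.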

KillerBee

Golden Member
Jul 2, 2010
1,750
82
91
looks like that 'isleaked' site is suspicious:

IsLeaked registered 2 days before Gmail leak public
http://jameswatt.me/2014/09/10/isleaked-com-registered-2-days-before-gmail-leak-public/


Edit: a commenter explains why it was probably created 2 days before:

another possibility is that isLeaked.com was registered on the 8th was that it was first created for a similar leak on Yandex and Mail.Ru that was first reported about two days ago. IsLeaked does mention that they also provide a lookup tool for these sites as they do for Google.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
166
111
www.slatebrookfarm.com
Wow, I set up 2-factor so long ago, that it didn't even have my current phone number. I had forgotten that I had ever set it up.

What's weird, is wondering how google knows my current computer is a trusted computer. I.e., to change the phone number for 2 factor identification, all I needed was my password. If someone, somewhere, managed to get my password, what's to stop them from simply changing the phone number??

And, lastly, crap. It's been so long, I can't remember my password!
 

Crono

Lifer
Aug 8, 2001
23,720
1,502
136
Wow, I set up 2-factor so long ago, that it didn't even have my current phone number. I had forgotten that I had ever set it up.

What's weird, is wondering how google knows my current computer is a trusted computer. I.e., to change the phone number for 2 factor identification, all I needed was my password. If someone, somewhere, managed to get my password, what's to stop them from simply changing the phone number??

And, lastly, crap. It's been so long, I can't remember my password!

They can't change the phone number without first inputting a security code. If you lose your phone and try to change it yourself, Google makes you go through a more complicated account retrieval process.

If you have your phone right now, you can change your password, though.
 

irishScott

Lifer
Oct 10, 2006
21,562
3
0
Well I'm not on the list, not that I expected to be as there wasn't a breach.

I use keepass, so my password is 40 random characters. It's also sweet to never have to type in a password, just copy and paste. Never have to enter a password twice because my finger slipped. Sounds like a small thing, but it's made logins a lot smoother.
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
Wow, I set up 2-factor so long ago, that it didn't even have my current phone number. I had forgotten that I had ever set it up.

What's weird, is wondering how google knows my current computer is a trusted computer. I.e., to change the phone number for 2 factor identification, all I needed was my password. If someone, somewhere, managed to get my password, what's to stop them from simply changing the phone number??

And, lastly, crap. It's been so long, I can't remember my password!

When's the last time you logged in to your google account on that machine? With two-step on, it should only be trusted for 30 days with google. Google does have the option to add a phone number or other email address for account recovery, without enabling two-step auth, so are you sure it was actually enabled?

With two-step on, they should need an access code to even log into your account, and thus couldn't change any settings in the first place.
 