UPDATE–Nearly five million email addresses along with a list of passwords said to correspond with those email addresses showed up on a Russian-language Bitcoin security forum forum last night. Most of the email addresses belong to Gmail users.
While the source of the email addresses and the relationship of the passwords to them remain unclear, a number of sources have either identified or recognized the legitimacy of many of the addresses included in the dump. That said, a number of the addresses are believed to be quite old and in some cases either suspended or deactivated.
The Daily Dot is reporting that Google told Russian media sources that much of the information is old, likely gathered from a series of hacks and phishing attacks over the last five years or so. If that is true, it would quell the notion that the long list of Gmail addresses were ascertained in a recent attack on Google or some other service storing these addresses.
Anecdotal reports also suggest that the email addresses may have been obtained in a data breach that occurred several years ago. At least one commenter in the network security sub-Reddit noted that the password paired with his Gmail account was one that he hadn’t used in more than seven years. Another commenter claimed to recognize one the corresponding passwords but said he had never used that particular password for his Gmail account, though he had used it for another online account. Of course, these claims could not be independently verified.
A cursory look through the list of email addresses reveals that, in addition to Gmail, there are several Yandex, mail.ru, Yahoo and Hotmail addresses as well.
Google security officials said that they had been aware of the password and email address dump for a few days and already had taken action to protect any Gmail accounts that may have been affected.
“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords,” Google officials said in a post Wednesday.
“It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.”
This story was updated on Sept. 10 to add Google’s comments.