By 
Yesterday, we reported on an unfortunate (or fortunate, depending on which way you look at it) episode of an account leak. A database of Gmail accounts was posted to a Russian bitcoin site. This wasn’t a breach (that is, someone sneaking into Google’s servers and getting credentials), but instead a product of many years of phishing and social engineering — that is, tricking people into putting their Gmail username and password into an untrustworthy site.
It could also be the result of a different site getting breached and them putting the email address associated to that account into their nasty database. The latter scenario would only affect your Gmail account if you happen to use the same password across multiple sites, and if you’re doing that then you should stop immediately.
Today, more details have been brought to light. Google confirmed that only a small subset of the accounts in that database were actually affected — less than 2%, according to them — and that they have already taken necessary steps to protect those users. The other accounts are either already purged or they simply don’t exist, so as of now no one should be in danger of having their accounts breached.
At the end this all served as a good reminder to take the time and effort to make sure you’re never being manipulated into giving your username and password to people you don’t know. Check the security certificate of a site before you login to make sure you are actually at that site.
Most web browsers will show a green button with a lock icon which you can click to find out if the website is genuine. This episode also reminds us that it’s never a good idea to use the same password on multiple sites, and that you should be changing your password fairly often (at least once every few months, if not more frequently). And, as always, we recommend setting up 2-step verification on your Gmail account just to have that added peace of mind.
It should be pointed out that it yes it is a bad idea to use the same password on multiple accounts, but this is 100 times more important with your email account as gaining control of that could lead to ALL of your other accounts being compromised (using the forgot my password functionality). I heavily recommend lastpass, it can even autofill in passwords on android apps and in chrome.
It can’t be said enough:
1. Use a password manager (that creates unique, complex passwords for every site)
2. Use Two-Pass authentication wherever it’s available.
Do you have any recommendations of cross-platform password managers that can maintain login information for multiple sites AND have an auto-login feature that works with both websites and native Android apps?
That’s a lot to ask, but considering there are many different platforms to access these sites and services on it’s certainly something I wouldn’t mind having.
But yes, I agree. A password manager is a must.
Personally, I use LastPass. For desktop browsers, it’s free. For Android, they charge a subscription fee — $12/year. I’m currently using it without the Android subscription fee as I just don’t have enough (or any) apps that require constant logins on my phone.
There’s also 1Password, Roboform, and KeyPass.
I prefer KeePass, open source, free, and there is an Android app for it. I have donated to KeePass as it’s that great. Better than any proprietary password managers like LastPass, etc.
+1 for open source. I’ll check it out, thanks!
I used http://www.gmaileak.com to check if my account was compromised
Regardless of the leak, couldn’t you just change your password and be done? I’m not inputting my email into some random site. I get enough spam…
As annoying as the 2-step verify thing can be, it’s well worth it. Trust me.