With two-factor authentication you are happily providing Gmail with your phone number. They say they need this to send you a verification code when you log into your Gmail account. Then they say:
"During sign-in, you can tell us not to ask for a code again on that particular computer."
Well, if that's the trick, they don't need your phone number at all; they can do an IP and OS check anyway.
Interestingly, there are a large number of non-gmail.com addresses in there, including 123k yandex.ru addresses, plus a (very) small number of yahoo.com and hotmail.com addresses. Here's the output of "cut -d@ -f2 | sort | uniq -c | sort -nr":
The data hasn't been very well edited from whatever dump it came from. For example, there are lines that end in "gmail.com_xtube", "gmail.com7777", "gmail.com|login", etc, which are curious.
I bet there are some people who have other leaked account & password lists, and since the isleaked.com site is kind enough to give the first two characters of the password for any given email account, it'd probably be possible to guess the passwords for some of those accounts.
Every time something like this is posted, where there is a site to check if your email address is in some leaked list, I really wish they'd just tell me how to get the list itself. Instead, they ask me to trust that they will not use my email address, and I have to hope that they won't leak it.
I generally don't bother, because it's just more security risks.
It could be even more dangerous than you are imagining.
If you check a username, then you would probably also be revealing the IP address range and browser referrer that is normally used to access your account.
Google uses IP address and location to help detect illegal access. So giving away this information could make it easier for your account to be stolen.
"If you don't like to specify your full email address for any reason, you can replace up to 3 characters with asterisk sign (e.g., for [email protected] enter myac*[email protected]), thus we'll show you a count of matches for this pattern. We respect your privacy."
Though back when I had that password my account was hacked. I'd wager this is just Gmail address+password combos collected from other leaks (read: not from Google). Really this just seems to be an attempt at sensationalizing.
Me too. It gives the first two letters of a pw that I have used in the past but as far as I'm aware, not on that account. This raises all kinds of questions...
Edit: it does the same on a much older account that I rarely use, too. Not the current password but the first two letters of what is likely a much older pw.
I can also verify this. One of my gmail accounts was in there, incidentally the "trash account" I use when I sign up for various services online.
And the password was one of my lowest security "trash passwords" I use with this e-mail as login sometimes if it's a service I wouldn't trust or don't care if it's compromised.
So I wouldn't worry about this. Someone had their site hacked most likely and these are logins to the site, not from Google.
For me, it has a password I don't ever recall using with gmail. If I have, I don't think it's been in the past few years.
That said, it's my throwaway password I use on services I'm not particularly worried about. I fear that this isn't a gmail leak but instead a different service.
If you search for the character '+' in the list of e-mails you can get an idea where the mails leaked from. It seems to me like this is a collection of databases scraped from different sources as others have suggested.
For Gmail users, it's good practice to register on websites using [email protected] (e.g. [email protected]); that way you'll know who leaked your data when it appears in lists like this or when you get spam. Gmail ignores the plus character and anything that follows it. You can also add dots at arbitrary positions in the username part.
I have always wondered what use is this with regards to spam and sneaky address lists. What exactly prevents someone from cleaning up the addresses before letting them out?
If I were a badly behaved site and sold my user list, I'd probably remove all plus-suffixes from the addresses. Same as if I were a blackhat stealing them to be sold.
I can tell from the first 2 characters that the leaked password associated with my email address was scraped from Pizza Hut Australia's online ordering system (they only recently implemented SSL on the login page).
It's interesting that I set up a particular password for that service when I noticed it didn't use SSL. Makes me wonder how many databases this comes from. It certainly isn't Google's.
Out of interest, do you know from your data as to when your Pizza Hut Australia account could have been compromised? Was it a plus addressing [email protected] type email address?
Would be interested to know more about this. I'm @junto on Twitter if you don't mind contacting me. It would be appreciated.
It isn't the actual Gmail passwords that are leaked. One of my accounts is there, but the password is one I have used on other sites, never on the actual Gmail account.
1. Found your password with the same email address somewhere
and ask if you still use that email address on another site.
2. And get your IP, then log in through a proxy to bypass the security checks.
3. Still, to know which email address is in use.
If you're just worried, change your password right now without using their service. :P It may be good that every few months some guys remind you to change passwords.
I just checked using a bunch of throwaway email accounts I had to sign up for various promotions. One of them was leaked - and one of them had a very old password associated with it.
I now use KeePass2 to manage all my passwords - so the old password has absolutely nothing to do with the new one. This makes me think that they simply tried to use some other hacked site, and checked to see whether the same pwd was recycled for gmail.
The full list was leaked, my email was on it but I've never used that password for an email account in my life. It's my throwaway "I don't trust this website" password. I use it for a reason!
On August 20 an address of mine was entered and my Origin account was subsequently compromised. Looks like this leak matches the creds that account had before I reacted. Happily enough it was a low equity account, I had 2FA and nothing else seems to have been grabbed.
Edit: to clarify, I had 2FA on an account which alerted me to the Gmail compromise. I obviously messed up with that email account.
It says mine is in it but suggests the wrong password. I don't think I even had a password with those letters plus I've had 2FA for a while now. Wonder how legit this is.
The problem with 2FA for me is that I am underground for a good part of my day, without reception.
I use google voice to get notified of calls and voicemails so I can be fairly responsive, but obviously using another service that can be accessed in multiple places defeats the point, especially when owned by the same people.
My email is on there, but the password is not the one I'm currently using. Though I wonder which site or sites I've been using this password on. Has anyone figured it out? I'm going to crosscheck with my saved passwords list in Firefox when I get home.
sinak | 11 years ago
- Google: https://www.google.com/landing/2step/
- Github: https://github.com/settings/security
- AWS: http://aws.amazon.com/mfa/virtual_mfa_applications
- Facebook: https://www.facebook.com/settings?tab=security
- Twitter: https://twitter.com/settings/security
- Dropbox: https://www.dropbox.com/account/security
- Lastpass: http://helpdesk.lastpass.com/security-options/google-authent...
- More: https://twofactorauth.org/
tonymon | 11 years ago
https://mega.co.nz/#!ewU1wCKA!P52rdL5tMcugRxi8ALyZlGnfE_KSB4...
Alternative: http://rghost.net/57937836
The thing is that this site mentions another site where, in the comments section, you can find links to a 7zip archive with the emails.
mct | 11 years ago
https://gist.github.com/anonymous/255959493c0a26cce856
unbelievr | 11 years ago
- Bioware (54)
- Bravenet (19)
- Bryce/daz3d/daz (244)
- Eharmony (64)
- Filedropper/fd/etc. (113)
- Freebie/Freebiejeebies (64)
- Friendster (65)
- Hon (42)
- Policeauctions (28)
- Savage/Savage2 (116)
- Xtube/porn (200ish)
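As an added example (editor's code, not from any commenter on this thread), here is a small Python script that does by hand what several comments above describe: it counts addresses per domain like the `cut -d@ -f2 | sort | uniq -c | sort -nr` pipeline mentioned earlier, pulls out Gmail plus-tags to attribute where an address leaked from (the source list just above), canonicalises Gmail addresses (dots and the `+tag` ignored, googlemail.com folded into gmail.com) so one mailbox under several spellings counts once, and lets you check your own address against a local copy of the list rather than submitting it to a third-party lookup site. The dump lines are constructed for the example; the real list's exact format is not shown on this page, so any line that is not a bare `local@domain` (like the `gmail.com_xtube` / `gmail.com|login` lines noted earlier) is simply reported as malformed rather than guessed at.

```python
import re
from collections import Counter

# Constructed sample, modelled on what the thread describes: one address per
# line, some with plus-tags, dotted / mixed-case Gmail variants, and a few
# lines with trailing junk. Not real leaked data.
SAMPLE_DUMP = """\
alice+bioware@gmail.com
a.l.i.c.e@gmail.com
Alice+eharmony@Gmail.com
bob@yandex.ru
carol+xtube@gmail.com
dave@gmail.com_xtube
erin@gmail.com|login
frank@hotmail.com
alice@gmail.com
"""

# Deliberately strict: a bare local@domain with a plausible TLD. Anything
# else (trailing "_xtube", "|login", ...) is treated as malformed.
ADDR_RE = re.compile(r"^([^@\s]+)@([a-z0-9.-]+\.[a-z]{2,})$", re.IGNORECASE)
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def parse_line(line):
    """Return (local, domain) for a clean address line, else None."""
    m = ADDR_RE.match(line.strip())
    if m is None:
        return None
    return m.group(1), m.group(2).lower()


def canonical(local, domain):
    """Collapse an address to the mailbox it actually reaches.

    Gmail ignores dots in the local part and everything from '+' onwards,
    and googlemail.com is an alias of gmail.com. For other providers we
    only case-fold (assumption: the provider treats the local part
    case-insensitively, as the big webmail services do).
    """
    local = local.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def plus_tag(local):
    """The tag after '+' in the local part, lower-cased, or None."""
    if "+" not in local:
        return None
    return local.split("+", 1)[1].lower()


def analyse(dump):
    """Per-domain counts, plus-tag counts, canonical mailbox set, and the
    lines that did not parse as a bare address."""
    domains = Counter()
    tags = Counter()
    mailboxes = set()
    malformed = []
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            malformed.append(raw)
            continue
        local, domain = parsed
        domains[domain] += 1
        mailboxes.add(canonical(local, domain))
        tag = plus_tag(local)
        if tag is not None:
            tags[tag] += 1
    return {"domains": domains, "tags": tags,
            "mailboxes": mailboxes, "malformed": malformed}


def is_listed(address, mailboxes):
    """Check one address against the canonical mailbox set locally, so the
    address never has to be sent to a third-party lookup site."""
    parsed = parse_line(address)
    if parsed is None:
        return False
    return canonical(*parsed) in mailboxes


if __name__ == "__main__":
    result = analyse(SAMPLE_DUMP)
    # Same output shape as: cut -d@ -f2 | sort | uniq -c | sort -nr
    for domain, n in result["domains"].most_common():
        print(f"{n:7d} {domain}")
    print("plus-tags (likely leak sources):", dict(result["tags"]))
    print("unique mailboxes:", len(result["mailboxes"]))
    print("malformed lines:", result["malformed"])
    print("listed?", is_listed("Ali.ce+anything@gmail.com", result["mailboxes"]))
```

Two things the canonical form makes concrete: first, the plus-tag attribution only works against a seller who was too lazy to strip suffixes, exactly as a comment above points out; second, a `+tag` or extra dots hide nothing from an attacker, because credential stuffing against Gmail lands in the same mailbox either way, which is why the check above compares canonical forms rather than raw strings.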
archenemy | 11 years ago
Honest question, no snark.
ars | 11 years ago
So I don't think this is a hack of google itself, but rather just collecting addresses from elsewhere and collecting the gmail ones.
hmottestad | 11 years ago
I had (stupidly) been using the same password on other sites, so after I was hacked I made a new password just for Gmail.
Now I also have two-factor authentication :)