JACKSONVILLE, Fla. – Experts are encouraging Gmail users to change their passwords after more than 5 million combinations of usernames and passwords used for Google's mail service were posted online.
Tech experts said the information was posted on a Russian bitcoin forum that may have taken Gmail accounts from everyday sites, and some of the passwords posted are still active.
The hack appears to be part of a phishing scam: the goal is to get people to enter their usernames and passwords into scam websites to find out if their email is secure, ironically compromising their own security in the process.
Officials said don't be fooled by any of these sites -- just change your password.
"What happens is this database was compiled over multiple smaller websites, some of them interlinked and some of them just random and had the same vulnerability, so Google didn't get hacked," explained Chris Hamer, a network administrator with the Bradford County Sheriff's Office. "But these guys have hacked hundreds of thousands of web pages and compiled that info and pulled out all of the Gmail addresses and say 'oh use this password.'"
Hamer said many of the emails on the list are three to five years old. In a statement released Wednesday, Google acknowledged the possible hack and said only 2 percent of the passwords might be active.
"We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts," the statement read. "We've protected the affected accounts and have required those users to reset their passwords."
Hamer said hearing about the hack, no matter how big or small it might be, should make all Gmail users do one thing.
"If you haven't changed your password in the three-five years, first off, shame on you. Second - go change your password," Hamer said.
Hamer said users should lock their passwords down like a medieval fort.
"You understand how an old medieval fort is constructed? Basic security model. It has an outer moat and even beyond the moat it has fields that are less easy to traverse so that's one layer of security," Hamer said. "The moat is the second layer of security. The wall is the third layer and then you have other lockable rooms. That's how you should think about your passwords."
Google also said it's important to note that in this case, and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.
