Panic as breached details of 183m accounts, including Gmail, emerge

“Users can protect themselves from credential theft by turning on two-step verification, adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this.”
Why was Google singled out in these stories?
The 183 million accounts represented in the data are not all from Gmail, so its singling out does appear to be the result of a misunderstanding. Many articles, headlines and social media posts say explicitly that 183 million Gmail accounts have been breached, which is not the case.
In a post last week Hunt described his process of verifying the breached data, which included reaching out to people through the emails listed. Some articles have used this to say that the 183 million accounts have been verified, which is also not the case.
While Synthient and Hunt posted discussing the data last week, the online frenzy of articles and search traffic appeared to begin late on Monday, and may have been triggered by an accurate report on Forbes.com.
What exactly does the data contain?
Hunt received 2.6 terabytes of data, comprising 23 billion rows of credentials. But despite these huge numbers, the exposure of the data isn’t necessarily catastrophic.
Some of the data comes from stealer logs, which are the output of malware that has infected computers to report back web addresses, emails and passwords. There’s a large amount of repetition in these logs, so it takes some analysis to decide if anything is new or current.
Hunt said that from a sample of 94,000 entries, 92 per cent had been found in stealer logs previously. From 183 million accounts, that does mean there are millions of email addresses in this data that haven’t previously been marked as compromised.
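The kind of analysis described above, deciding how much of a stealer-log dump is repetition and how much is genuinely new, can be illustrated with a small triage script. This is an added example, not code from Have I Been Pwned or Synthient: the log lines, the "url|email|password" layout and the set of previously seen credential pairs are all constructed here for illustration, and the real corpus is far larger and messier.

```python
from urllib.parse import urlparse

# Constructed sample in a stealer-log style layout ("url|email|password").
# Every value below is made up; none of it comes from the Synthient data.
SAMPLE_LOG = """\
https://mail.example.com/login|alice@example.com|Winter2024!
https://shop.example.net/account|Alice@Example.com|Winter2024!
https://bank.example.org/|bob@example.com|hunter2
https://mail.example.com/login|carol@example.com|correct-horse
https://forum.example.net/|dave@example.com|qwerty123
https://forum.example.net/|dave@example.com|qwerty123
"""

# Constructed stand-in for credential pairs already marked as compromised in
# earlier stealer logs (the "previously seen" portion of a new dump).
PREVIOUSLY_SEEN = {
    ("alice@example.com", "Winter2024!"),
    ("bob@example.com", "hunter2"),
}


def parse_stealer_log(text):
    """Parse lines into (host, email, password) tuples.

    The email is lower-cased so that the same account logged with different
    capitalisation is counted once; the password is kept exactly as logged.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first two separators only, so a '|' inside the
        # password does not shift the fields.
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        url, email, password = parts
        host = urlparse(url.strip()).hostname or url.strip()
        rows.append((host, email.strip().lower(), password))
    return rows


def triage(text, previously_seen):
    """Summarise a dump: distinct pairs, share already known, and what is new."""
    rows = parse_stealer_log(text)
    pairs = {(email, pw) for _, email, pw in rows}
    known = {p for p in pairs if p in previously_seen}
    new_pairs = pairs - known
    # Hosts where a previously unseen credential was captured; these are the
    # services whose passwords should be reset first.
    hosts_to_reset = sorted({host for host, email, pw in rows if (email, pw) in new_pairs})
    return {
        "raw_lines": len(rows),
        "distinct_pairs": len(pairs),
        "previously_seen": len(known),
        "percent_seen": round(100 * len(known) / len(pairs), 1) if pairs else 0.0,
        "new_emails": sorted({email for email, _ in new_pairs}),
        "hosts_to_reset": hosts_to_reset,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, PREVIOUSLY_SEEN).items():
        print(f"{key}: {value}")
```

On the constructed sample, six raw lines collapse to four distinct credential pairs, half of which were already known; the same shape of calculation, on a 94,000-entry sample, is what produces a figure like the 92 per cent quoted in the article.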
Other data comes from credential stuffing lists, which criminals use to attack services where users may have re-used passwords. So for example they could take a password associated with your Vietnam Airlines account, and try it with your PayPal account.
What is Have I Been Pwned?
The data breach information website has been around for years and has become a go-to resource for finding out if your credentials have ended up in the hands of criminals. Hunt collates huge amounts of data taken from breaches into the system, allowing users to search through it without further exposing the damaging info. You can enter your email address or password to check if it’s listed in any breaches.
Have I Been Pwned also offers a service that will alert you if your email address appears in any data breaches, and an API businesses can use. Several providers of password management software use this API to automatically check user passwords against breached data.
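The password check that password managers perform through this API works without sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, and matches the remaining 35 characters locally against the returned list of suffixes and breach counts. The following is an added example of that client-side logic, not code from Have I Been Pwned or any password manager. The endpoint URL and the "SUFFIX:COUNT" response format are the publicly documented ones; the sample response embedded below is constructed (its counts are made up) so the example runs offline, and the `fetch_range` helper is only used if no offline lookup is supplied.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # publicly documented endpoint


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download the range response for a prefix (network call; not used by the offline test)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range_response(suffix, response_text):
    """Return the breach count for a hash suffix in a "SUFFIX:COUNT" response, or 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, range_lookup=fetch_range):
    """Return how many times the password appears in breach data, using k-anonymity.

    Only the 5-character prefix ever leaves the client; `range_lookup` is a
    callable mapping prefix -> response text, so an offline lookup can be
    substituted for the network call.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, range_lookup(prefix))


# Constructed response for prefix 5BAA6 (the real prefix for the password
# "password"). The suffixes other than the first and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": """\
00A3F9C5D0F3C7B5A3B4C7D9E1F2A3B4C5D:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FEDCBA9876543210FEDCBA9876543210ABC:17
""",
}


def offline_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed sample; unknown prefixes get an empty list."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-42"):
        n = check_password(pw, offline_lookup)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample")
```

A count above zero means the password has appeared in breach data and should be replaced; a count of zero only means it is not in the list, not that it is strong. The design point worth copying is that the server never learns which of the roughly 500 to 1,000 hashes sharing a prefix was the one being checked.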
What should I do to stay safe?
Just because you have a Gmail address, it doesn’t mean you’re at risk from this data breach, since there are billions of Gmail users. But it doesn’t hurt to check your address at Have I Been Pwned.
It will let you know if it’s found in any breach collections (the latest one is called “Synthient Stealer Log Threat Data”), so you can see what other types of data might also have been stolen.
It’s a good idea to change your password at any service where your email is found, and activate multi-factor authentication (MFA) if possible.
As always, it’s poor digital hygiene to re-use the same password twice, and important services like email and banking in particular should have unique strong passwords, or be moved to passkeys or other MFA.