


GMail password breach

SUMMARY: If you have, or have had, a Gmail account, the password to that account may have been compromised.  A list of approximately 5 million Gmail addresses and passwords was posted online on September 9, 2014.  You should change your Gmail password, and, if you use the same password for your Cornell NetID, you MUST CHANGE your Cornell NetID password immediately by visiting

<http://netid.cornell.edu/>.

Refer to the “Protecting Your Identity” section of the IT@Cornell website for more details on managing your user accounts.

<http://www.it.cornell.edu/security/identity/passwords/>

IMPACT: If the same password used for Gmail accounts was used for work, school, banking, or other accounts, those accounts may be at risk. Repercussions could range from simple to severe, such as your account being used to send spam, theft of your bank deposits, or hackers using your account to conduct widespread damaging attacks.

BACKGROUND: On September 9, 2014, it was announced that approximately 5 million Gmail user accounts and passwords had been leaked and posted online.  Google has acknowledged the posting of these credentials and has encouraged users to change their password and enable two-step verification, a security measure in which the user must enter a one-time passcode sent to their mobile device, in addition to their password, when signing in.

At this time, it does not appear that the list of credentials came from a breach of Google's own systems.  Instead, it appears to be a collection of Gmail addresses that had been used as usernames on other sites, paired with the passwords used on those sites.  This underscores the risk of using the same password for multiple sites.  Google has stated that only a small percentage of the leaked username and password combinations might have worked on Google accounts.

Google has taken steps to protect the affected accounts and has required those users to reset their passwords.

RECOMMENDATIONS: We recommend that you take the following actions:

1. CHANGE PASSWORDS IMMEDIATELY. If you used the same password for Gmail and other accounts, you should immediately change your passwords at the other locations and monitor for unusual activity.  If you used the same password on your Gmail account as you used for your Cornell NetID, you must change your Cornell NetID password immediately by visiting <http://netid.cornell.edu/>.

2. GMAIL PASSWORDS SHOULD BE RESET only by manually visiting the Google website, and not by clicking on links arriving via email, as there is now a concern that there will be a rise in phishing related to this event.

3. NEVER REUSE YOUR INSTITUTIONAL PASSWORD for external web sites or Internet services. If you reuse a password at multiple locations, then when that password is compromised at one site, miscreants can gain access to every site where you used it. The best policy is to always use a different password for each account.

4. CREATE STRONG PASSWORDS OR PASSPHRASES [1]. The Wikipedia Guidelines for Strong Passwords [2] is a good starting point.

5. CONSIDER THE USE OF A PASSWORD “WALLET” (password manager) such as KeePass or LastPass. These tools make it easy to have a strong, unique password for every web site or service, since the tool generates and remembers the passwords for you.

6. BE ON THE LOOKOUT FOR PHISHING. Miscreants will be using the Gmail breach as a pretext for phishing.

7. USE INFORMATION THAT IS NOT EASILY GUESSED. When providing password hints, use information that is not easily guessed or discovered. For example, if your hint is “dog’s name” and you mention your dog on social networking sites, miscreants can discover that information.
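As an added illustration of recommendations 4 and 5 (this script is not part of the original advisory and is not Cornell's or Google's code), the following Python shows the arithmetic behind the xkcd passphrase advice in [1] and what a password manager does when it generates a unique password per site. The word list is a constructed 32-word stand-in so the script runs offline; the guess rates are assumptions for illustration (1000 guesses/second is the online-attack figure xkcd uses; an offline attack against a leaked password database is many orders of magnitude faster).

```python
import math
import secrets
import string

# Constructed, deliberately small word list so the script runs offline.
# A real diceware-style list has 7776 words; the entropy functions below
# use the size of whatever list you pass in, so substituting a real list
# gives the right figures for it.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bright", "candle",
    "dolphin", "ember", "forest", "garnet", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "nectar", "orbit", "pepper", "quartz",
    "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bison", "copper", "drizzle",
]  # 32 words -> 5 bits of entropy per word

# Assumed guess rates for illustration only (not figures from the advisory).
ONLINE_GUESSES_PER_SECOND = 1_000            # xkcd 936's online-attack rate
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000  # plausible for cracking leaked hashes
SECONDS_PER_YEAR = 365.25 * 86_400


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of num_words words drawn uniformly, with replacement, from a
    list of wordlist_size words. Only holds when a CSPRNG picks the words;
    words a person chooses from memory carry far less entropy."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of `length` characters chosen uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(num_words, wordlist=SAMPLE_WORDLIST, sep="-"):
    """Random passphrase. `secrets` is a CSPRNG; `random` is not suitable."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def generate_password(length=20,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password of the kind a password manager generates and stores."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords_for(sites, length=20):
    """What a password manager does: one independent secret per site, so a
    breach at one site reveals nothing about the others."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # The xkcd 936 comparison: four words from a 2048-word list (44 bits).
    bits = passphrase_entropy_bits(4, 2048)
    print(f"4 words from 2048: {bits:.0f} bits; "
          f"{years_to_exhaust(bits, ONLINE_GUESSES_PER_SECOND):.0f} years online, "
          f"{years_to_exhaust(bits, OFFLINE_GUESSES_PER_SECOND) * SECONDS_PER_YEAR:.0f} s offline")
    print("words for 77 bits from a 7776-word list:", words_needed(77, 7776))
    print("sample passphrase:", generate_passphrase(6))
    for site, pw in unique_passwords_for(["gmail", "netid", "bank"]).items():
        print(f"{site}: {pw}")
```

The two guess rates make the practical point: a 44-bit passphrase holds up for centuries against an online attacker who is rate-limited by the site, but falls in under an hour once the attacker has an offline copy of the password database. That is why a unique, manager-generated password per site matters more than any single password's strength: the leaked list this advisory describes is exactly the offline case, and reuse turns one site's leak into access everywhere.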

REFERENCES:

[1] http://xkcd.com/936/

[2] http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

