September 10, 2014

Cleaning up after password dumps

One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.

We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources. 

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

We’re constantly working to keep your accounts secure from phishing, malware and spam. For instance, if we see unusual account activity, we’ll stop sign-in attempts from unfamiliar locations and devices. You can review this activity and confirm whether or not you actually took the action.

A few final tips: Make sure you’re using a strong password unique to Google. Update your recovery options so we can reach you by phone or email if you get locked out of your account. And consider 2-step verification, which adds an extra layer of security to your account. You can visit where you’ll see a list of many of the security controls at your disposal.

Posted by Borbala Benko, Elie Bursztein, Tadek Pietraszek and Mark Risher, Google Spam & Abuse Team


  1. I'm all for using strong passwords. However, Google's own tool, Chrome, doesn't allow for pasting a password in the profile login dialog making it damn difficult to log in with a strong password…

  2. I think Google needs to update the instruction for creating app password for Mac OS/iOS devices. For example, because I use both a Macbook Air and an iMac (work and home) the instructions to not "write down the password" that accompany the newly generated app passwords for a Mac are incorrect. Because Google is not distinguishing specific computer terminals but rather just 'Mac' when a user generates an app password for Mail on Mac, and then updates a Mac with that app password, the other Mac cannot log in because (a) the same app password will not work for two different Macs coming from different IPs and (b) we wouldn't have that app password because we were instructed not to write it down.

    Also, because OS/iOS treats the Google services as a single Google account, the interface give the wrong impression that you will have to generate new passwords for each service (Mail, Contacts, and Calendars). Given that these services are grouped together by OS X/iOS updating the information for my Google account in the individual apps also update the 'global' internet account setting in OS X.

    Is that correct? Or have I misunderstood?


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.