
This week Google said that the breach did not originate with them, but came from multiple other sources. They also noted that only 2% of the data accessed would actually work. In response to the possible threat, they’ve warned all users whose details have been accessed to change their password on any at-risk accounts, and have assured users their automated anti-hijacking systems will have blocked most attempts.
Companies like Google claim they have multi-layered security protocols to protect users from attacks of this nature. So you may be wondering how these names and passwords were accessed. If not through Google, then who?
Well, any time you use your Gmail address to sign into a website, you expose yourself. And if that site is not as well resourced and protected as Google, then your details may be vulnerable. The team at Google says the risks increase when you use, “…The same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others.”
So although it’s a hassle having to change and remember more than one password, it may well be worth the extra effort. There are some great lockable apps you can purchase to store your password variations.
Other ways hackers can capture your details are malware and phishing scams. In a blog post on the recent breach, Google says, “We’re constantly working to keep your accounts secure from phishing, malware and spam. For instance, if we see unusual account activity, we’ll stop sign-in attempts from unfamiliar locations and devices. You can review this activity and confirm whether or not you actually took the action.”
So though it’s not good news, 2% is better than the originally claimed 60% validity of the posted credentials. The stolen details were in some cases three years old, which meant many users had already changed their passwords.
CSIS Security Group is a Danish company which helps financial institutions fight cybercrime, and after some investigation, their researchers concluded that some of the user names and passwords were never even used for Google accounts. This seems to confirm that the breach happened outside of Google’s systems altogether.
Google has the following three common-sense tips for users:
1) Make sure you’re using a strong password unique to Google.
2) Update your recovery options so we can reach you by phone or email if you get locked out of your account.
3) Consider 2-step verification, which adds an extra layer of security to your account. You can visit g.co/accountcheckup where you’ll see a list of many of the security controls at your disposal.
(Photo courtesy of Bhupinder Nayyar)