
[–]vitzli-mmc 18 points19 points  (0 children)

19:38 UTC; 23:38 UTC+4/MSK (Moscow time) - original post on Russian forum.btsec.com

22:19 UTC; 02:19 UTC+4/MSK - text file with email addresses, but without passwords posted on forum.btsec.com

22:40 UTC; 02:40 UTC+4/MSK - thread about the leak on major Russian IT/Tech website habrahabr.ru, by forum.btsec.com moderator

00:36 UTC; 04:36 UTC+4/MSK - CNews.ru reports

01:47 UTC; 05:47 UTC+4/MSK - Lenta.ru reports and links to CNews.ru

03:47 UTC; 07:47 UTC+4/MSK - rt.com (Russia Today) reports and links to CNews.ru

~06:30 UTC; ~10:30 UTC+4/MSK - ycombinator links to isleaked.com as alleged gmail password leak.


It is not reported on English-language news websites because it started on a Russian security forum, spread through Russian news websites and it will take some time for European/American news agencies to pick it up (probably a couple hours from now (07:57 UTC)).

edit: two days ago similar files were posted for Russian webmail sites yandex.ru and mail.ru

[–]m1ss1ontomars2k4 32 points33 points  (25 children)

You can find me in the list, but not as a real email address--it's (my reddit handle)+(some website)@gmail.com. Could be a good hint as to where this came from. Wherever it is, it's definitely not from Gmail.

[–]cDull 27 points28 points  (15 children)

That is pretty smart of you, and there are many others that had the same idea. Just do a grep for '+' in the gmail account dump and you see a lot of eharmony, filedrop, friendster, bravenet, bioware, savage, xtube, and others if you do the command below. There might be more than 20 different website references in there.

This is definitely a compilation and a bunch of bullshit FUD.

    grep '+' google_5000000.txt | cut -d+ -f2 | cut -d@ -f1 | sort | uniq -c | sort -h | tail -n 21
     18 bravenet
     18 filesavr
     19 policeauctions
     25 4
     27 eh
     28 3
     32 freebiejeebies
     40 hon
     51 bryce
     52 savage2
     54 bioware
     57 spam
     60 2
     62 savage
     63 friendster
     64 eharmony
     66 daz3d
     88 filedropper
    125 1
    132 daz
    176 xtube

[–]xiongchiamiov 10 points11 points  (1 child)

Man, sort -nr that shit so the big things are at the top!

[–]mstrokin[S] 12 points13 points  (3 children)

that's why I put the quotes in the title, it's a compilation, but I've found my password in that file, that's why I wanted to share this knowledge

[–]vegatripy 7 points8 points  (0 children)

If there are no passwords in the hacked mail list... how do you know that?

[–]ihatewil 3 points4 points  (0 children)

where is the password list?

[–]Langly- 0 points1 point  (0 children)

A while back I accidentally entered one of my passwords in google instead of the password box, I found a huge text file that contained it and a ton of other passwords in it on some pastebin like site. Changed that one immediately.

[–]naww 3 points4 points  (0 children)

  • itickets.com, mythtvtalk.com, texasmonthly, bdsmlibrary, comicbookdb.com, usercash.com, frtfreedomforeveryone

etc.

[–]rpolitics_sucks 3 points4 points  (3 children)

Also a few dates in there. Lots of +2008xxxx and +2009xxxx but nothing past that. This is OLD stuff. If you don't use the same password for your gmail account and anything else or you've changed your password sometime in the last FIVE YEARS you're safe.

[–]tomun 2 points3 points  (2 children)

There's plenty of 2013 and 2014 in there, just not after a plus sign.

[–]Mitch_Mitcherson 3 points4 points  (3 children)

I want to make sure my email isn't on the list, is it safe to download that file to your computer?

[–]stewsters 1 point2 points  (0 children)

Yes. It's an ASCII text file. Don't make it an executable (.exe) and you should be ok.

[–]goc_work 3 points4 points  (3 children)

Mine at least came from DreamHost. Only place I use that email and password.

[–]preludeoflight 3 points4 points  (1 child)

This is interesting, as I too used dreamhost. It wasn't a purely unique combination for me, but that's definitely one of the places I used it.

[–]goc_work 3 points4 points  (0 children)

Also worth pointing out that Dreamhost was affected by HeartBleed earlier this year.

I'll bet a lot of these passwords are from sites similarly affected.

[–]BigAngryIT 1 point2 points  (0 children)

I believe mine was compromised from Blizzard. The password attached to my e-mail was one I used exclusively with that account.

[–]mstrokin[S] 1 point2 points  (1 child)

+filedropper

[–]GuidoZ 0 points1 point  (0 children)

FileDropper? I remember that site... like, ages ago.

[–]pavel_lishin 0 points1 point  (0 children)

Ditto. That particular email has only received email from two websites, both of which were clients of an ex-employer, which is slightly concerning.

[–]snapdeus 147 points148 points  (79 children)

DO NOT FUCKING PUT YOUR EMAIL ADDRESS INTO SOME BULLSHIT POST TO CHECK IF YOUR PASSWORD IS SECURE

[–]Zodihax 18 points19 points  (0 children)

This seems pretty legit. One of my burner emails was compromised, and someone had tried logging in with the correct password.

[–]quickhits 24 points25 points  (49 children)

Great advice. OP's account is two months old, has one link, and now wants you to enter your email address or download a file? Smells phishy.

[–]mstrokin[S] 13 points14 points  (45 children)

I get your point, please tell me where could I upload a raw txt file (bear in mind it's 103MB, so don't tell me to do a screenshot of full file).

It's not my fault I registered 2 months ago, is it? It's my real name (rather than scr1ptk1dd13 handle) as I have nothing to hide :)

[–]mathiasbynens 11 points12 points  (14 children)

[–]m4rx 2 points3 points  (0 children)

Thank you for this

[–]ScottieNiven 2 points3 points  (0 children)

None of my emails are on that, phew.

[–]Stulander 1 point2 points  (0 children)

I'm on the list! Yay! Just as well I have an insanely long password.

[–]SundrySix 0 points1 point  (0 children)

Thank you for the mirror

[–]eaglebtc 0 points1 point  (0 children)

Thanks for posting. One of my three email addresses is on there. Time to change the password, I guess!

[–]supercreeper1 0 points1 point  (0 children)

thanks for this, my primary account was on that list.

[–]JustHere4TheDownVote 0 points1 point  (0 children)

does it take a while to open it in notepad or something?

edit:

open with wordpad instead

[–]stating-thee-obvious 0 points1 point  (0 children)

what a boring textfile, it's missing all the passwords! ;)

[–]quickhits 4 points5 points  (20 children)

If this is a legitimate compromise then I appreciate your attempt to spread the news, but from where I'm sitting this seems awfully suspicious. I don't know where you could safely post the document, maybe someone else has an idea, but no way I'm downloading.

[–]OverVolt 12 points13 points  (18 children)

It's a 7-zip compressed text file hosted on a well known file host. There's really nothing unsafe about it.

[–]NowAndLata 3 points4 points  (2 children)

Maybe that's just what they want you to think. *Checks tin foil hat electromagnetic transmorphic neurological dissimulation device*

[–]Lurking_Grue 0 points1 point  (1 child)

Run it in two nested virtual machines.

[–]NowAndLata 2 points3 points  (0 children)

Why stop at two?!? Maybe ill just keep making virtual machines till i have my own internet and then nobody will ever be able to leat hacx764ksor me and ill be king of the interwebs!!!

[–]supercreeper1 1 point2 points  (0 children)

i pulled it, its just a text file, my main address was on there

[–]snapdeus 17 points18 points  (2 children)

and he has multiple accounts and is downvoting my comments across this thread. i've reported it a couple of times. it is seriously phishy.

and i just changed all my passwords.

edit: proper grammar

[–]quickhits 6 points7 points  (1 child)

I see the down-vote army burying all of your questions. Hopefully these folks read the comments before blindly giving up info or storing unknown files on their machines.

Any indications of this compromise seen elsewhere? I haven't been able to find anything.

[–]nekoningen 11 points12 points  (0 children)

There's no downvote army or alt-accounts, this guy's just paranoid and somehow can't believe that people other than OP would have a problem with his attitude and unhelpfulness.

[–]gmad 8 points9 points  (13 children)

Please explain why. You can *** your account to see. I can not possibly see any reason why this would be a risk other than perhaps you get added to some spam database

[–]dexxter67 16 points17 points  (12 children)

When you input your email address they could create a log with your info such as IP address, location, OS, browser version etc...

This info can then be used to bypass Google's security. Currently Google will block a sign in attempt if someone tries to login to your account from a different county. But if they already know where you live, they can bypass that.

[–]NowAndLata 3 points4 points  (2 children)

> Currently Google will block a sign in attempt if someone tries to login to your account from a different county.

Source? This would mean that you can't use gmail while on a VPN or a vacation, and that's just not true unless they just started this in the last couple days or so...

[–]iagox86 Trusted Contributor 2 points3 points  (1 child)

It's definitely untrue. It's definitely flagged as suspicious activity, but just logging in from another country isn't sufficient.

[–]NowAndLata 2 points3 points  (0 children)

Ya, I didn't think that i was hacking google when i logged in from other countries, but i did stay at a holiday inn express last night....

[–]sursmurf 22 points23 points  (2 children)

They had my email, but I never used that password in gmail. I've used it on other sites though so this most definitely comes from somewhere other than Google.

[–]carpii 5 points6 points  (0 children)

What password are you referring to? The dump I have is just a list of emails, with no passwords at all

[Edit: Ok so from what I gather, the password list wasn't released, and instead a dozen sites have cropped up allowing you to enter an email address and it claims to show you 2 chars from your password

This whole thing just seems like a social hack to harvest even more email addresses from paranoid users wanting to check if they were leaked]

[–]hateexchange 1 point2 points  (0 children)

> mail, but I never used that password in gmail. I've used it on other sites though so this most definitely comes from somewhere other than

Same here, I know what site too but I don't want to out myself.

[–]mstrokin[S] 23 points24 points  (15 children)

[–]raskaal[🍰] 7 points8 points  (8 children)

Do you have link to the passwords file too? Thanks

[–]Techno_Shaman 4 points5 points  (7 children)

It has not been released, and may not exist.

[–]raskaal[🍰] 3 points4 points  (3 children)

It is there. Some links people mentioned will give you the first two letters of your password. I have not tried it obviously but some people tried it and they found it to be correct. The comments were on some other thread and came from old reddit accounts.

[–]TheLinksOfAdventure 1 point2 points  (0 children)

Why doesn't this list have the +'s everyone is talking about?

[–]bemenaker 1 point2 points  (0 children)

Dafuq? how can you be a member of the /r and not be using 7zip?

[–]Stereo 12 points13 points  (6 children)

The most common strings used after + show which websites this might have been leaked from:

18 +bravenet@
18 +filesavr@
19 +policeauctions@
25 +4@
27 +eh@
28 +3@
31 +freebiejeebies@
40 +hon@
51 +bryce@
52 +savage2@
54 +bioware@
57 +spam@
59 +2@
62 +savage@
63 +friendster@
64 +eharmony@
66 +daz3d@
88 +filedropper@
125 +1@
132 +daz@
176 +xtube@

[–]ousivede 10 points11 points  (0 children)

Throw away account for ... reasons.

Can confirm that none of my regular emails are in there, but the one I used on xtube is.

[–]doug89 2 points3 points  (1 child)

I'm sure the next time something like this is published they'd removed the + and everything up to the @ to make investigation harder.

Now that I think about it that should be step one. I wonder why they didn't.

[–]vitoreiji 2 points3 points  (0 children)

Step 1.5 would be replace with misleading strings.

[–]vaendryl 1 point2 points  (0 children)

seems likely to me a LOT of these 'leaked'/'hacked' emails were actually 'SOLD'.

[–]judgemebymyusername 2 points3 points  (0 children)

My email address was in the list, but I haven't used any of those sites. I guess these are only the sites where people took the time to do a +website@ email.

[–]Sakred 0 points1 point  (0 children)

I have an old HoN account that is still active, prepurchased the beta and everything. My e-mail isn't on the list.

[–]eur0pa 7 points8 points  (1 child)

Why is this thread hidden on the main /r/netsec page?

[–]CorsarioNero 3 points4 points  (0 children)

I'm wondering the same thing. I can get to here from the link inside the article from /r/technology , but this thread does not show up on netsec's 'new' even.

[–]mstrokin[S] 31 points32 points  (21 children)

List of leaked emails:

https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ

if your email is there - it means at least 1 of your passwords is leaked (and if you use same password on all websites - you shot yourself in the knee)

[–]jipl 17 points18 points  (13 children)

You don't happen to have the non-redacted version do you? A password list of 5 million passwords would be nice for penn testing.

[–]Ta9aiW4i 25 points26 points  (0 children)

pennsylvania testing is what I'm going to call it from now on

[–]l_one 6 points7 points  (9 children)

Just did a search on my favorite site run by rum-drinking peg-legs and found the lists for mail.ru and yandex.ru, but nothing for google accounts as of the time I post this.

[–]preludeoflight 1 point2 points  (8 children)

Same for me as well, I've seen some references to people having it, but no actual file. As my email is actually in this list twice, I'm curious as to what they have, but I'm sure as hell not poking my address into those sites OP linked. I'd much rather find the source file and check myself.

Edit: Found the original file. Sure enough two old passwords that I've used on "throwaway" sites and never as gmail passwords. So, they're definitely gleaned from other websites and aren't leaked from google themselves, that's a good feeling.

Edit again: I'm sorry to those PMing me that I won't send you the file. I'm not sure where it'd fall on breaking reddit's rule of personal information, so I'd rather stick to the side of caution. I know it's frustrating to know that your information is out there. :(

[–]woobit 6 points7 points  (5 children)

Care to share the file?

[–]preludeoflight 1 point2 points  (3 children)

I really am not sure if that qualifies for breaking reddit's rule on personal information, and I don't want to get my account banned. :(

I will say I found it on another discussion forum by googling with the information found in this thread.

[–]woobit -1 points0 points  (0 children)

I totally understand, np.

[–][deleted]  (1 child)

[deleted]

    [–]preludeoflight 0 points1 point  (0 children)

    I've not sent it to anyone, because I'm not sure if it violates the rule and I don't want to take a chance. Sorry! :(

    [–]jipl 0 points1 point  (0 children)

    Do you happen to remember which websites you used those passwords on? I am curious which ones were compromised.

    [–]FrankPapageorgio 0 points1 point  (0 children)

    Thanks for the insight. I was wondering the same thing, seems they are just from other sites, and as long as you use a unique password for gmail you are safe

    [–]mstrokin[S] 0 points1 point  (0 children)

    I don't have it but it's somewhere in public

    [–]vitzli-mmc -1 points0 points  (0 children)

    and here is a list of some popular passwords: http://pastebin.com/T9PffikD

    [–]Soulwound 2 points3 points  (0 children)

    Thanks for the list, a couple of friends' gmail addresses turned up on the list, so I've told them they should change their passwords on google and any sites which use their gmail address as a login, and hopefully they will use a different password for each. I also advised them to enable google authenticator if they already hadn't done so.

    [–]Stulander 1 point2 points  (0 children)

    OK so the password leak is available on TPB - my email is listed there along with a password that I've used (nothing to do with my reddit username btw) maybe 10 years ago - but I never used it for my gmail account.

    [–]CUB4N 0 points1 point  (0 children)

    arrow to the knee

    ftfy

    [–]mstrokin[S] 11 points12 points  (23 children)

    As noted in previous comments, most likely (99.9% imho) these passwords were leaked from other websites, not directly from Google. I found my password there as well, but I can't remember when I have used it. It would be awesome if someone who uses unique passwords for every website could determine which of the websites was compromised.

    [–]nekoningen 1 point2 points  (20 children)

    I'm trying to check but I can't seem to download the list. I think the site's overloaded with traffic.

    You know any other place it's been uploaded? Nevermind, i think i have it downloading. I'll get back to you in... half an hour? Whenever it actually finishes downloading.

    [–]enigmamonkey 1 point2 points  (19 children)

    Are you referring to the list of emails that doesn't contain passwords? OP posted a mirror of that here: https://mega.co.nz/#!rgFDDRSD!QyyLxZNnR8i9fF_aNkKI-wUIUV3fjX5o0dxdl-bE3zQ

    [–]nekoningen 2 points3 points  (18 children)

    No, the one specifically with passwords. I can't check it against mine to see what site they ripped it from if i don't know what the password is.

    [–]enigmamonkey -1 points0 points  (13 children)

    Oh I see. Did you try this: https://isleaked.com/

    [–]jurkajurka 1 point2 points  (0 children)

    My email is up on that site; however, the password it is suggesting my account uses hasn't been used by my account in over 5 years.

    [–]asisingh 0 points1 point  (5 children)

    The first two characters of my password is wrong. I can chill right?

    [–]Draco1200 0 points1 point  (0 children)

    https://isleaked.com/

    Was the full list actually leaked or not? If it was, then there should be no difficulty showing a link to an ascii file with BOTH emails and passwords, right?

    [–]rafajafar 0 points1 point  (0 children)

    WOOT Got the full list of usernames and passwords. Good news is that my username and password combo in the list is one that I think I used once on some sketchy site and does NOT match my gmail password.

    [–]sonician 0 points1 point  (0 children)

    Hard to say. I have LastPass configured and all passwords are randomized 16-digit ones.

    The password it showed for me, I haven't used in a couple of years. (pre-Lastpass)

    [–]poborskyyyyy 6 points7 points  (11 children)

    Is there a list of passwords somewhere also? My email is on the list but I use unique, difficult password for gmail (the email that is on the database) and I want to see if they have my dummy password or the real deal I only use with gmail. Already changed my gmail just in case...

    [–]ruspow 1 point2 points  (8 children)

    im in the same boat and am curious what password they've got down for me. i think from the top post i got compromised because of freebiejeebies, i remember having an account there.

    [–]poborskyyyyy 0 points1 point  (7 children)

    I personally have never had an account there and the gmail email I have on list I have used only very selectively... on the sites I trust, thats why I'm so curious.

    [–]ruspow -1 points0 points  (6 children)

    if you put your email address in here: https://isleaked.com/ it will reveal the first 2 characters of your leaked password. fortunately the password ive had compromised is a shit one that i dont use any more :)

    [–]r3klaw 11 points12 points  (1 child)

    I just checked my e-mail address, and the string returned (first two characters) match none of the passwords i've ever used to my knowledge. Using two factor Google auth, should I still be worried here? (read netsec as a hobby, nothing more).

    [–]snapdeus 48 points49 points  (0 children)

    do not enter your email address into anything you see like this again.

    [–]xiongchiamiov 3 points4 points  (0 children)

    That site was not prepared for the traffic.

    [–]papercupz 2 points3 points  (0 children)

    I noticed today a couple of times I accessed gmail that a mystery .crx file kept downloading, but disappeared straight after. Could this be part of the breach?

    Edit, found them in the Chrome temp folder, still don't know what they are for.

    [–]ColinKeigher Trusted Contributor 3 points4 points  (3 children)

    https://canary.pw/view/?item=1bc5b34811b50f3fbce06cb550883727

    https://canary.pw/view/?item=87ecceaf19b0187e901e15c5bc8f8a9d

    Some of the e-mails here have been shown with other e-mail addresses. It does look like it is just a compilation but these results are new so I am perplexed.

    I'll whip up something in the morning to see where these all came from if they did at all. If someone wants to create something that searches via the API (registration and account activation is now automatic), you have my blessing but let me know once you have it working. Just use "!email <address>" when you search as it narrows it all down.

    [–]ColinKeigher Trusted Contributor 0 points1 point  (0 children)

    I am also adding the data to Canary as we speak just so we can correlate the data.

    [–]GuidoZ 0 points1 point  (1 child)

    Popping through the list, there are some "+" addresses. Gmail uses those as your real address (like guidoz@gmail.com is the same as guidoz+reddit@gmail.com - neither my real email), but allows one to filter based on whatever is after the plus. Looking through them, I see FileDropper (maybe here), XTUBE, Friendster, UserCash, WebSystems, AlbumHunt... etc. Plus a bunch of "spam, junk, ads, freebie", like people's disposable emails.

    [–]stewsters 0 points1 point  (0 children)

    I imagine its a few sites then. Here is a list sorted by popularity:

    xtube : 176
    daz : 133
    1 : 125
    filedropper : 88
    daz3d : 66
    eharmony : 64
    friendster : 63
    savage : 62
    2 : 60
    spam : 57
    bioware : 54
    savage2 : 52
    bryce : 51
    hon : 40
    freebiejeebies : 32
    3 : 28
    eh : 27
    4 : 25
    policeauctions : 19
    bravenet : 18
    filesavr : 18
    s2 : 17
    freebie : 17
    fj : 16
    xt : 16
    x : 15
    precyl : 15
    11 : 15
    5 : 15
    10 : 14
    usercash : 14
    12 : 13
    texasmonthly : 12
    6 : 12
    junk : 12
    7 : 11
    paygr : 11
    comicbookdb : 11
    kffl : 10
    fd : 10
    9 : 10
    test : 9
    20 : 9
    rsbuddy : 9
    itickets : 9
    gmail.com : 9
    albumhunt : 9
    freebies : 9
    pa : 8
    wholefoods : 7
    8 : 7
    22 : 7
    forum : 7
    nwn : 7
    eharm : 7
    26 : 7
    tm : 6
    21 : 6
    f : 6
    25 : 6
    14 : 6
    mcmcse : 6
    13 : 6
    reg : 6
    tube : 6
    123 : 6
    free : 6
    sugardaddy : 6
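
Added example, not part of the thread and not any commenter's code: the plus-tag tally from cDull's grep pipeline, plus a local lookup that uses the plus-addressing behaviour GuidoZ describes, so `user+tag@...` and `user@...` are matched as one mailbox against a downloaded copy of the list without typing the address into a website. The function names and the sample lines (on `example.com`) are constructed for illustration; the one-address-per-line format is taken from the commands quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Everything runs against a local copy of
# the address list; no address is sent to a website.

# awk helper shared by the functions below: lower-case the address and drop a
# "+tag" from the local part. Returns "" for lines that are not addresses.
CANON_AWK='
function canon(a,    at, lp, p) {
    a = tolower(a); sub(/\r$/, "", a)
    at = index(a, "@")
    if (at < 2) return ""
    lp = substr(a, 1, at - 1)
    p = index(lp, "+")
    if (p > 1) lp = substr(lp, 1, p - 1)
    return lp substr(a, at)
}
'

# canon ADDRESS: print the mailbox an address delivers to.
canon() {
    printf '%s\n' "$1" | awk "$CANON_AWK"'{ print canon($0) }'
}

# tag_counts FILE: "count tag" for every +tag, most frequent first.
# Lines without exactly one "@" (blank lines, a stray ")") are skipped.
tag_counts() {
    awk '
        {
            line = tolower($0); sub(/\r$/, "", line)
            if (split(line, part, "@") != 2) next
            p = index(part[1], "+")
            if (p < 2 || p == length(part[1])) next   # no tag, or empty tag
            n[substr(part[1], p + 1)]++
        }
        END { for (t in n) printf "%d %s\n", n[t], t }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# site_tags FILE: the same tally without purely numeric tags (+1, +2, ...),
# which say nothing about which site an address was given to.
site_tags() {
    tag_counts "$1" | awk '$2 !~ /^[0-9]+$/'
}

# in_dump ADDRESS FILE: print every line of FILE that is the same mailbox as
# ADDRESS, with or without a +tag on either side. Exit status 0 if any line
# matched, 1 otherwise.
in_dump() {
    awk -v want="$(canon "$1")" "$CANON_AWK"'
        want != "" && canon($0) == want { print; hit = 1 }
        END { exit !hit }
    ' "$2"
}

# Constructed sample in the same format, including junk lines of the kind the
# real file contains. example.com is used instead of real addresses.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
alice+xtube@example.com
Bob+XTube@example.com
carol+daz@example.com
alice+eharmony@example.com
dave@example.com
erin+1@example.com

)
EOF

echo "tags that name a site:"
site_tags "$sample"
echo "lines for alice@example.com:"
in_dump alice@example.com "$sample" || echo "(none)"
```
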

    [–]3picNull 2 points3 points  (1 child)

    Interesting..

    2 things:

    88bruce+mostlycrap@gmail.com check it in the site. It does not recognize the aliases (in general). Removing the alias returns "safe account"

    Other mails (e.g. mitchmauldin+social@gmail.com ) return "compromised"

    (Yes both mails are from the file shared here)

    Also, something weird that happened to me yesterday:

    I received an SMS from google with a 2FA code from one of my account. However, checking activity in that google account showed no attempts for logins etc...

    [–]Xenogearcap 0 points1 point  (0 children)

    The same thing happened with my Google account about 3 weeks ago. My account did not show any attempted logs (unless I was looking in the wrong place)

    [–]Cyfun06 1 point2 points  (1 child)

    Weird, it has my username, but at yandex.ru. As far as I know, never had a Yandex account. What does this mean?

    [–]3picNull 4 points5 points  (0 children)

    I guess your username is not so weird and someone else was using it at Yandex too...

    [–]easyjet 3 points4 points  (0 children)

    One of my throwaways was on there. Only ever used it in one place: www.warez-bb.org

    [–]lunixbochs 1 point2 points  (6 children)

    They had an old burner account of mine (only used on forums and social media many years ago) with an old password.

    [–]ianonavy 0 points1 point  (5 children)

    Same situation for me. Correct email, old password.

    [–]poborskyyyyy 0 points1 point  (4 children)

    Where can you see the password? I want to compare it with mine also...

    [–]fireglare 0 points1 point  (11 children)

    Just to be clear: If my e-mail is not on that e-mail-only list, my account and password is secure?

    [–]ygjb Trusted Contributor 8 points9 points  (7 children)

    Nope. It's just not on the list.

    [–]fireglare 0 points1 point  (6 children)

    Care to elaborate? I don't see why my password should be compromised when it's not a part of the leak?

    [–]eldorel 13 points14 points  (1 child)

    He was being pedantic.

    You asked if not being on the list meant your password was secure.

    Not being on the list only means that you aren't on the list, you could still have set your password to "abc123" which is not secure.
    (or you could have been compromised through a different undisclosed leak)

    To actually answer your question: if your email is not in this list, you were not compromised as part of this leak.

    [–]fireglare 0 points1 point  (0 children)

    That's what I thought! I had to ask to make sure, I found it a bit unclear :)

    [–]xiongchiamiov 2 points3 points  (1 child)

    He's saying it's not part of that leak. We don't have any information that suggests it's been compromised, but there's a lot we don't know.

    But that's per usual.

    [–]fireglare 1 point2 points  (0 children)

    Ah, I see! Thank you :) A bit scary thought, though..

    [–]ygjb Trusted Contributor 1 point2 points  (1 child)

    Yeah, the other responses beat me to it, but...

    Depending on how the list was gathered, and the goal the releasing group had in sharing the information they may have :

    • left interesting accounts off the list
    • selected a random sample of accounts they had compromised
    • bruteforced password combinations to a certain strength

    In addition, your own password's strength has an impact on whether it is secure even if the system storing your password handles passwords in a secure fashion.

    Bottom line, you want your account password to be secure? The only part of the equation you can reasonably control is password strength. Choose long, high entropy passwords (i.e. use a password generator) or use passphrases, and don't re-use passwords.

    [–]fireglare 0 points1 point  (0 children)

    Great! Thank you. I'm pretty sure my password is strong. For all we know, they could have 10 million more accounts in storage?

    [–]SneakiestBear 1 point2 points  (5 children)

    Anyone got a copy of the password list to share? My password has the first few characters common across all sites, just alterations to the end, so I don't know which passwords I should be changing.

    [–]dylzen 1 point2 points  (4 children)

    Yeah, same here. Same first half of the password, different second half depending on the site. No idea which password they got...

    [–]SneakiestBear 0 points1 point  (3 children)

    I just checked mine as the site was briefly up, it was a crazily old password so looks like I'm safe, luckily.

    [–]dylzen 1 point2 points  (2 children)

    Which site was briefly up? How did you check your full leaked password?

    [–]SneakiestBear 1 point2 points  (1 child)

    isleaked.com was up.

    I didn't check my full password, the first 2 characters were an extremely old password, I know where my leak came from, it was from when EA got hacked years ago, they obviously put it into that file from then, because the password hasn't been used since.

    [–]dylzen 0 points1 point  (0 children)

    Ah, I thought you found your full password. Thanks anyway.

    [–]talness 1 point2 points  (0 children)

    Isleaked seems to be down. Anyone got the full file?

    [–]Ueland 1 point2 points  (0 children)

    Where are the passwords? I found my email address but would like to check where the leak is from...

    [–]raped_giraffe 1 point2 points  (1 child)

    Holy shit my e-mail is on that fucking list. WAT DO PLS?

    [–]robbiekhan 2 points3 points  (0 children)

    Probably best to enable 2-step verification and install the Google Authentication app on your smartphone for this process to work seamlessly.

    You can then log into your Gmail account or any other Google site and click your account icon top right, security and check the app specific passwords area to make sure everything adds up, then click the codes tab and for "other computers" choose the button to force request verification code on all other computers except the one you are on.

    That's the simplest way to make sure nobody else has in the past or currently is logged on to your account.

    I'm going to bet that nobody has used your account anyway because Google are pretty quick to let you know about if it does happen and Gmail will notify you bottom right in yellow highlight if your account is or has been logged on from multiple locations.

    If you have 2-step enabled and get auth codes via the app which is specifically coded to your phone only via device ID authentication then nobody can log into your account even if they have your main password because they won't be able to generate any 2-step codes.

    Also as a last resort and good practice, export the 10 or so failsafe backup codes Google provide you after generating new ones and keep them safe locally. These will be used if you ever lose access to your account and will grant one time access to your account. Once a code is used that's it, that code is gone hence why they give you a whole bunch for safekeeping.

    Ultimately it looks like the leak is from a year or so ago when Google accounts were leaked and Google notified affected users and got them to change their passwords and enable 2-step and this new leak is just a mass accumulation of all those.

    In the grand scheme of things, from where I stand it looks like a non issue if you have 2-step enabled, have the backup codes safe and have checked the account activity location thing in Gmail.

    [–]Zeigy 1 point2 points  (0 children)

    My gmail isn't there I must be some kind of computer security god.

    [–]mgr86 1 point2 points  (0 children)

    Poor vale.josh

     sort google_5000000.txt | uniq -c | sort -nr | head
         86 vale.josh@gmail.com
         63 
         53 )
         49 email@gmail.com
         44 abc@gmail.com
         44 123@gmail.com
         40 bob@gmail.com
         40 a@gmail.com
         33 asd@gmail.com
         29 test@gmail.com
    

    also for all 63 of those people who thought that just because they didn't have an address at gmail you were safe.

    [–]peachstealingmonkeys 1 point2 points  (0 children)

    not leaked by google.com that's for sure.

    [–]Semsko 0 points1 point  (0 children)

    The link isn't working for me :S

    [–]why_am_i_itchy 0 points1 point  (8 children)

    Bah, my address is on there, with a password that I still use for some accounts. Already changed all the important stuff, so looks like I got away with that. Unfortunately I don't have two step authentication in use on my gmail account. Is there any way to use it without having a cell phone? I don't own a phone for many reasons, one of which is that I consider them to be a security/privacy nightmare. Ironically, this seems to preclude me from using two step auth. Ah well, my gmail account isn't used for anything especially important anyway.

    [–]emarkd 1 point2 points  (1 child)

    There are basically three types of authentication:

    1. What you know (password, secret data, etc)
    2. What you have (cell phone, physical key, etc)
    3. What you are (fingerprint, retina scan, etc)

    The very premise behind two-factor auth is that it takes two different factors to prove your identity. As you know, most 2fa setups rely on a cell phone, but maybe check out Authy. They offer some different types of setups so maybe they have something that would work for you.

    [–]why_am_i_itchy 0 points1 point  (0 children)

    Thanks, I'll take a look at Authy and see if it helps me.

    [–]warbiscuit 1 point2 points  (0 children)

    Since the Google Auth / TOTP protocol doesn't require the phone actually have net access, you could look into getting an older/cheaper smartphone that can't make calls, and has its wifi turned off. That way you can use it as a dedicated key fob.

    [–]dylzen 0 points1 point  (4 children)

    How did you find out which password of yours they got?

    [–]tedstery 0 points1 point  (1 child)

    Checked for mine, not in there. Thank god.

    [–]glred 2 points3 points  (0 children)

    Now you will be subscribed to something lol

    [–]X019 0 points1 point  (0 children)

    So I found my email on that list (twice) I haven't changed my password yet, I've got 2 factor auth on my account. Is it stupid/irresponsible of me to wait to change my password on my gmail (I don't have the same password for my gmail as I do for any site they pulled my email from) to see if anyone tries to log in?

    [–]rockymountainpow 0 points1 point  (0 children)

    where can i get the file to check if my info is in there?

    [–]mcai8rw2 0 points1 point  (0 children)

    yeah but none of them work any more! A friend of mine tried a few of them and she said that any one she picked at random didn't work....so.... there's that i suppose.

    [–]vinchbr 0 points1 point  (0 children)

    So, I tried my email on the isleaked.com website, and it returned that my email was leaked and the first 2 chars on the password, that pwd was my first pwd when I created my gmail account in 2004.

    They might've found an old gmail HD somewhere

    [–]csolisr 0 points1 point  (0 children)

    Fortunately enough, the password leaked was the one I used to have. Good Guy Google had already asked me to change it, so no biggie there.

    [–]BamaFan87 0 points1 point  (0 children)

    Nice, none of my abundance of gmail emails are on the list.

    [–]killit 0 points1 point  (0 children)

    I found my username, the password logged was from an old gaming forum when gmail passwords were leaked a year or two ago, this password was never used in my actual gmail account.

    [–]Ornlu_Wolfjarl 0 points1 point  (0 children)

    Where can I see this list? I want to check if my gmail is in there, although I doubt it. Better be safe than sorry.

    [–]TcHx 0 points1 point  (0 children)

    None of the email:password combos in the preview shot posted on the forum work... further debunking this situation.

    [–]ROGer47 0 points1 point  (0 children)

    Guys, I am having a problem downloading from Mega... Is it possible to find it somewhere else???

    [–]squat251 0 points1 point  (0 children)

    Well, fortunately none of my emails are on that list.

    [–]WDKevin 0 points1 point  (0 children)

    Some of these came from the adobe.com breach on 11/11/13. I know this to be fact for at least 2 accounts on that list due to using unique passwords on every account.

    [–]outofin 0 points1 point  (0 children)

    Can confirm: found my old email with proper password, yes, but from another (photostock) site

    [–]shinkeikagakusha 0 points1 point  (0 children)

    isleaked worked... it said one of my old old emails was compromised, likely when bioware got hacked, so I changed the pw (it was correct about the two characters). checked it again and it doesn't come up as compromised anymore.

    the email was in the text file. this is fucking huge, i'm blown away.

    [–]texaswilliam 0 points1 point  (0 children)

    Incredibly, incredibly old password. Older than 7 years, as some other people have said. Thank God.

    [–]dwarmia 0 points1 point  (0 children)

    I want to ask the people whose mail address is on the list with the correct password,

    are you using the same password on gmail and other sites as well? I believe these guys collected unhashed passwords from various websites.

    [–]mstrokin[S] -4 points-3 points  (45 children)

    You can also check if your email is in the database using this link: https://isleaked.com/ it shows first 2 characters of the password if it's in the database

    [–]I_AM_GRUMPY 3 points4 points  (0 children)

    ditto (old simple pw). which poses the question, where did these come from ?

    [–]assangeleakinglol 2 points3 points  (3 children)

    Mine was leaked. omfg.

    edit: Might have been an older password that started with the same chars. But changing anyway. Is there any way to audit the entire logon history of a gmail account?

    [–]snapdeus -4 points-3 points  (1 child)

    do not put your email address into any fucking website unless you went there to do that.

    [–]assangeleakinglol 7 points8 points  (0 children)

    You know what. I'm not afraid of people finding out my e-mail address. It's not a secret.

    [–]FearAndGonzo 1 point2 points  (0 children)

    After checking the whole 103mb text file for some of my addresses, it had one of my burners. However, after putting that in the website it shows the first two characters. Those two characters might be in the password depending where the source was, but they for sure aren't the first two. Does anyone have the list of addresses and passwords fully in the clear?

    [–]garion911 2 points3 points  (14 children)

    Huh. It has my address in there, but with a password I haven't used in 7 or 8 years.

    [–]bandwidthoracle[🍰] 1 point2 points  (0 children)

    I'm in the same boat.

    [–]zerouid 1 point2 points  (0 children)

    ditto, around 7-8 years old. and nothing i used for anything important.

    [–]urda 1 point2 points  (0 children)

    The password I have in there is at least 4-6 years old myself.

    [–]RumAndCookies 1 point2 points  (0 children)

    Thirded - old passwords, you're probably in the clear if you've been updating them at any sort of reasonable interval.

    [–]tradiuz 1 point2 points  (0 children)

    Very old password, as well.

    [–]snapdeus 3 points4 points  (6 children)

    please do not insert your email address into an unknown website if you want to stay safe.

    [–]gmad 8 points9 points  (4 children)

    What's the worst that could happen? Maybe you get added to a spam database. Your email is public information anyway.

    [–]dexxter67 2 points3 points  (3 children)

    copying my answer from another discussion

    When you input your email address they could create a log with your info such as IP address, location, OS, browser, browser version screen resolution etc...

    This info can then be used to bypass Google's security. Currently Google will block a sign in attempt if someone tries to login to your account from a different county. But if they already know where you live, they can bypass that.

    [–]DeathByFarts 7 points8 points  (0 children)

    Do you also wear a condom while you sleep ??

    [–]mguzmann 0 points1 point  (0 children)

    And as others pointed out, this is just silly

    [–]indigojuice 0 points1 point  (0 children)

    Easily defended against. You can VPN to that website or proxy. That solves that. Or you can enable 2FA in GMail, which solves all of this.

    IDK. Not worried.

    [–]dannymac1784 0 points1 point  (0 children)

    or you can keep yourself secure (paranoid) by using a complex password from the start.

    [–]omega552003[🍰] -1 points0 points  (1 child)

    yeah it's an old password and I had a login attempt from Hungry in 2010, still older than that.

    [–]Kwpolska 1 point2 points  (0 children)

    Hungary*

    [–]Elriond 0 points1 point  (5 children)

    you sure this is kosher? It says that my email address was leaked & the "First two symbols of password is: ab."

    I'm pretty sure the 1st 2 symbols of my password isn't "ab".

    [–]dzml 3 points4 points  (4 children)

    might not be from your gmail account, but from another site that uses that email

    [–]Elriond 0 points1 point  (3 children)

    That makes sense. Now that I think of it, some of the unimportant forums, I use the standard password of abcd1234. So most likely some forums.

    [–]mathiasbynens 0 points1 point  (2 children)

    Why would you tell anyone that? :(

    [–]Elriond 0 points1 point  (0 children)

    Exactly like what /u/nyanpi said.

    [–]nyanpi 0 points1 point  (0 children)

    Because they are unimportant forums that he or she probably does not even use anymore? Who cares?

    [–]s7orm 0 points1 point  (1 child)

    I too am on the list, but that website doesn't provide me anything close to a password I would normally use. Still seeing my email on that list is a little worrying. Glad I use TFA.

    [–]indigojuice 0 points1 point  (0 children)

    Glad I use TFA.

    Yeah, same. I've got 2FA on every website I use that matters.

    [–]Survove 1 point2 points  (3 children)

    If I type my password in here, can you guys check my account for me?!?!

    [–]Lysis10 3 points4 points  (0 children)

    Sure, post your user name and password right here and a nice redditor will check it for you.

    [–]TheLinksOfAdventure 0 points1 point  (0 children)

    Sure, post your password too so we can compare!

    [–]2DeviationsOut 0 points1 point  (0 children)

    Just post your email and password, and you'll know whether it was compromised right away. It'll be compromised, but you won't have to wonder anymore.