By Indusface Research Team

Gmail Hacked

As per some reports, Gmail has been hacked and 5 million user names and passwords were stolen from compromised accounts. What does this mean for you? Changing the passwords again? Yup, but more importantly changing, the way you and your customers operate their accounts, the ways in which they hamper their security, consciously or unconsciously, and the ways they can stop doing that.

Google has denied the hack claim, and has said that if in case such an event happens, it informs the affected users. “The security of our users’ information is a top priority for us,” a Google spokesperson commented. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

Google also claimed that the impact of this hack was widely exaggerated and that less than 2% of the username and password combinations might have worked. Google stated in an official blog post, “”We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts.”

How to check if your Gmail account was hacked

Following this hack, a group of programmers came up with a website, Isleaked.com. You can type in your email ID here, and it will tell you if your email is one of the 5 million affected. If you are hacked, the website will show you the first two letters of your password. The developers had initially created this website originally to help people check with the Yandex and Mail.Ru attacks.

To assure people of their honest intentions, developers have offered an option to not put in their complete email ID, but too substitute up to 3 characters with asterisk. We have tried this, and it works.

But if Google is denying the hack, then why these stories?

There have been more than few hacking incidents in the past, with Google’s name dragged in. This time, Google has come out with a statement. They have insisted that since no internal systems were breached and illegally accessed, they have concluded that the accounts whose login data was stolen, was due to an individual obtaining usernames and passwords from a malware infected computer.

This claim is supported by the fact that the information leaked seems to be pulled from much older lists. A large number of leaked passwords are as old as three years. Due to this the leak is being attributed to a combination of breaches that have happened in the past.

But even though the leaked information is outdated, majority of the security experts have strongly suggested that users should update their passwords in regular manner, especially after news of a breach surface.

So whether your Gmail was leaked or not, it is highly recommended to change your password and you should now take advantage of the two-step authentication process provided by Gmail. This means that Google will send you a special code as an additional security measure, when logging in. It might sound like a headache, especially when we want everything automated and simple, but it will protect you from the repeated hacks and breaches.

Why are so many accounts being hacked? What should be changed?

More and more social networking websites are coming up. People have tens and hundreds of accounts and every account needs to have a login, username and password. Some of them even have security questions.

So what do we do? It’s not possible to remember all these details for anyone. Neither are people very familiar with the concept of password managers. Therefore users end up using same user id and passwords for multiple accounts. The weaker the security control implementation from an account in question, more lax are the passwords set. Essentially, this means that, if an account permits a user to use email ID as login ID and password, they use it, without spending a thought on their safety. The thought of, “why will anyone hack into my account”, is so profound that we really don’t want to bother with following some basic security measures.

Also, we do not want to check the history of recent activities in our accounts. Gmail, Facebook etc. provide this facility. You can check from which browser, which city, your account was logged into last…you find a suspicious activity, report and change your password. It’s as simple as that.

So we bring to you some simple steps that one should follow while creating and using an account, to avoid falling a victim of these frequent hacks.

How to keep your account and passwords secure?

  1. First things first. There are multiple sites out there, encouraging you to create an account with them. Social media sites, e-commerce sites and many more. And the process of creating accounts is becoming simpler- enter your name, email ID and a password (a simple one, with no major permutation and combination required) and voila, your account is created.And then what happens? You soon forget all about them. Because seriously speaking neither do you need so many accounts, nor do you have the time to use them all.But how does this affect your security? You may ask. It does, because you will be sharing your email ID, you will be re-using the same user name and password in a more important account. Id this first account is hacked, the simple task the hacker has to do is search for your name on Google, see all the accounts in your name, and soon s/he will get lucky.Bottom-line: Create accounts only for what websites that you need, and no matter how lax the security measures they are keeping, you should use a strong password.
  2. If a website looks fishy, and is offering you a deal too lucrative, to make an account, please avoid it.If it sounds too good to be true, it probably is.
  3. Start using a Password manager. No, not all of them are paid. Yes, some of the best ones are free, so you don’t have to worry about keeping all your login details in a shoddy password manager. Read user reviews, choose one, and then use it.
  4. We read it everywhere, tell others about it, but don’t follow. Use unique passwords for all your accounts. Make them a combination of letters in small and upper case, numbers, and special characters and keep them of appropriate length.Use proper combinations. A password fulfilling all the above criteria, “Hello$1234”, is still a weak password. Use random words or words that make no sense and are in no way related to you.No pet, friends or siblings name please. Our lives have become so open on social media today, that guessing one of these is a cake walk.
  5. When keeping security questions for accounts, especially on banking websites which have this feature, lie.Yup, lie. Why? Let me show you:Best friend’s name- can find on social mediaPet’s name- can find on social mediaMother’s maiden name- yup, still can findPlace of birth- Everyone knows that!These are few examples, you can answer the rest by yourself.But if you lie, how will you remember them? You can copy them on your PC or phone…NO!Never ever save passwords on any device in plain text, encrypt them, always.But what you can do for the problem in hand is, this:Best friend’s name- how about naming the girl/boy you so hated in school! That must be a secret.Pet’s name- Neighbor’s name can work, right? (Sorry! Am just trying to help)Mother’s maiden name- An actress’ name or surname or place name!

    Place of birth- Put one of the places you always wanted to visit, but not the one you most like. Random, remember.

  6. Two factor authentication- use it, please. It helps, keeps your account safe, and in case anyone tries to do a mischief with your account, you are notified.
  7. Check your ‘recent activities’ history periodically. Anything out of ordinary, change password, dig deeper and get it fixed.
  8. Do not click on any suspicious links on your social media network, emails or download any unknown documents. These can download malwares on your devices and monitor all your activities in stealth mode.
  9. Do not share your passwords with anyone. You might share it in good faith, the person might take it in good faith, but might not keep it safe enough. The only way for two people to keep a secret is, if one of them is dead, and the only way to ensure that your password is known only to you, is to never share it with anyone.
  10. Change your passwords regularly. Banks force you to do that, other websites don’t, but it’s important that you do this without anyone twisting your arm to make you do so.
Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.