Thursday, 11 September 2014

GMail usernames and passwords published online

Yesterday we heard that around 5 million GMail accounts had potentially been exposed online. No University of Sheffield accounts have been affected and Google have confirmed that the accounts have not been hacked. So there is no need to panic.


It’s very rare that a major email provider such as Google (gmail.com) or Microsoft (hotmail.com, live.com) has its password database compromised, and further investigation quickly showed that it’s very unlikely Google had been hacked. It is much more likely that this is a collection of GMail credentials harvested from other websites, and this has now been confirmed by a Google spokesperson.


This event re-emphasises how important it is that you never re-use your University password for any other online service.


If you have ever reused your University password for another service now is the time to change it! We’ve updated our rules so that University passwords are easier to choose and potentially stronger than ever.


Alongside phishing, the hacking of external websites is the most common cause of account compromise at the University. When your University account is compromised it exposes your sensitive information and any University data you have access to.


Recently we have seen hundreds of millions of accounts exposed worldwide including some very big names such as eBay, Adobe and Forbes. With each major breach we find that a small number of people from the University of Sheffield have reused their username and password to sign up for external sites. It’s fine to register using your University email address but never reuse your University password.


Managing multiple passwords can be difficult. We suggest committing your most important passwords (e.g. University, banking, email) to memory and then using a password manager for the others. There are some really good tools out there such as LastPass, 1Password and KeePass. It’s really important that you choose a password manager that fits your needs (e.g. supports mobile devices, supports Windows/Mac) and follow its security advice carefully. A good article on password managers can be found on LifeHacker.


If you choose to use a password manager, make sure you choose a really strong master password as this is what gives access to all of the accounts you have stored.


You can check to see if any of your accounts might have been compromised at sites such as https://breachalarm.com/ or https://haveibeenpwned.com/. https://isleaked.com/en allows you to check for GMail accounts affected by this most recent breach.

Google Online Security blog
Cleaning up after password dumps