Google has denied that a leaked list of five million Gmail addresses and passwords was the result of an attack on the company.
The list, which was posted on a Russian forum earlier this week but which now appears to have been cleaned of the passwords, purported to contain five million Gmail login credentials.
However, Google claims the list had been compiled from attacks on other sites where the Gmail address was used as a login, and that the passwords weren't necessarily ever used to access Gmail.
Many of those who have discovered their names on the list claim the passwords are several years old.
In the cases where the user had used the same password on the hacked site and Gmail, Google took the precaution of resetting the users' passwords.
"One of the unfortunate realities of the internet today is a phenomenon known in security circles as 'credential dumps' — the posting of lists of usernames and passwords on the web," Google stated in a post on its Online Security blog.
"We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other internet providers’ credentials."
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords."
Google is urging customers to use strong, unique passwords on every site, and to use its two-factor authentication system - which sends a code to the user's mobile phone every time they attempt to log in from a new device - to prevent their accounts being compromised.