Evening Standard
Technology
Arielle Domb

Gmail passwords breach - how to tell if I am impacted and what to do

Gmail users have been advised to check their accounts after it was reported that over 183 million passwords were stolen in a data breach.

Troy Hunt, the Australian cyber expert who revealed the breach, has described it as a “vast corpus” of breached data, totalling 3.5 terabytes.

The incident took place in April but has only just been reported on Hunt’s Have I Been Pwned (HIBP) website.

He said that the breached data contained 183 million unique email addresses, as well as the websites they were entered into and the inputted passwords.

How do you know if you’ve been impacted?

In order to check if your data has been breached, go to the Have I Been Pwned (HIBP) website and enter your email address in the search bar.

Next, click the ‘Check’ button and the website will show you the data breaches affecting your email address.

The website will show you data breaches you were involved in over the past decade.

What should you do if your details were breached?

If you were affected by the most recent breach, you should change your password as soon as you can.

It’s also advisable to set up two-factor authentication, which will send a code to your smartphone that you need in order to access your online accounts.

Hunt explained that passwords associated with your email address that you use on other websites such as Amazon, eBay and Netflix may also be compromised.

He said: “Stealer logs expose the credentials you enter into websites you visit then login to.”

For this reason, you should also change your password on any other platform where you log in with that email address.

It may also be worth considering how you can maximise your security in the future.

Graham Cluley, a computer expert and security blogger, told the Daily Mail that people should “always use different passwords for different online accounts.”

A strong password is a minimum of 16 characters and will include a mix of capital and lowercase letters, alongside numbers and symbols. Cluley advises that users set up a password manager to store these long passwords.

What caused the breach?

The incident is not a one-off breach but an amalgamation of “stealer logs” – several data files generated by “malware” (malicious software), Hunt says.

“Stealer logs are more of a firehose of data that's just constantly spewing personal info all over the place,” Hunt wrote in a blog post.

“Once the bad guys have your data, it often replicates over and over again via numerous channels and platforms.”

The identity of the individuals associated with the malware is not yet known.

A Google spokesperson said in a statement: “This report covers known infostealer [malware] activity that targets many different types of internet activity. There is not a new, Gmail-specific attack at play.

“We protect users from these attacks with layers of defences, including resetting passwords when we come across credential theft like this.

“We encourage users to boost their own defences by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”
