Your Gmail Probably Wasn’t Hacked. But That Doesn’t Mean You’re Safe.

Less than 2 percent of the stolen passwords actually worked for active Gmail accounts, Google says.

Less than 2 percent of the stolen passwords actually worked for active Gmail accounts, Google says.

Screenshot / Google Security Blog

Several tech blogs on Wednesday reported that hackers have leaked some 5 million stolen Gmail passwords to a Russian forum. That’s not quite right.

What’s true is that hackers appear to have leaked some 5 million stolen passwords to a Russian forum, each with an associated Gmail address. That might sound like the same thing, but it isn’t. While the emails are clearly Gmail addresses, the passwords could be passwords for anything, and they may or may not be current.

For example, in theory, some could be passwords stolen from a service like LinkedIn or eHarmony in a notable hack two years ago—passwords that happened to be linked to people’s Gmail addresses, but were not necessarily the same ones those people actually used to log in to Gmail. In that case, it would be inaccurate to call them Gmail passwords.

In fact, Google told me Wednesday afternoon that it responded to the leak by quickly checking all of the stolen credentials to see if they actually worked as Gmail account logins. It found that only 1 to 2 percent worked for the service. And the company responded by immediately securing those accounts and prompting their owners to change their passwords. Finally, Google reported that its own systems were not breached in any way.

Google has also just published a blog post reiterating these points. If Google is right, then virtually no one’s Gmail account should be vulnerable at this point. Still, the company has rolled out a new feature called Account Checkup, which you can use to quickly make sure no one suspicious has logged into your account lately. It will also prompt you to update your password recovery information and check what other apps you’ve given access to your account. You can find the tool here.

The most likely hypothesis I’ve heard is that they’re actually passwords cobbled together from all sorts of hacked sites across the Web over the years. Perhaps some industrious hacker assembled such a master list and then filtered it down to a list of only those in which the username happened to be a Gmail address. This would fit with the news that hackers have recently leaked similar lists for users of the Russian email services Yandex and Mail.Ru. I wouldn’t be surprised if we soon see a list of stolen passwords that correspond only to Yahoo Mail accounts, or to Hotmail accounts.

So if anything, it might be your other accounts that you need to worry about most in the wake of the latest password dump. If your email address and a password are floating around on hacker forums right now, it’s a good bet that someone somewhere will be trying to plug those credentials into a wide range of popular websites, just on the off chance that they’ll work.

The best steps you could take in response, then, are the same basic steps that everyone always recommends you take:

  1. Make sure your passwords are strong.
  2. Make sure you’re using a different one (even if only by one or two characters) for every important site.
  3. For the very most important ones, like your primary email account, your bank, and maybe your Dropbox or iCloud, make sure you’re changing them on a semi-regular basis—and that you have two-factor verification enabled. That way, even if hackers get your password, they won’t be able to log in to your account without access to your phone.

I know, I know: Managing passwords is a hassle. But so is having your identity stolen—or your naked selfies.

Previously in Slate: