Author Topic: Google password Exposed  (Read 918 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Google password Exposed
« on: December 03, 2020, 09:19:50 PM »

Out of the blue got an email from Google, saying "Someone knows your password", please change it.  Turns out it referred to an ancient account, but one that was still forwarding to me.
I had a devil of a job logging in, probably as I was getting the password wrong but eventually got a recovery code and logged in, changed the password.

Under account management, it lists recent security events including, earlier today... 

"Password exposed in non-Google data breach".  :-\

Anybody know what's going on?  Anybody else affected? 

Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4042
Re: Google password Exposed
« Reply #1 on: December 03, 2020, 10:24:16 PM »

One of the staff at work had this today, it referred to their company email address, I'm not sure why though.

The email seemed as far as I could tell to be genuine, and googling seemed to find many others that were confused by it, and considered it genuine.

I suggested they spoke with our IT provider, and followed a link I supplied to their Google notifications to see if it gave any further information.

PS I am aware that Google checks the passwords it knows against lists of compromised passwords, and then informs the user. I can see this happening with passwords associated with Google accounts, but a company email which is nothing to do with Google???
« Last Edit: December 03, 2020, 10:27:05 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #2 on: December 03, 2020, 10:39:41 PM »

It was genuine OK, as I could see the evidence in logged in account settings.

Curious thing is, it's an account I set up when I got an Android phone, to avoid using my regular email account for Android login.  Don't think I used it for any other purpose other than logging in on that Android phone, which I have long since abandoned.   I may be wrong but I don't recall using that email address, let alone the password, for any other purpose whatsoever.  If the address & password really have been leaked, it would suggest a probability that it's Google themselves who have been breached.   :o

Oh well we'll soon find out.  It will probably be in the news quite soon if that proves to be the case.  ::)

More likely, I've just forgotten using it for some other silly thing.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #3 on: December 03, 2020, 10:50:07 PM »

PS I am aware that Google checks the passwords it knows against lists of compromised passwords, and then informs the user. I can see this happening with passwords associated with Google accounts, but a company email which is nothing to do with Google???

Ah, I didn't know that.  I wonder if maybe they just check the passwords, disregarding usernames?

The password in my affected account was not particularly strong.   I am prepared to believe that out of the hundreds of billions of people on Earth somebody else used it too, and maybe their login/password combo at some site got compromised.   But that would be no reason for Google to panic me by suggesting that one of my own accounts has been breached!   :'(
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4042
Re: Google password Exposed
« Reply #4 on: December 04, 2020, 07:57:52 AM »

It's a very poor email that really lacks any explanation, but it implies the password is available in password lists, so it is entirely possible that someone else had used the same password.

Perhaps try the password here https://haveibeenpwned.com/Passwords it will tell you how many times it's been leaked, but unfortunately not where.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #5 on: December 04, 2020, 08:21:52 AM »

Perhaps try the password here https://haveibeenpwned.com/Passwords it will tell you how many times it's been leaked, but unfortunately not where.

Not leaked, according to that link.

But even assuming Google know better and are correct, why should I care that some other person used the same password and that it leaked?   It doesn’t put any of my accounts at risk as I’m not the person who got hacked, the password/user combo that leaked is not associated with any account that I use.

I lost a couple of hours last night stressing over that email, and ‘rescuing’ an account that I now think was perfectly secure all along.  I’ve not slept well either, being stressed at bedtime.   Thanks for nothing, Google. :'(
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #6 on: December 04, 2020, 09:48:11 AM »

PS:  Just realised I have broken into a grump (not at anybody on the forum) without saying 'thanks' for the help I was given.

Belatedly... Thanks, Ronski. :)
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4042
Re: Google password Exposed
« Reply #7 on: December 06, 2020, 03:58:57 PM »

Not leaked, according to that link.

But even assuming Google know better and are correct, why should I care that some other person used the same password and that it leaked?   It doesn’t put any of my accounts at risk as I’m not the person who got hacked, the password/user combo that leaked is not associated with any account that I use.

I would have thought it would have shown up on that site if it had been leaked, but perhaps Google do know better. It does put your account at an increased risk though, you probably know this, but they may well not have the email/username/password combination, but the leaked passwords all go into a dictionary list available for sale on the dark web (wherever that is), these dictionaries are then used against accounts, and if your username or email (https://haveibeenpwned.com/) has been leaked previously, somebody somewhere may just try the correct combination. So any password that has been leaked shouldn't be used, mind you I'm not sure I'd want to put my password into a website just to check if it's been leaked previously, and that's just one reason why I use unique to me, long, and completely random passwords nowadays.


PS:  Just realised I have broken into a grump (not at anybody on the forum) without saying 'thanks' for the help I was given.

Belatedly... Thanks, Ronski. :)

No problem, and thanks.
« Last Edit: December 06, 2020, 04:01:20 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #8 on: December 06, 2020, 06:38:34 PM »

Cheers again, Ronski.

My thinking is that a targeted hacking attack on a specific individual may possibly benefit from a list of known passwords.  It’d take some effort, but might succeed.    I’m not convinced it would be much benefit to random attacks on random people.  Even if an occasional random account was successfully hacked, the trophy would be unlikely to be of sufficient value to justify the effort. And with each random person the hacker attacked with such a marathon assault, he would risk getting caught.

So, if I were a head of state likely to be targeted by bad guys, or a criminal mastermind likely to be targeted by good guys, being on a passwords list might worry me.   Actually though I am of no importance whatsoever, so I tend not to worry too much about targeted attacks.

My main gripe was the Critical Security Alert email, saying “someone else knows your password”.  Surely it should really have been entitled Low Priority Advice, reading “someone knows somebody else’s password, and it is the same as yours”

More importantly perhaps, in order for Google to identify this situation it would seem that they are storing the original text of my password on their servers.  I’m not all that clued up on such technology, but I thought storing password texts was a No,No?   :o
Logged
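Replies #7 and #8 raise two worries: typing a password into a checking website, and whether a breach check needs the stored password text. The sketch below is an added example, not code from the thread or from Google or Have I Been Pwned; it models the hash-prefix ("k-anonymity") range lookup that the Pwned Passwords service documents, where only the first five hex characters of the SHA-1 digest leave the machine. The corpus, class and function names are constructed for illustration, and nothing here describes how Google performs its own check.

```python
import hashlib

# Constructed sample corpus standing in for a breach list: password -> times seen.
CONSTRUCTED_CORPUS = {"password1": 3, "letmein": 7, "qwerty123": 2}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedRangeServer:
    """Offline stand-in for a range endpoint; it only ever sees 5-char prefixes."""

    def __init__(self, corpus):
        self.index = {}
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.index.setdefault(digest[:5], []).append((digest[5:], count))
        self.seen = []  # everything the "server" received from clients

    def range(self, prefix: str) -> str:
        self.seen.append(prefix)
        rows = self.index.get(prefix, [])
        # Response format: one "SUFFIX:COUNT" pair per line.
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears, sending only a hash prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        # The match against the remaining 35 hex characters happens locally.
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0  # empty response or no matching suffix: not in the list


if __name__ == "__main__":
    server = ConstructedRangeServer(CONSTRUCTED_CORPUS)
    for pw in ("letmein", "a-long-unique-passphrase-not-in-corpus"):
        print(pw, "->", pwned_count(pw, server.range))
    print("server saw only:", server.seen)
```

Against the live service, `fetch_range` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` returning the same line format.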

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9750
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Google password Exposed
« Reply #9 on: December 06, 2020, 08:36:23 PM »

I have read about publicly accessible databases of passwords and user accounts that have been exposed in a security breach in some system or other. I have a tool that will search these and tell you whether or not your details fit one such exposed known entry.
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4042
Re: Google password Exposed
« Reply #10 on: December 06, 2020, 09:54:25 PM »

7LM, I know what you're saying, but, I'm a nobody, who just works for a local haulage and removals firm, nothing special, but when someone somewhere discovered my RDP port open at work they put quite a bit of effort into trying to log in. Trying well over 30,000 username and password combinations from multiple IP addresses. I've no idea how long they'd been trying because Windows event viewer only stores around 32,000 events, so it could have been hundreds of thousands of attempts, all automated of course, just lucky they never hit the right combination.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5347
Re: Google password Exposed
« Reply #11 on: December 06, 2020, 10:02:04 PM »

Maybe I am, indeed, too laid back. :)
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4042
Re: Google password Exposed
« Reply #12 on: December 06, 2020, 10:16:58 PM »

Perhaps  :P;D
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1034
Re: Google password Exposed
« Reply #13 on: December 07, 2020, 07:22:19 PM »

Hi

There are reasons why bad people want to hack accounts.  Most people are not perhaps like yourselves and use different passwords for different accounts, so hack 1 and you are more likely to have access to other accounts as 1 example, another example is a coordinated attack/ddos

I think I have posted previously in other threads, about an attack at a client's which we stopped dead, leaving all the tools and files they uploaded (you would have to see it to believe it... including virtualisation software) and 1 file which was a text file called 885k - contained I guess 885 thousand usernames and passwords with all email providers and was to be used to send emails by those providers from the compromised system at our client's...

So whilst some may view the hacking of a system from a nobody, others view with larger plans of use

Ronski - all systems come under attack every second of every day - on our systems you can be locked out as we cannot derive that it is genuine or not, so a lockout is implemented on the basis if it was you genuinely, you would make contact by other means :)

Many thanks

John
Logged