5 Million Gmail Usernames and Passwords Leaked – Good Way To Harvest E-mails?

You have probably heard this a gazillion times by now; I have heard it many times too, but I can't help wondering: were those credentials really leaked?


I browsed many of the reports, and all of them seem to be talking about the same thing, paraphrased here and there, but none of them seems credible.

As a web developer, the first thing that comes to mind is that those passwords were displayed in plain text. I do not think a company like Google would store passwords in its database AS IS without some form of hashing for added security. That is a given these days, whether it's an MD5 hash, a SHA hash, or whatever other way of making passwords something you cannot read just by browsing the database.

Secondly, there is a whole lack of detail when it comes to the report, like the ones from Yahoo!.

What? Those are just Gmail E-mail addresses with passwords; to date there has been no news on whether the list actually came from Google or from some other sites that happen to have users registered with Gmail-based E-mail accounts. My take is that it is most likely the latter, where people registered themselves on sites of shoddy workmanship.

Third, almost every other article mentions "Representatives from Google"...

Representatives from Google and Yandex explained to CNews that the list of email addresses was created by combining lists of compromised email addresses from previous years, and that no new accounts had been compromised.

So how many people do you need to represent a company? Surely not more than one. And to add to that point, there is also no mention of WHO exactly the representatives are.

And lastly, the icing on the cake: almost every other article introduces "leak checker" websites like "Is Leaked?".


The site is as simple as can be, it says "We don't collect your emails nor access logs.", and almost anyone affected by "fear of leakage" accepts that wholesale!

For all I know, the owner of those sites could actually be harvesting every single E-mail address that’s entered.

A more credible-looking site would be https://haveibeenpwned.com, but I have my reservations; I don't need more spam in my E-mail accounts.
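The harvesting worry above has a well-known mitigation: a checker can be built so the client never sends its full address, only a short prefix of its hash, and does the final match locally (this prefix-range idea is what haveibeenpwned.com later adopted for its Pwned Passwords lookups). The following is an added example written for this post, not code from any checker site; the leaked list is constructed and the service is simulated in-process.

```python
import hashlib
from collections import defaultdict

# Constructed sample "leak": made-up addresses, not real data.
LEAKED_ADDRESSES = [
    "alice.example@gmail.com",
    "bob.sample@gmail.com",
    "carol.test@gmail.com",
]

PREFIX_LEN = 5  # hex chars of the SHA-1 that leave the client; the rest never does


def sha1_hex(value: str) -> str:
    """Normalise (trim, lower-case) so capitalisation does not defeat the match."""
    return hashlib.sha1(value.strip().lower().encode("utf-8")).hexdigest()


class RangeChecker:
    """Simulated checker service. It indexes the leak by hash prefix and only
    answers 'which hash suffixes share this prefix?'. A dishonest operator could
    log the queries, but a 5-hex-char prefix covers a whole bucket of possible
    addresses, so the log does not identify who asked about whom."""

    def __init__(self, leaked):
        self.buckets = defaultdict(set)
        for addr in leaked:
            digest = sha1_hex(addr)
            self.buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
        self.queries_seen = []  # everything a harvesting operator could retain

    def range_query(self, prefix: str):
        self.queries_seen.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def is_leaked(checker: RangeChecker, email: str) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix here."""
    digest = sha1_hex(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in checker.range_query(prefix)
```

The anonymity is only as good as the bucket size: with a handful of entries per prefix, as in a multi-million-row leak, the server learns little; with a tiny list like the constructed one here it is a demonstration of the protocol, not of the privacy margin.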

Parting Words

Instead of using those "check for me!" sites to give yourself false assurance about security, how about putting some effort into actually SECURING your Gmail account?

Start by reading the guide from Google. After that, learn how to make secure yet easy-to-remember passwords.

🙂