Posted by: Unknown
Friday, 12 September 2014
A list of almost 5 million combinations of Gmail addresses and passwords was posted online on Tuesday. But the passwords seem to be old, and they don't appear to actually belong to Gmail accounts. Instead, it seems that many of the passwords were taken from websites where users used their Gmail addresses to register, according to some of the leak's victims as well as security experts.
For example, someone might have signed up for a website with the username "myaddress@gmail.com" and the password "mypassword." The list exposed this week makes it look like "mypassword" is the password for the Gmail account itself, but the user's actual Gmail password might be totally different.
The list was posted on a Russian Bitcoin forum on Tuesday evening, and local media started reporting on it on Wednesday. We can't confirm the authenticity of all the email addresses on the list, but a Mashable employee, Evan Engel, saw that his old Gmail password, which he hasn't used in years, is part of the leak.
A Google spokesman told Mashable that the company has "no evidence that our systems have been compromised," and security experts seem to agree that the passwords are either old Gmail passwords obtained through phishing, or are passwords that were actually used on other sites.
Matteo Flora, a computer security expert, reviewed the dumped file and found that around 60 email addresses were in his address book. After he alerted those people, 30 of them told him that the password either was never used for their Gmail accounts or was very old, Flora told Mashable.
Chester Wisniewski, a senior security adviser for security firm Sophos, told Mashable that he expects many of these accounts not to be valid. "There is no honor among thieves as they say, and often stunts like this are released as a sad attempt at gaining credibility among other criminals," he said.
Several Reddit users also confirmed that they found their email addresses in the leak, but that the associated password has never been their Gmail password.
To check whether your password was among those leaked, plug your Gmail address into this trusted tool from KnowEm. Alternatively, if you aren't comfortable giving out your email, you can change all your passwords now. Simply type your email address into the IsLeaked tool to see if your account has been exposed.
However, the tool is not without controversy. Life Hacker actually isn’t promoting it anymore after it said it discovered the “tool” was made public just two days before the Gmail leak was reported.
Google said in a blog post late Wednesday that "less than 2% of the username and password combinations might have worked," adding one more reason not to overreact to this dump.
Google also said that it has contacted the owners of the affected accounts "and have required those users to reset their passwords." So if you haven't heard back from Google, you should be fine. (Though periodically changing your password isn't a bad idea, and two-factor is a must.)
Meanwhile, more security experts seem to agree that the leak is probably almost entirely made of old passwords taken from previous leaks and dumps. Whoever put this particular one together probably "concatenated several dozen dumps" and then published only the Gmail username and password combinations he found, said Jeremi Gosney, the co-founder of PasswordsCon, a hacker conference focusing specifically on passwords and other methods of authentication.
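The triage Google describes above (checking a concatenated dump against its own user base and forcing resets only for the accounts whose leaked password still works) is the same exercise any site operator faces when a dump like this appears. The script below is an added example, not code from the article or from Google; the dump lines, user store, and salted PBKDF2 hashing are all constructed assumptions. It deduplicates the combined dump, keeps only Gmail addresses, and reports which entries still verify against the current (hashed) password store, i.e. the small "might have worked" fraction rather than the whole list.

```python
"""Triage a leaked credential dump against a site's own user store.

Constructed example: the dump lines and the user store below are invented;
no real addresses, passwords or hashes appear. Salted PBKDF2-HMAC-SHA256 is
an assumption standing in for whatever hashing a real site uses.
"""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample of a combined dump: several source dumps concatenated,
# with mixed domains, duplicates, inconsistent separators and junk lines.
DUMP_LINES = [
    "alice@gmail.com:Summer2012",
    "alice@gmail.com:Summer2012",      # same entry from a second dump
    "bob@example.org:hunter2",         # not a Gmail address
    "carol@gmail.com;OldForumPass",    # different separator
    "dave@GMAIL.COM:winter!",          # domain case differs
    "not a credential line",           # junk
    "erin@gmail.com:",                 # empty password
]

# Constructed: the current passwords of this site's users (only used to
# build the hashed store; a real site never holds these in the clear).
SAMPLE_USERS = {
    "alice@gmail.com": "Summer2012",   # still reusing the leaked password
    "carol@gmail.com": "NewPass2014",  # rotated since the old forum breach
    "dave@gmail.com": "winter!",
    "erin@gmail.com": "unrelated",
}


def parse_dump(lines):
    """Return {email: set(passwords)} for Gmail addresses only, deduplicated."""
    creds = defaultdict(set)
    for line in lines:
        line = line.strip()
        sep = ":" if ":" in line else ";" if ";" in line else None
        if sep is None:
            continue                          # not a credential line
        email, password = line.split(sep, 1)
        email = email.strip().lower()         # normalise the address
        if not email.endswith("@gmail.com") or not password:
            continue
        creds[email].add(password)
    return dict(creds)


def hash_password(password, salt, iterations=50_000):
    """Salted PBKDF2-HMAC-SHA256 (assumed store format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_store(users):
    """Build a hashed user store with a fresh random salt per user."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


def assess_exposure(creds, store):
    """Emails whose leaked password verifies against the current stored hash.

    These are the accounts that need a forced reset; everyone else in the
    dump is carrying a stale password or one from a different site.
    """
    exposed = []
    for email, passwords in sorted(creds.items()):
        if email not in store:
            continue
        salt, digest = store[email]
        if any(hmac.compare_digest(hash_password(p, salt), digest)
               for p in passwords):
            exposed.append(email)
    return exposed


def exposure_report(lines=DUMP_LINES, users=SAMPLE_USERS):
    """Summarise how much of the dump would actually have worked here."""
    creds = parse_dump(lines)
    exposed = assess_exposure(creds, make_store(users))
    return {
        "in_dump": len(creds),
        "exposed": exposed,
        "hit_rate": len(exposed) / len(creds) if creds else 0.0,
    }


if __name__ == "__main__":
    print(exposure_report())
```

In the constructed data only two of the three usable Gmail entries still verify, which is the number that drives the reset campaign; the rest of the list, like most of the real dump, is noise. Comparing against salted hashes rather than plaintext means the triage job never needs to see current passwords.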