Is Your Gmail Account Among 42 Million Leaked Credentials?

Christian Cawley 09-05-2016

Reports that a massive leak of webmail accounts includes a huge number of credentials never seen before has been met with a mixture of panic… and doubt. How accurate is the news, and could your Gmail, Hotmail/Outlook or Yahoo Mail credentials be in the mix?


272 Million Unique Email Addresses

No, there’s nothing wrong with your eyesight. It really does read “272 million”. That’s the total of unique pairs of email addresses and passwords obtained from a hacker by Hold Security, an information security firm who previously obtained a collection of 1.2 billion names from Russian cyber gangs in 2014 Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do Read More . it would seem, then, that the company has good form in this area, and can be considered reliable.

But we’ll come back to that.


The figure of 272 million is indeed high, and is apparently a collection of accounts from Gmail, Hotmail, Yahoo Mail and, a Russian and Eastern European webmail service. Hold Security claim that of the 272 million accounts, 42.5 million are new — they’ve never been included in any previous data breaches.

If true, this puts the leak up there with some of the biggest of all time, such as the massive leak of 150 million Adobe user accounts and the insanely damaging Ashley Madison leak Ashley Madison Leak No Big Deal? Think Again Discreet online dating site Ashley Madison (targeted primarily at cheating spouses) has been hacked. However this is a far more serious issue than has been portrayed in the press, with considerable implications for user safety. Read More .


As with all big leaks, you can find out if your credentials are in the hands of hackers by paying a visit to This site, featured previously on MUO, is a searchable database of data from all of the biggest hacks. If you find your credentials in there, and recognize the password as a current one, it’s time to change it. Meanwhile, if the account is now unused, it’s worth closing it.

Now, what about these 42 million accounts?

Who Leaked the Data?

The story behind this leak seems shrouded in mystery. Hold Security’s blog post on the matter suggests that they were contacted anonymously with over 900 million credentials collected from multiple breaches over a period of time, a 10 gigabyte file in total.

We don’t know the person who leaked the data, other than he is described as “this kid from a small town in Russia” and that he was paid in social media likes. No, really.


How Data Breaches Can Be Used by Hackers

So what does it mean, really? How can anyone make use of 10 gigabytes worth of leaked email credentials? Well, give it some thought: how many websites do you log into with your email account?

Speaking to the BBC, Milwaukee-based Hold Security’s chief information security officer, Alex Holden, explained how “there are hacker sites that advertise ‘brute forcing’ popular services and store fronts by taking a large amount of credentials and running them one-by-one against the site.”

One by one, password after password is being attempted on services like Amazon, eBay, perhaps Xbox Live and PlayStation Network, using the brute force technique What Are Brute Force Attacks and How Can You Protect Yourself? Yyou've probably heard the phrase "brute force attack." But what, exactly, does that mean? How does it work? And how can you protect yourself against it? Here's what you need to know. Read More , demonstrated here:

Worse still, the credentials have probably been shared around the world by now, Holden admits:


“What makes this discovery more significant is the hacker’s willingness to share these credentials virtually for free, increasing the number of… malicious people who might have this information.”

But security breaches can also be used by security companies. Back in 2014, Hold Security attempted to cash in on the breach it reported that time around, offering a subscription service to website owners (but not individuals). Some researchers claim that their previous moment in the spotlight was a case of style over substance, but Holden denied this was the case, claiming to be “actually losing money. We’re not trying to do it for publicity at all from the perspective of profiting, we are not pushing our services. In fact, we’re trying not to go broke.”

Whether you believe Holden isn’t the point, however. The point is that the leak includes data that could be yours. What can you do about it?

I Should Change My Password, Right?

If you’re the owner of a Hotmail, Outlook, Gmail, Yahoo Mail or account, you’re probably thinking that right about now is the best time to change your account password. Well, for a moment, hold your horses. Renowned security researcher Professor Alan Woodward told the BBC that “there was ‘no need to panic’ or for people to change their passwords at this point.”

Now, we’re not saying that you shouldn’t change your password; you’re free to do so at any time, as it is your account. However, if the breach is as serious as it is being claimed, your webmail provider will be requiring you to change your password the next time you attempt to login.



Prof. Woodward is being quite canny here, advising users to wait for instructions from their webmail provider. Why? Well, for a start off, it’s Gmail, Hotmail/Outlook, Yahoo Mail and who have the resources to investigate the legitimacy of the breach, and it is those companies who have the power to initiate mass password resets.

Additionally, webmail providers have tools in place to detect suspicious logins. All in all, they have the situation under control.

The Threat of Phishing and Spam

A big problem with high profile security breaches is that they bring with them additional threats. Like pilot fish, criminals are never far from the big payout, ready to collect the scraps that are cast aside. There is a big threat from phishing following this particular piece of news.


First of all, if you use Gmail, Hotmail or Outlook, Yahoo Mail, or, you may notice an increase in spam email messages. Some may come from new sources, and be difficult for your webmail provider to deal with in the usual way (that is, keep it in the spam/junk folder, out of your sight). As a result, extra vigilance is necessary.

Perhaps most importantly, you need to be aware of the likelihood of phishing emails How to Spot a Phishing Email Catching a phishing email is tough! Scammers pose as PayPal or Amazon, trying to steal your password and credit card information, are their deception is almost perfect. We show you how to spot the fraud. Read More claiming to be from the webmail provider, asking you to click a link to reset your password. The link, of course, will be to a spoofed website How Scammers Target Your PayPal Account & How To Never Fall For It PayPal is one of the most important accounts you have online. Don’t get me wrong, I’m not a huge PayPal fan, but when it comes to your money, you don’t want to play around. While... Read More , ready to collect your current credentials.

None of the webmail providers concerned are likely to send you an email of this type.

Stay Secure, and Avoid Phishing Emails

We seem to be living in a golden age of security breaches (for the hackers, at least), and it shows no sign of letting up. As long as there are online systems, and a profit to be made, there will be people with the skills and motivation to breach those systems.

Combating this requires better vigilance from the businesses and services we share our email addresses and personal details with; it also need us to be alert to the threats, and how they might be executed. Spam emails, phishing, spoof websites – they’re all likely attack vectors heading for your inbox.

How do you feel about this latest security breach? Are you becoming tired of hearing about online leaks that could be avoidable with tighter security in place? Tell us what you think – start the conversation in the comments box.

Image Credits: stealing a purse by Volkova Vera via Shutterstock, Brian Senic via, JMiks via

Related topics: Hacking, Online Security, Password, Security Breach.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. futureofcultures
    January 9, 2017 at 2:07 am

    No doubt part of the neo red scare by the globalists, anything and everything to create hate towards russia and public support for starting ww3. More Fake new about russian hackers check... Thankfully the person who build up histories most sophisticated illegal spying system on his own people and a puppet for the globalists will be gone.

  2. Tom
    December 31, 2016 at 5:05 pm

    Hotspot shield doesn't work

  3. Alex
    September 17, 2016 at 1:33 pm

    BUFFERED VPN Also works great for Netflix US

  4. Anonymous
    August 18, 2016 at 8:24 pm

    GMAIL customer service phone number +1–844–445-4480 this is for united states for other countries you may also contact through skype and by this number

    1600 Amphitheatre Parkway in Mountain View,
    Santa Clara County, California, United States, near San Jose

  5. Greg
    May 19, 2016 at 1:04 pm

    Bad SEO whoring going on right here.

    • Christian Cawley
      May 19, 2016 at 1:33 pm

      Greg, we clearly need your expertise in these matters.

  6. rk
    May 18, 2016 at 7:49 pm

    Pardon me but doesn't the article tell us to go to to check if our credentials have been leaked? I found that my yahoo email was involved in Adobe and Forbes leaks. Interestingly, I don't recall yahoo asking me to change my pwd after these breaches occurred. I have a very tough pwd that no one can guess but it's used in some other sites as well.....should I change my yahoo pwd then based on this site's info that mine was compromised? Constructive suggestions welcome, thanks in advance!

  7. Heather Bloomer
    May 17, 2016 at 4:19 pm

    Thanks for this post. Fortunately I'm in the clear for now.

  8. Ken Christie
    May 17, 2016 at 11:11 am

    I don't see the title as misleading at all. In fact it goes to the heart of the matter straight away.
    Thanks for the heads-up. Luckily I'm not one of the hacked, not using any of the e-mail services quoted, at least not for this account ! - although I DO use gmail, but no evidence of my accounts being hacked. No spam to main accounts and no more than usual to less used accounts...................

  9. Ree
    May 12, 2016 at 2:11 pm

    Quit complaining millennial wusses !! She gives a link to go find out if you were hacked. Thanks for taking the time to give us all the information. From the looks of the cry baby's on here they would never take the time to help someone else cause it's " all about me" right boys?

  10. Dylan
    May 12, 2016 at 12:24 am

    this is,... scary. i hope my gmail wont be hackd

  11. Christian Cawley
    May 10, 2016 at 6:26 pm

    Hello. I've added in some additional information up top that goes some way towards answering the question in the title. Curiously a similar (briefer) version of this was in the original draft but it seems I cut it and didn't replace it.

    Thanks to everyone who has taken the time to leave a comment. MUO relies on your feedback, and I think this is a good example of how it can be applied constructively. Thanks again!

  12. Tim
    May 10, 2016 at 5:40 pm

    Having 2 factor Authentication in the way of sms assuming you service provider of email or whatever provides this additional layer of security is a critical must have in such a case.

  13. oddd
    May 10, 2016 at 5:14 pm

    what a misleading title. unsubscribing from your fb page.

  14. Ted
    May 10, 2016 at 3:10 pm

    Wow, I thought that I would find some means to find out whether my gmail-account was compromised. Turns out it's just a long article about a possible hack. A title could certainly be read in different ways, but this certainly suggests something that isn't there. Misleading is the proper word, I would say.

  15. Ron
    May 10, 2016 at 12:37 pm

    Gosh I came in to check if my email was one of them. What a misleading title!

  16. Anonymous
    May 9, 2016 at 11:52 pm

    imho this is why I signed up on Troy Hunt's website as it will tell me when my email address, domain name, or username appears in a leak.

  17. Anonymous
    May 9, 2016 at 10:11 pm

    This will only affect those who still use one password for all of her online accounts. This email database is just an archive of past leaks, so most of the data are old already. If Google/Yahoo/Hotmail already instructed you to change your password when these previous leaks happened, then you're already protected. No need to change it again.

    And yes, the title of this post is very misleading. Click-baitey if you will.

  18. Anonymous
    May 9, 2016 at 8:30 pm

    Based on the article title, I thought there might be a link to a database where you could find out if your credentials had been compromised. Not quite what I was expecting.

  19. Anonymous
    May 9, 2016 at 7:40 pm

    The title "Is Your Gmail Account Among 42 Million Leaked Credentials?" suggests that you are sharing a website/tool that will allow you to see if your email address was in the ones that were leaked.

    You are clearly not doing that in this post. So please change the misleading title. Something like "Truth about the leaked credentials" or something more appropriate.

    • Christian Cawley
      May 10, 2016 at 7:52 am

      Hi: title doesn't suggest that at all. While that might be one *possible* interpretation of the title, clearly it's not the case here.

      • Mike Pullen
        May 10, 2016 at 3:27 pm

        Christian, many folks are obviously defaulting to that "one possible interpretation" of the title-- I am one of those.

        If the intent of the article is to click-bait and frustrate folks, ignore our suggestion.

        However, if the intent is to clearly communicate accurate information-- consider that the title is *not* clear and accurate because it can be (and is being) interpreted in an unintended way. Blaming "us" for misreading is, at best, unhelpful.

      • Ethan Knight
        May 10, 2016 at 4:04 pm

        I completely agree with Mike and Shikhanshu, the title is incredibly misleading and falls directly into the realm of clickbait. If that was your intention, then bite me, but if it was an honest mistake that is leading the misinterpretation by 100% of the comment replies so far; you might want to fix it.