Following the news of a vast breach of Google’s servers that resulted in an alleged 5 million email addresses being hacked, various websites were suggesting that readers should check whether they had been victims by entering their email addresses into “checking tools” – websites that can determine whether an email address is in a list of hacked credentials.
The problem is, some of these checking tools weren’t as legitimate as the websites linking to them might have hoped…
5 Million Email Addresses: The Truth
Reported at the time as a massive leak of 5 million Gmail account usernames and passwords, it soon transpired that the story was, well, just that: a story.
Explaining it a little later, Google revealed that less than 2% of the username/password combinations were accurate, and that their own login security tools would have caught the majority of those.
They also clarified that the credentials weren’t hacked from their own servers, but from other websites:
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others.
So, a Gmail account picked up in a previous breach – high profile or otherwise – could have been one of those in the data dump of credentials in the hands of the “hackers”. Essentially, this was information that might already have been online in one form or another: Gmail accounts cribbed from several sources.
But how did this story go mainstream so quickly? Probably with the help of a big, round number like 5 million, and the clever string pulling of the hackers who posted the account passwords on a Russian Bitcoin forum. Throw in an online checking tool that confirms whether your own email account is in the dump, and you’ve got a big news story.
Of course, it seems likely that isleaked.com is not the website people thought it was.
How A Fake Hacked Email Account Checker Works
Checking an email address against a database (which might be SQL, Access or even a text file) of hacked email accounts is relatively straightforward. Combined with an easily downloaded script, such a website could be set up in 30 minutes or so.
Looking For A Legitimate Hacked Email Account Check?
Troy Hunt, meanwhile, has a much better approach, which is why you should be using his site to check for the leaking of your credentials whenever you read or hear of an account hack.
As explained on his blog, Hunt has built Have I Been Pwned?, a legitimate website (Hunt is a Microsoft MVP for Developer Security) designed for average users to type in their email address and find out whether or not they have been hacked. Using data from breach dumps posted to sites like Pastebin.com, it even tells you which breach is responsible for your email account’s presence in its database.
When the results are displayed, the site shows the name of the website that your account details were leaked from. Hopefully, that site would have emailed you privately or made an announcement.
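To make concrete what a lookup service of this kind does behind the form, here is an added example (not code from Have I Been Pwned? or from any site named in this article). It parses constructed “email:password” dump lines from two made-up sources, discards the passwords, indexes addresses by hash rather than in plaintext, and reports which sources a queried address appears in. The source names and sample lines are invented for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: lines in the "email:password" style seen in credential
# dumps, grouped by the (made-up) breach each was cribbed from. Not real data.
SAMPLE_DUMPS = {
    "example-forum-2012": [
        "Alice@Example.com:hunter2",
        "bob@example.com:letmein",
        "malformed line without separator",
    ],
    "example-shop-2013": [
        "alice@example.com:hunter2",
        "carol@example.org:password1",
    ],
}


def normalize_email(addr):
    """Lowercase and trim so case/whitespace variants collapse to one key."""
    return addr.strip().lower()


def email_key(addr):
    """Key the index by a hash of the address, so the lookup index itself is
    not a ready-made plaintext mailing list if it ever leaks."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_index(dumps):
    """Parse 'email:password' dump lines into {hash_of_email: set(sources)}.

    Passwords are discarded: a presence checker only needs to know that an
    address occurred in a dump, never the secret itself. Returns the index and
    the number of lines that did not parse.
    """
    index = defaultdict(set)
    skipped = 0
    for source, lines in dumps.items():
        for line in lines:
            email, sep, _password = line.partition(":")
            if not sep or "@" not in email:
                skipped += 1
                continue
            index[email_key(email)].add(source)
    return dict(index), skipped


def check_address(index, addr):
    """Return the sorted list of sources an address appears in (empty if none).

    The queried address is hashed for the lookup and nothing about the query
    is retained, which is the property a trustworthy checker should have.
    """
    return sorted(index.get(email_key(addr), set()))


if __name__ == "__main__":
    idx, skipped = build_index(SAMPLE_DUMPS)
    print("skipped malformed lines:", skipped)
    for probe in ["alice@example.com", "ALICE@example.com ", "dave@example.net"]:
        print(probe.strip(), "->", check_address(idx, probe) or "not found")
```

The same address appearing under two sources is exactly the “cribbed from several previous leaks” pattern the article describes; a checker built this way reports both, while the one thing it never needs to do is write the addresses people type into it to a log.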
(Of course, should you be concerned that your email account has been hacked, you should change your password anyway. Remember to make it secure and memorable.)
As you can see from the image above, my email account was one of the many retrieved in the massive Adobe breach of 2013. You should use the information Hunt’s site provides to act immediately, although be aware that even when your password has been changed, your email address will remain on the site.
If practical, changing the email address you use with your online accounts might also be worth considering.
Due Diligence Should Not Be A Thing Of The Past
A vital element of journalism is due diligence: the checking of facts. Simply regurgitating press releases is not enough. Any writer, whether churning out content for $1 per 1000 words or salaried to a top name in publishing, can do that.
Unfortunately, on the web, it doesn’t happen enough.
A few minutes of fact checking would have shown that the 5 million addresses claim was a fabrication. As we reported at the time, the addresses had been cribbed from a collection of previous leaks. The Russian hackers were able to collate a list rather than breach Google’s security.
Of particular suspicion, meanwhile, was the site recommended by many websites for checking emails, isleaked.com. Curiously, it was registered in Russia just two days before the leak; its sudden existence was either hugely fortuitous, or planned.
As I always say, there are no coincidences in online security.
After all, what better way to confirm the list of addresses you’re claiming to have hacked than to get the account owners to verify whether they’re still using them or not? It’s the modus operandi of spammers – dead addresses are worthless, which is why many spam emails ask you to respond. Your response is logged and the address retained.
The leak email checker isleaked.com could easily be a more sophisticated version of the same trick. While they claim:
We don’t collect your emails, URLs/IP addresses, access logs nor check results. Nor do we do anything harmful to your device during the test!
…there is little reason to trust the site. Troy Hunt, who has a reputation to uphold, explains how his site works, so it makes sense to use it.
The Verdict: Don’t React Without The Facts
What we can learn from this is that no one should act upon claims of data breaches and hacks without possessing the full facts. There are simply too many variables to take into account.
With the Gmail hack claims, it seems a safe assumption that the alleged hackers were simply verifying their collection of addresses, presumably used in various spam campaigns.
Some were genuine, others long expired.
The best website for checking whether your email has been hacked and found its way onto a site like Pastebin.com is haveibeenpwned.com.
Ironically, as far as the 5 million Gmail addresses that were supposedly hacked from Google are concerned, it was the technology press that was truly pwned.