4M gmail addresses with passwords leaked (large html file, 150megs)

63 points by mr_november 8 years ago | 24 comments
  • nilved 8 years ago
    This is from 2014 and likely not a Google hack or leak but a subset of credentials revealed by hacks or leaks from other sites.

    https://productforums.google.com/forum/#!topic/gmail/4q3AYMi... and https://facepunch.com/showthread.php?t=1423764 refer to this link.

    Edit to add: https://haveibeenpwned.com/PwnedWebsites#BTSec

    • Karuma 8 years ago
      Indeed... My email is listed here, but it shows "password" as its password, which is completely false.

      I only use "password" in random websites that force me to register (but that I'll never visit again).

    • buckbova 8 years ago
      Caution, this is a link to the actual emails.
      • r1ch 8 years ago
        As a 150MB HTML file. Good luck, mobile users.
        • aaronpk 8 years ago
          Did not see that coming.
        • lechevalierd3on 8 years ago
          Yeah not sure why one would link to that file directly.
          • mr_november 8 years ago
            I've changed the title to reflect the size but there is no story here without the link. What would you have done? I ask not to confront but rather to learn.

            I didn't feel completely comfortable posting the link but thought it was better that it's out there (and it looks like it's not even new according to comments).

            • tmp_cURL 8 years ago
              To download, I used:

                curl https://pred.me/gmail.html -vo /tmp/pred.me.gmail.$RANDOM.txt
              
              There appear to be no malicious/unsafe <scripts/> at the moment. No HTML tags.

              Just one email per line, and a colon (:) delimiter for the password.

              The MD5 hash is:

                c1d5f3998459acea8d32937a4485c0b7
              
              Availability is spotty. The server is refusing connections, probably due to high load.

              The IP address resolved to:

                81.4.110.159
              
              I don't think the direct link is out of line. Some users might need guidance on how to safely inspect the file.

              In terms of HN community conventions and common behaviors, people will often submit a question like "Ask HN: Lorem Ipsum..." and then provide follow-up details in the message body, including relevant information, such as the details I've provided above.

              This way, if the owner of the resource at the address starts serving up malware, users can verify the content before consuming it.

              These are merely community memes though. Not any sort of auspicious, high-minded "best practices as prescribed by experts" or anything. Just some stuff a bro might do around here.

              Also, WHOIS info might be useful, if safety or malware is a concern...

              http://whois.domaintools.com/pred.me

              This doesn't preclude the domain owner having been pwnt and used as a patsy. Or even whether that person might have a valid reason for hosting the file?

        • coldcode 8 years ago
          I looked at the paste file. It had my gmail address (which is mostly what I use for public stuff) but the password came from only one place: travel.travelocity.com; however that user database is long gone as Travelocity is now just a brand of Expedia so that old account no longer exists. Of course I don't reuse passwords so it's not an issue. I wonder how it got there.
          • disposablename 8 years ago
            Probably passwords from other sites, not gmail. Lists my email next to a password I've never used on gmail, or any other important site.
            • Flammy 8 years ago
              I give this dump 12 more minutes until someone at Google uploads it to an internal tool to invalidate all of the emails listed.
              • acjohnson55 8 years ago
                Unfortunately, I wouldn't be shocked if someone out there had a tool that can escalate this exploit just as quickly.
              • rasz_pl 8 years ago
                fake, checked 3 gmails. not only are the passwords wrong, they are random garbage that was never used with those accounts
                • cuchoi 8 years ago
                  One returned me the error "You changed your password 5 months ago"
                      • kafkaesq 8 years ago
                        Fascinating. Any thoughts as to how this came about?
                        • Sephr 8 years ago
                          Mirror?
                        • fiatjaf 8 years ago
                          Can anyone see if my name is in there?
                          • simcop2387 8 years ago
                            I'm sure it'll get added to haveibeenpwned.com fairly quickly. That said I'm trying to grab it for the same reason. If your email is in your HN profile I'll give it a check.
                            • r1ch 8 years ago
                              Pretty sure it's already there, looks like https://haveibeenpwned.com/PwnedWebsites#BTSec
                              • simcop2387 8 years ago
                                Oh nice, I missed it in there. Sometimes it takes an hour or so before I see new ones in there.
                              • milas 8 years ago
                                I got an email for it on Nov 25.

                                Subject: Yours is one of 4,788,657 email addresses found in a paste titled "pred.me"

                                At the time, it showed up on the "Latest Pastes" on HIBP, but I think it's aged out now.