Should You Trust a Site to Check If Your Gmail Password Was Leaked?
Hours after it surfaced, James Watt, an IT professional, questioned the site’s legitimacy by pointing out it had been created two days before the Gmail addresses leak. His main criticism missed the point. The site had been created after a similar leak earlier this week involving email addresses and passwords pertaining to Russian providers Yandex and Mail.Ru, according to IsLeaked’s owner, who declined to give his or her name to Mashable.
But Watt stood by the main point he was trying to make.
“I strongly discourage giving your information to any third party that claims to check your security for you,” he told Mashable.
The problem, he argued, is that you don’t know who you’re giving it to, and for all you know you might be sending your email to the same hackers who put out the list or someone else who is harvesting emails to sell them to spammers or get new, fresh email addresses to try to hack. Others on Reddit seemed to share his concern, and someone even created an open source “private” tool that checks the database of leaked emails without sending the address over to the site.
There is no indication IsLeaked was a nefarious site, and at first look, it seems to be legit. But Watt, according to security experts, does have a point.
“It’s sensible to be a little bit wary about who you share your email address with,” Graham Cluley, a noted security expert and blogger, told Mashable.
Imagine that this, or another site, is indeed run by bad guys. By harvesting their email addresses, the bad guys can amass a huge database of “folks that they know are concerned about whether their accounts might have been hacked,” Cluley said.
The risk in such a scenario is that the bad guys could send out spam or phishing attempts to those addresses, scaring users into believing their accounts had been hacked, Cluley explained, and tricking them into doing something unsafe — perhaps even something that tricks them into giving away their password.
What should concerned users do then?
In this case, Gmail actually said it forced the people whose password was indeed on the list (“less than 2%” of the 5 million) to reset their passwords. So there’s actually no need to check if your email is on that list anymore. If you haven’t heard from Google, you should be fine.
Think twice before giving out your email address, and be on the lookout for any spam or phishing attempt. And if you’re concerned, just change the password and turn on two-factor authentication, said Chester Wisniewski, a senior security adviser for Sophos.
If you really want to use a site to check if you are among the victims, Cluley points to haveibeenpwned.com, a site run by Troy Hunt, a security expert and software engineer. The site lets users check if they’ve been victims not only of this leak, but also of several past ones like the infamous Adobe leak, which exposed more than 150 million accounts.