Find out if your Gmail password was stolen

Update: From what has been gathered so far, it appears as if this is not a new hack, and that the list may have been created from different sources.

Today's big news is the release of a database with more than 5 million Gmail email account user information. The database appears to include usernames, passwords and email addresses of users and while it has not been confirmed as legitimate yet by third parties it has been made available publicly on the Internet.

It is for instance possible to download all leaked email addresses from the file hosting service Mega. While you will only find email addresses listed in the 100 Megabyte text document, it is enough to verify if your own Gmail email address is affected by the leak.

Downloading the email address and searching for your own email is probably the best option that you have to find out if you are affected. If you don't want to download the packed 36 Megabyte file to find out, you can also use third-party services such as Is Leaked on the Internet.

Update: removed the direct link to the site. Use the Mega download instead to verify if your email is on that list.

Here you need to enter your Google email address first to check it against the service's database. The service will notify you if the email that you have entered has been leaked or not. To confirm that the situation is dire, it will display the first two characters of the password as well which account owners can use to verify the claim.

Change your password

If your email is on the list, change your Gmail password immediately. This is the most important step and should come before any other steps that you can undertake.

1. Open the security page on the Google website.
2. Click on change password.
3. Enter your current password and the new password twice.

This blocks anyone from accessing your account with the old password. You may also want to sign out of all existing Gmail sessions. You find information on how to do that below.

Verify your account was not accessed

You may want to know whether your account has been accessed if your email address and user information are on that list. The best way to do so is to visit the official Gmail website, sign in to your account if you have not done so already, and click on the "details" link at the very bottom of the main screen.

This lists all recent activities sorted by data and time. For each activity, the access type, e.g. web browser or mobile, location and IP address are recorded which may provide you with additional hints.

Here you can also click on "sign out all other sessions" to block any other session that may be accessing your data at that time.

You may also want to check your Google account activity as well. Since it is possible to use a Gmail account to access other Google services, you may want to make sure that this did not happen as well.

Visit this page on the Google website to verify that all activities are legit.

Protect your account with two-factor authentication

You can improve the overall security of your account by enabling two-factor authentication. While you do need to add a mobile phone number to your account for that to work, it improves the security significantly by adding another layer of protection to the sign in process.

Attackers cannot use email address and password alone anymore as they do need access to the mobile phone number as well to check the code that is generated during the sign in process.

Here are a couple of links to get you started:

1. How to enable Google two-step verification
2. Use Google 2-Step authentication without mobile phone
3. Google account features you need to know about