Were Your Google Credentials Leaked?

By September 12, 2014 Security News 31 Comments

Early on Tuesday, Google announced that a potential 5 million usernames and passwords associated with Gmail accounts have been leaked. It is unclear how many of them are current vs. outdated credentials. According to Google’s blog post“less than 2 percent of the username and password combinations might have worked.”

Visit our email look-up tool to see if your account was part of the leaked data.

We strongly suggest that you take this opportunity to change your Gmail account password and generate a new, strong password using LastPass. To protect our users, those who have reused their LastPass master password as their Gmail account password have been temporarily deactivated. For your security, note that it is very important to never use your LastPass master password for other logins.

If you’ve experienced trouble with your account, please contact LastPass Support so we may assist you in reactivating your account and creating a new, stronger master password.

Be Secure,


  • Anonymous says:

    How would you know if a master password was reused for a gmail password? You aren’t supposed to know my master password…

    • Anonymous says:

      I would guess that they tried logging into LastPass with the leaked gmail credentials, and if the login was successful, they locked the account out (so no one else could do the same thing)

    • Amber Gott says:

      We use a hashing system to perform this operation locally on your device, so that the “check” can be run securely and without transferring any data back to LastPass.

  • Anonymous says:

    LastPass, please be transparent on how googlemail.com addresses (former domain name which Gmail had to offer in Germany for many years due to legal reasons) are handled by the tool. Looking at the result, it’s unclear as to whether such addresses are supported.

    If I type in my googlemail.com address, the tool claims it’s not a gmail address. So if I specify the corresponding gmail.com address and it tells me it’s not found, is that because

    (a) LastPass knows that Google has been treating the two domains identically (that is, @googlemail.com and @gmail.com are equivalent), and it does a lookup on both domains with none being found in the database; or
    (b) LastPass *only* looks up my gmail.com-equivalent address which is not found in the database.

    In case of (b), I wouldn’t know if it was in fact my googlemail.com address that showed up in some hacker’s database.

  • Anonymous says:

    Just a minor comment – I think your Post Title is mis-leading. The passwords clearly weren’t “leaked” by someone (or some machine) at Google. As we all know, nowhere in Google’s systems would the passwords be available. These were either “hacked” by someone, or are just guesses based on passwords people used at other sites. They were “published”, yes, by someone. But to use “leaked” will imply to less knowledgeable folks that there is a security breach at google, which obscures the real problems and unfairly tarnishes google.

    • Anonymous says:

      Sorry – and when I said “Hacked” above, I didn’t meant that someone “hacked” into Google’s systems. I mean that I bet some (many?) of those passwords are findable by hackers using simple things like dictionary attacks.

  • Anonymous says:

    I’ve been reluctant to use LastPass because I can’t tell how they handle Gmail’s two factor authentication.

    • Anonymous says:

      Ummm – Lastpass doesn’t have anything to do with Gmail’s 2-factor auth. You use Lastpass to store your gmail password. The 2nd factor is generated separately – either on your smartphone or by text to your smartphone depending on which option you use. That 2nd factor is only valid for a very short time. However, you can also use Lastpass to store the list of backup-in-case-all-else-fails one-time passwords for gmail. Printed out in small type with no identifying title and folded up small inside your wallet also works.

  • Anonymous says:

    Why did it take you so long to write this article? [serious]

    I heard about the leak on my local TV news. How are they ahead of an online site dedicated to security? And why did it take LP 3 days to write a post? I wanted to direct my gf to this blog but there was no article to direct them to. That would have been a good opportunity to educate her on security and encourage her to use LP.

    And now I hear about some Home Depot breach…

  • Anonymous says:

    My email adress is in the list. I checked the original leak file, and found that the password there looked like one i generated using lastpass, and I am confident i never used it for my google account. I looked up the password in lastpass and found it was used only in an online record store that uses my email as user name.

    finding accounts by password in lastpass is cumbersome. I ended up creating a bogus entry with the compromised passwd, and ran the security challenge, so it turned up as a duplicate.
    i’m not sure if i would have found it was an older password that is hidden in lastpass history.

    Lastpass – would you consider adding a feature to do this better ?