Hackers post millions of stolen Gmail passwords on Russian site - Are Harding's passwords safe?

No doubt many of us have seen a headline over the last few days about stolen Gmail passwords appearing on a Russian website. If you haven't you can read some news about it here: Hackers post millions of stolen Gmail passwords on Russian site.

As you know Harding uses Google as our email service. So are our passwords safe?

There is an article in this weeks issue of Computerworld that talks about the issue in general: What you need to know about the Gmail Password Compromise.

More specifically in regard to Harding passwords, John Nunnally advises the following:

"The Russians are releasing the data they have a little bit at a time to keep the story "hot", if for no other reason.  Four days ago they released these five million or so gmail accounts and their passwords.  ...Google is aware of no security breach that allowed this information to be accessed.  They believe these five million accounts were compromised by phishing schemes and malware that does keyboard logging, etc.  In other words, these gmail owners effectively gave away their account information.

Harding.edu accounts are not gmail.com accounts even though Google hosts our harding.edu accounts. So I seriously doubt this list of five million gmail accounts includes any harding.edu accounts.  But that does not mean these Russians do not have some harding.edu accounts in the billion or so account credentials they collected.  I spend a lot of time dealing with Harding accounts that have been compromised, so certainly a number of our Harding users give their credentials away just like these gmail account owners did.

Our conclusion at the time of the original August report was that most of the data was so old that it was of little consequence to most of us. Harding requires regular password changes which all but guarantees that any "old" passwords have been aged out already.  But of course if anyone is ever concerned, they are encouraged to go to password.harding.edu and change their password. They certainly do not have to wait until they receive expiration notices.

As a matter of record -- Anyone with accounts anywhere with passwords over a year old should change them immediately.  Once a year is certainly not too often these days. Hackers do not want you to know that they have your password.  So usually the only way you find out you have been hacked is when you realize your account has been abused. The primary defense we have is to change our passwords regularly in hopes that, if we are hacked, we will have changed our password before the bad guys get around to using it."