A text file was published late on Tuesday to a Russian BitCoin security online forum which allegedly lists some 4.93 million Google account credentials.
The forum administrator has since purged passwords out of this file, leaving only the logins.
This follows only days after similar leaks relating to two popular Russian Internet services, leaking 4.66 million and 1.26 million accounts. In this instance, the accounts are Google accounts which are used for a wide raft of services - Gmail, Google+, Google Apps, Google AdWords, and the many other services provided by Google let alone Google Play - the Android app, music, book, and video marketplace.
In the previous leaks, the Russian services - Mail.ru and Yandex - both stated the accounts listed were predominantly obsolete services, or services suspended for behaviour contrary to terms of service, or were even simply non-existant accounts. They claimed their own databases had not been comrpomised and suggested the files contained accounts that had been harvested via phishing or other mechanisms over time.
At this time, it is believed the majority of the accounts published are for Russian Google users.
Google Russia states it is investigating the alleged leak, recommending Google users employ strong passwords and two-step login verification. This two-step process can be enabled on Google accounts but requires giving Google your mobile phone number which some privacy advocates reject on the basis it makes an anonymous account effectively non-anonymous.
There is no information at this time on whether Google has been compromised or if the accounts were harvested in the same manner suggested for the previous leaks. Realistically, if the users are predominantly Russian then this implies means external to Google were used to collect this information. Nevertheless, some Russian bloggers are already speaking out about the folly of trusting an "American company".
Late in December 2013 security vendor McAfee made a blog post reporting on a series of Android applications which had been discovered to secretly capture and transmit Google account names as well as IMEI numbers. In this post McAfee recommended Android users carefully review the privacy settings on applications they use. McAfee noted one Android permission allowed apps to access other online account credentials saved onto the device such as Facebook usernames.
While at this time Google has made no official statement it is prudent for Google users to consider their password complexity, whether two-factor authentication is a viable option, and how much access is being given to apps.