Google recommends users change their passwords, and also enable 2-step verification to ensure no misuse. The Google account credentials stash was posted on btsec.com by user tvskit, who claimed 60 percent of the passwords were still valid.
The same Bitcoin security forum has been the host of the Mail.ru and Yandex username and password leaks over the past few days, published in the form of text files, just like with the Google leak. The three leaks are said to contain credentials of English, Russian and Spanish-speaking users.
Notably, Google and Yandex say there is no evidence of a recent hack on their own systems, and that the credentials appear to have been collected over years through phishing and hacking attacks.
Mail.ru reportedly saw 4.66 million username and password combinations leaked on Tuesday, and Yandex 1.26 million on Monday. Apart from changing their passwords, users can also check if their Google, Mail.ru, and Yandex passwords are among those leaked, with the help of a search tool. Note, the tool may be temporarily inaccessible due to high traffic.
Update: Google has responded with a written statement on its Online Security blog, saying, "We found that less than 2 percent of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We've protected the affected accounts and have required those users to reset their passwords."
Apart from reiterating that the leak was not the result of a breach of its systems, the company had prefaced the blog post saying, "One of the unfortunate realities of the Internet today is a phenomenon known in security circles as 'credential dumps' - the posting of lists of usernames and passwords on the web. We're always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers' credentials."