A large text file containing usernames and passwords of over 4.9 million Google accounts was leaked on Tuesday to Bitcoin Security, a Russian Bitcoin forum. After investigation, Google claims this list is likely a collection of credentials from different sources, and not the result of a breach in the company's account system.
The search giant claims fewer than 2 percent of the leaked username and password combinations might have worked and that Google's anti-hijacking systems would have blocked many of those login attemps. Google says it protected the affected accounts and have required those users to reset their passwords.
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.