Google Gets In Front of Billabong Data Breach

Last week was a bad week for password breaches. The most obvious incident was the news about the Yahoo! breach of approximately 450,000 user logins and email addresses of the Yahoo! Voices service. The worst part of this breach, and in my mind what makes it even more egregious than the LinkedIn breach that I wrote about last month, is that in the Yahoo! case the passwords that were compromised weren't encrypted at all. They were stored in plain text! Once they had the list, the attackers didn't have to do any work to crack it to make it usable. The data was merely handed to them on a platter.

With all of the news surrounding the Yahoo! incident, you may not have known that less than 24 hours after that news broke, hackers also dumped a cache of logins and passwords allegedly resulting from a hack of Billabong. Once again, these passwords were being stored in plain text, so the hackers needed to do zero work to crack them once they were stolen.

The purpose of this post, however, isn't to point blame or ponder why we appear to have learned nothing about proper password management. It's actually to give kudos to Google for their response to the situation.

Google matched the email addresses that were made available in the dump against their own Google Apps database and sent an email message to the domain admins of those domains believed to have been affected by the breach. An excerpt of their email follows:


Google has become aware of a security incident involving Billabong that may have affected the security of some users in your Google Apps domain: REDACTED.

The following users were found on a list of compromised Billabong credentials released by those claiming responsibility for the Billabong security breach.

These users signed up for their Billabong account using their Google Apps email address and there is a high risk that they used the same password for both their Billabong account and Google Apps account:

<user list here>

Although part of the reason that Google sent this message out to Google Apps domain admins was to protect their own interests, since the compromised Billabong accounts may use the same password as their Google Apps account, I applaud Google's response here in wanting to get in front of the issue and alert their users to the potential for these accounts to be taken over by the bad guys. This wasn't their issue to respond to, yet they took the initiative with the goal of protecting their users. As an industry, I'd love to see more of this. Kudos!
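The kind of matchup described above, sketched as an added example that is not part of the original post and not Google's code: addresses from a dumped credential list are matched against a directory of hosted domains and grouped per domain, so each admin can be told which of their users appear. The sample dump, the directory layout and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a dumped credential list (one "email<sep>password" per line).
SAMPLE_DUMP = """\
Alice@Example.com:hunter2
bob@example.com;letmein
carol@other.test:pass:with:colons
not-an-email-line
dave@unmanaged.test:qwerty
alice@example.com:hunter2
"""

# Constructed directory: hosted domain -> lowercase account local parts.
SAMPLE_DIRECTORY = {
    "example.com": {"alice", "bob", "erin"},
    "other.test": {"carol"},
}


def extract_email(line):
    """Return the normalized address from a dump line, or None if malformed.

    Only the address is kept; the leaked password is discarded immediately.
    """
    candidate = re.split(r"[:;,\t]", line.strip(), maxsplit=1)[0].strip().lower()
    local, at, domain = candidate.partition("@")
    if not at or not local or "." not in domain or "@" in domain:
        return None
    return candidate


def affected_by_domain(dump_text, directory):
    """Group dumped addresses that match a known account, keyed by hosted domain."""
    hits = defaultdict(set)  # sets de-duplicate repeated dump entries
    for line in dump_text.splitlines():
        email = extract_email(line)
        if email is None:
            continue
        local, _, domain = email.partition("@")
        if local in directory.get(domain, ()):
            hits[domain].add(email)
    return {domain: sorted(users) for domain, users in sorted(hits.items())}


if __name__ == "__main__":
    for domain, users in affected_by_domain(SAMPLE_DUMP, SAMPLE_DIRECTORY).items():
        print(f"Notify admin of {domain}: {', '.join(users)}")
```

A match only shows that the address appears in the dump; whether the same password was reused is unknown, which is why the notice quoted above speaks of a high risk and not a confirmed compromise.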
