Final update (Sep 12): Lorenzo Franceschi-Bicchierai at Mashable has written the most comprehensive explanation I’ve seen yet. While it is true that IsLeaked was registered 2 days before the Gmail leak, there were leaks earlier in the week for Yandex and Mail.ru. But there are still real concerns when using unvetted third-party tools to check your security.
Most media outlets are currently reporting that 5 million user accounts and passwords have been leaked. The earliest sources I can find for news outlets reporting this information all date to the 10th.
The source is traced back, at earliest, to a Russian bitcoin market forum with a post on Sept 9 at 23:55. Screenshot below.
All of the news articles are telling people to go to isleaked.com to check their addresses. However, I don’t think any of the media has vetted this website, and they could possibly be sending millions of people to a website run by people harvesting email addresses (for spam or other hacking activities). It’s even possible that isleaked.com is run by the very people who leaked the passwords in the first place. Why could this be? Because isleaked.com was registered on the 8th, 2 days before the story broke anywhere else. You can run the whois yourself. Screenshot below.
Please comment with any thoughts or info you may have.
Update: After tweeting with the author of the Lifehacker article, he has removed the link to IsLeaked.com. I still want to further press the issue by posing this question: If someone knew about the password leak on the 8th, why would they quietly make a website and then wait for someone else to break the story? If they were truly trying to help, why not break the story themselves and thus ALERT users?
Update2: I am officially endorsing this private Gmail leak tester. It is open source and performs the test locally (client side) without sending your information to their servers. While others may or may not be keeping your information, it would be impossible for this one to keep your information. I spoke in great detail with the author last night.
Update3: There may be evidence that the site was originally set up for Yandex users 2 days ago and they added Google later. Read the comments below and decide for yourself. I still think it’s too convenient of a timeline, bizarre that the website is registered in France yet created by Russians, etc. I don’t recommend giving them your email address when there are client-side solutions available.
Update4: @isleaked has been very adamant about having me remove this article from the Internet. Regardless of everything, we still don’t know what they are doing with the addresses. It’s a moot point now anyways since Google has locked out any compromised accounts. You stand to gain nothing by using IsLeaked.com regardless of whether it is legitimate or not. So, again, I’m not sure why they want this article removed. A benevolent website would simply link you to the Google update.