Huge phishing email attack affects Gmail, Yahoo: reports

A massive phishing attack, which originally impacted Hotmail, could also have impacted Gmail, Yahoo and AOL users, according to a report on the BBC.

A list of more than 20,000 usernames, passwords and email addresses from Hotmail, Yahoo, AOL, Gmail and other web email service providers has been leaked online, the BBC reports.

The list was published on the same website as the original list of 10,000 Hotmail login details.

"Some of the accounts appear to be old, unused or fake. However, BBC News has confirmed that many - including Gmail and Hotmail addresses - are genuine," BBC's report stated.

It is not clear whether the list was part of the same phishing attack that collected the Hotmail addresses or a separate scam.

Microsoft yesterday confirmed that thousands of Windows Live Hotmail account usernames and passwords had been leaked to the Internet. Microsoft denied reports that its service have been hacked, but said the credentials were "likely" stolen in a phishing attack.

Neowin.net was the first to publish details of the original attack. It said the accounts were posted on 1 October to pastebin.com, a website commonly used by developers to share code.

The website, pastebin.com, was down at time of writing. A message on the site read: "Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site."

The message, which is signed by the website owner Paul Dixon, continued: "Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable. Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications."

Neil O'Neil, digital forensics investigator at The Logic Group, said: "Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft."

O'Neil, a qualified ethical hacker, used a simple hacking technique to obtain the list of 10,000 passwords within minutes of the breach being publicised.

After analysing the list, O'Neil said the large number of spelling mistakes in the data, including email addresses, indicates this was a high-scale phishing attack. He suggested that Hotmail account holders filled out forms designed by hackers to source sensitive data under the guise of conducting a security audit or similar.

"People tend to have the same password across many accounts - so there is a good chance that individuals have also compromised the integrity of their eBay or PayPal accounts too," he added.

What's more, a significant percentage of people used their date-of-birth as a password, while others used easy to guess passwords such as '123456'.

O'Neil advised people to choose complex passwords, then "write them down and put them in your wallet". If the wallet is lost or stolen, he advised people to change their password. "Three initials from your name and postcode will do the trick and will take a hacker weeks to crack. Using an old postcode adds another layer of protection," he said.