Huge phishing email attack affects Gmail, Yahoo: reports

Hackers post more email account passwords online

  • Email to a friend
  • Print this article
  • Bookmark this page
  • RSS feed

By Siobhan Chapman | Computerworld UK
Published: 12:38 GMT, 06 October 09

A massive phishing attack, which originally impacted Hotmail, could also have impacted Gmail, Yahoo and AOL users, according to a report on the BBC.

A list of more than 20,000 usernames, passwords and email addresses from Hotmail, Yahoo, AOL, Gmail and other web email service providers has been leaked online, the BBC reports.

The list was published on the same website as the original list of 10,000 Hotmail login details.

FBI busts massive phishing ring | Spammers exploit hijacked Gmail, Hotmail passwords | Yahoo gives Apache open source Traffic Server

"Some of the accounts appear to be old, unused or fake. However, BBC News has confirmed that many - including Gmail and Hotmail addresses - are genuine," BBC's report stated.

It is not clear whether the list was part of the same phishing attack that collected the Hotmail addresses or a separate scam.

Microsoft yesterday confirmed that thousands of Windows Live Hotmail account usernames and passwords had been leaked to the Internet. Microsoft denied reports that its service have been hacked, but said the credentials were "likely" stolen in a phishing attack.

Neowin.net was the first to publish details of the original attack. It said the accounts were posted on 1 October to pastebin.com, a website commonly used by developers to share code.

The website, pastebin.com, was down at time of writing. A message on the site read: "Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site."

The message, which is signed by the website owner Paul Dixon, continued: "Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable. Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications."

Neil O'Neil, digital forensics investigator at The Logic Group, said: "Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft."

O'Neil, a qualified ethical hacker, used a simple hacking technique to obtain the list of 10,000 passwords within minutes of the breach being publicised.

After analysing the list, O'Neil said the large number of spelling mistakes in the data, including email addresses, indicates this was a high-scale phishing attack. He suggested that Hotmail account holders filled out forms designed by hackers to source sensitive data under the guise of conducting a security audit or similar.

"People tend to have the same password across many accounts - so there is a good chance that individuals have also compromised the integrity of their eBay or PayPal accounts too," he added.

What's more, a significant percentage of people used their date-of-birth as a password, while others used easy to guess passwords such as '123456'.

O'Neil advised people to choose complex passwords, then "write them down and put them in your wallet". If the wallet is lost or stolen, he advised people to change their password. "Three initials from your name and postcode will do the trick and will take a hacker weeks to crack. Using an old postcode adds another layer of protection," he said.

Contact Us

For editorial queries:
Max Cooter max_cooter@techworld.com

For website issues:
Email webmaster@techworld.com

For commercial queries
Russell Kearney russell_kearney@idg.co.uk

For more contact details click here.

What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.

Characters remaining: 500

Add your commentComments

cdg | Published: 09:47 GMT, 07 October 2009

Other ways to maintain a grip on complex passwords are to use secure services such as those from lastpass.com - or even pick up an inexpensive device which generates and keeps complex passwords in store via a yubikey from yubico.com.

DanTe | Published: 14:33 GMT, 06 October 2009

Cool marketing list. I'll be a lot of companies will legitimately pay for this list of imbeciles they can sell junk to.

Related Security news

Antivirus programs fail to stop new malware

One in three systems infected.

09 February 2010

Adobe sorry for 16-month-old Flash bug

Unpatched vulnerability 'slipped through the cracks'

HTML 5 leaves client storage open to web attacks

Security researcher says web apps could be vulnerable

Rugged Manifesto calls on developers for secure code

Security professionals call for better programming practices

Related Security reviews

Malwarebytes' Anti-Malware Free review

Kaspersky Lab AntiVirus 2010 review

Avira AntiVir Premium review

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Challenges and opportunities of PCI

The Payment Card Industry Data Security Standard provides an enterprise structure for improving operational, security, and audit performance. The benefits of the PCI DSS go beyond audit costs and results.

Download Whitepaper

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Six essential steps to successful IT centralisation

This report, based on the real experience of a recent centralisation project, is aimed at those involved in IT strategy within their organisation. It provides some practical insights for CIOs, CTOs, Heads of IT, IT Directors and those involved more closely with the service management function.

Download Whitepaper

Application Grid: The ideal platform for IT consolidation

Evaluating the opportunity for consolidation of middleware — Java application servers and related technologies.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper
COLT White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One

Techworld are running a short survey to discover how UK businesses are managing Internet and email misuse in the Enterprise.

Complete Survey

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *