Yahoo!, Gmail or AOL users also affected

Oct 7, 2009 13:39 GMT  ·  By

The BBC claims to have located a list containing 20,000 webmail login credentials on the same website where similar information about 10,000 Hotmail accounts was recently leaked. In addition, Google announced that it found a separate document containing email logins obtained through an industry-wide phishing attack.

Two days ago, the Neowin technology blog reported that a list of 10,000 Windows Live Hotmail logins and passwords had been posted on the text-sharing website Pastebin. Microsoft confirmed the incident and proceeded to secure the compromised accounts.

The BBC reporters scoured the Pastebin website for similar lists of stolen credentials and found another document containing usernames and passwords for 20,000 webmail accounts. This time, the accounts were not only from Hotmail, but also from Gmail, Yahoo! Mail and AOL. A few ISP e-mail addresses belonging to Comcast and Earthlink customers were on the list as well.

A Google spokesperson told BBC that fewer than 500 Gmail accounts were compromised and that their passwords had since been reset. Both Microsoft and Google said that the lists were likely the result of phishing attacks. This theory is also supported by an Acunetix security researcher who analyzed the leaked Hotmail passwords.

The Google representative also noted that the company had located a third, similar list, but did not offer any details about its content. Meanwhile, the Pastebin service was temporarily taken offline because of the massive amount of traffic it received once news of these lists broke.

Phishing schemes are social engineering attacks that attempt to trick users into giving out their login credentials or personal information. Most of the time, the cybercrooks behind these scams impersonate the companies whose customers they target and set up fake websites that look like the originals.

Bogdan Calin, CTO at Web application security company Acunetix, suggests that, at least in the case of the Hotmail attack, a fake login page that failed to redirect users to the real website was used. “I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). […] The users didn’t understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong,” he concludes.
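The retry pattern Calin describes is something an incident responder can look for when triaging a dump of this kind: the same account appearing several times in a row with passwords that are identical or differ only in capitalization. The script below is an added example, not code from the article or from Acunetix; the account:password lines it parses are constructed for illustration and are not taken from any of the leaked lists.

```python
"""Triage a credential dump for the retry signal described above: consecutive
entries for one account whose passwords collapse to a single case-insensitive
value. That pattern suggests the victim retyped a "rejected" password on a
phishing page that never redirected to the real site."""
from itertools import groupby

# Constructed sample dump (hypothetical accounts and passwords, not real data).
SAMPLE_DUMP = """\
alice@example.com:Sunflower7
alice@example.com:sunflower7
alice@example.com:SUNFLOWER7
bob@example.com:hunter2
carol@example.com:qwerty
carol@example.com:qwerty
dave@example.com:correct horse
dave@example.com:battery staple
"""


def parse_dump(text):
    """Return (account, password) pairs from 'account:password' lines.

    Malformed or empty lines are skipped; accounts are lower-cased so that
    entries for the same mailbox group together, while passwords are kept
    exactly as submitted so capitalization differences remain visible.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        account, password = line.split(":", 1)
        entries.append((account.strip().lower(), password))
    return entries


def find_retry_clusters(entries, min_attempts=2):
    """Map account -> list of submitted passwords for accounts that show the
    retry pattern: at least min_attempts consecutive submissions that are the
    same password ignoring case. Accounts with genuinely different passwords
    (e.g. a user trying several unrelated guesses) are not flagged.
    """
    clusters = {}
    for account, group in groupby(entries, key=lambda e: e[0]):
        passwords = [pw for _, pw in group]
        if len(passwords) < min_attempts:
            continue
        if len({pw.lower() for pw in passwords}) == 1:
            clusters[account] = passwords
    return clusters


def retry_ratio(entries):
    """Fraction of distinct accounts showing the retry pattern. A high value
    across a whole dump supports the 'non-redirecting phishing page' theory
    over, say, a server-side breach, where each account would appear once."""
    accounts = {account for account, _ in entries}
    if not accounts:
        return 0.0
    return len(find_retry_clusters(entries)) / len(accounts)


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for account, attempts in find_retry_clusters(parsed).items():
        print(f"{account}: {len(attempts)} attempts -> {attempts}")
    print(f"retry ratio: {retry_ratio(parsed):.2f}")
```

Running it on the constructed sample flags the two accounts whose repeated submissions differ only in case (or not at all), leaves the account with two unrelated passwords alone, and reports the share of accounts affected, which is the aggregate view an analyst would use when deciding which accounts to reset first.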

As security researchers from antivirus vendor Sophos point out, the threat goes beyond unauthorized access to one's email account, because, according to recent studies, as much as 40 percent of people reuse their passwords online.