A day after reports surfaced that 10,000 Microsoft Windows Live Hotmail user credentials had been stolen and posted online, the BBC has reported seeing a list of some 20,000 e-mail accounts and passwords belonging to users of Google Gmail, AOL, Yahoo Mail, Comcast and Earthlink. In both cases, officials laid the blame for the data exposure on phishers.
"We recently became aware of a phishing scheme through which hackers gained user credentials for Web-based mail accounts including a small number of Gmail accounts," a Google spokesman said. "As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts if we become aware of them."
Similarly, officials at Yahoo confirmed a phishing attack had claimed user credentials and urge the public to review information Yahoo has on e-mail safety. Among other things, the company recommends users be wary of pop-up warnings and avoid clicking on them if they look suspicious.
"Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo takes great effort to protect our users' security," the spokesperson said. "We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords."
In addition, Google reminded users to only provide Gmail log-in information to sites starting with https://www.google.com/acounts and never to click through any warnings their browsers may raise about certificates.
Paul Wood, MessageLabs Intelligence senior analyst for Symantec Hosted Services, noted that the impact of phishers getting their hands on this kind of information can be widespread, going beyond the accessing of the actual e-mail accounts.
"Apart from accessing the user's Webmail accounts, e-mail addresses are commonly used to log into social networking sites," Wood said. "So with a successful phishing attack, the bad guys not only gain access to an individual's e-mail account, but also a variety of other sites that may be linked to that account. People should be advised not to share the same password for these sites and should change their passwords at least every 90 days."
The attack also had a side effect - it showed that many users are utilizing weak passwords to protect their accounts. According to an analysis by Acunetix, 42 percent of the roughly 10,000 Hotmail passwords were "lower alpha" - meaning they contained only letters. Nineteen percent contained only numbers, and the most common password was 1,2,3,4,5,6.
"As we can see...a big majority of Internet users still use very poor passwords," blogged Bogdan Calin of Acunetix.