Gmail, Yahoo, AOL, and Others Also Hit by Phishing Attack
Yesterday's phishing attack in which several thousand Hotmail username and password combinations were leaked to the web now appears to be just the beginning of a massive phishing attack affecting users of multiple webmail services including Gmail, Yahoo, AOL, Comcast, and Earthlink. The original list was posted anonymously on pastebin.com, a site generally used by developers sharing code snippets. Again, that site recently saw the addition 20,000 more login details from other webmail service providers, indicating what may the largest scale phishing attack to date.
The Hotmail Attack
In yesterday's attack, the list of comprised Hotmail accounts were limited to those where the usernames started with the letter "A" or "B." However, that seemed to imply that the posted portion might actually be a part of a bigger list containing even more login/password combinations. At the time, a Microsoft spokesperson said that the company determined "this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts." Instead, claimed the spokesperson, those users whose credentials were revealed were likely to be victims of an online phishing attack where a third-party website was involved.
Phishing attacks are typically carried out via email messages where the attacker tricks the recipient into revealing their username and password by pretending to be some sort of trustworthy entity such as the user's bank, IT administrator, a popular website, or an online service. In the case of the stolen Hotmail passwords, it's possible that the attacker sent emails which claimed to be from the end user's email provider. If the user then followed the link contained within the malicious email, they would have ended up not on the actual email provider's site, but on a third-party site whose sole purpose was to capture their username and password when entered.
Beyond Hotmail: More Webmail Providers Affected
According to a story in today's BBC News, the most recent list of compromised accounts, which includes login credentials for Gmail, Yahoo, AOL, Earthlink, and Comcast users, contains some accounts that appear to be old, unused, or fake. However, many others listed are, in fact, genuine.
There's no way to be sure at this point that the new list is a part of the same phishing attack as yesterday's or if it's a new and separate scam.
The website where the accounts were posted - pastebin.com - is now "down for maintenance." Visitors to the site today will receive a message that reads:
Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site
Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable.
Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications
Paul Dixon
Regardless of whether or not you think your account was compromised, today would be a good day to change the password on whichever webmail service you currently use. Better safe than sorry!
Share
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
damn...thats why I stick with G G G Mail...
what the heck is G G G mail?
Sorry to be the stick in the mud, but I think that if someone is silly enough to be caught out by phishers then it could be a good lesson.
A lot is said by companies every single day about keeping your password safe, not giving your passwords to just anyone, making sure the URL points to the real site etc etc
I guess it's more the newbies that fall for this. Personally I've been on the net since 1995 and no Nigerian or phisher will be causing me to part with any one of my passwords :D
I think this is crazy how people have nothing better to do with there time but sit around and try to destroy other peoples stuff its crazy and they need to get a life...
That is scary!
I use an iMAC so when I click a phishing site I get a big red warning pop-up. The truest way to identify a bogus site is this: say their from BANK OF AMERICA (as was my latest one) and you click the link, LOOK AT THE DOMAIN ADDRESS::: if it begins with a word or name OTHER THAN that which solicited your attention, it is fake. --- Em Jay
Phishing attacks are a waste of time for the ones who carry them. They gain too little.
The list of comprised Hotmail accounts were limited to those where the user-names started with the letter "A" or "B."Phishing attacks are a waste of time for the ones who carry them.I think this is crazy how people have nothing better to do with there time but sit around and try to destroy other peoples stuff its crazy and they need to get a life.
Twitter is in a similar situation to what Digg was when Yahoo! launched Buzz, but the difference is that Meme is better than Twitter and Buzz wasn’t better than Digg. Also, Digg wasn’t having stability issues like Twitter has been.
thanks so much 4 a nice topic. it's really a wonderful
Phishing attacks are a waste of time for the ones who carry them. They gain too little.
thanks so much 4 a nice topic. it's really a wonderful