Scam Compromises Email Accounts

This was written by Jim Garrettson on Wednesday, October 7, 2009, 11:38.

The other day, Microsoft confirmed that a number of Hotmail account login information was compromised and posted online. It now appears that the breach is significantly wider, extending to Gmail, AOL, Yahoo, Earthlink and Comcast email accounts.

Over 30,000 accounts have been posted online according to a list the BBC viewed. Google has moved to mitigate the threat by forcing users to alter their login credentials. Google also claimed that the breach was not a result of security issues with Gmail. Instead, it was based on a phishing scam in which victims voluntarily gave login information to the scammers. Microsoft has also moved to block the compromised accounts. The various account information was posted in two different lists that have subsequently been removed.

The discovery of the original breach of 10,000 Hotmail accounts prompted their removal from the website pastebin, a site used by developers to share code. However, researchers already detected a number of spam attacks that were subsequently generated from a number of the compromised email accounts. It is currently unclear precisely what phishing scam was employed but it clearly breached a number of email accounts across service providers. The incident highlights some of the basic problems that users face with email. Despite warnings from service providers, a large proportion of users utilize the same password for multiple login accounts. Compromised passwords and emails can help to give hackers access to bank accounts and other web pages. A researcher who examined the list of compromised names and passwords found that a number of the passwords were insecure. The most common password was 123456, which is significantly insecure. The best passwords utilize numbers, letters, and symbols.

Phishing scams often involve a fake email that invites an unsuspecting user to click on a link to a web page. When the user arrives at the web page, which is often disguised to look legitimate, they are asked to provide login details in order to access the site. Once that information is entered, the hackers are able to use the information to hijack the email account and potentially compromise other accounts, particularly financial accounts. These recent breaches highlight the increasing need for better educational efforts of the general public. During the launch for National Cyber Security Awareness Month, the FBI’s Assistant Director for the Cyber Division, Shawn Henry, stated that the “average American does not understand what the threat is.” The event calls for increasing the educational drive to make individuals more aware of sound security practices, such as altering passwords and using different ones for different functions.