At least 50,000 email addresses and passwords belonging to Hotmail, Yahoo AOL, Comcast, Earthlink, and Google accounts have been discovered posted to the net by hackers. Microsoft and Google both denied any responsibilty for the breach, blaming it on a widespread phishing attack that involved fake websites that were identical to the real Hotmail, Yahoo and Google sites. The Google account details are of special concern as they would also allow a hacker or spammer access to Blogger, YouTube, and Google Docs accounts, potentially compromising even more sensitive data. Google says it too is aware of the breach and is resetting the passwords of the compromised accounts.
It’s not clear how such a massive theft was accomplished and if it really is the work of a wildly successful phishing attack or something even more sinister. Security experts say many of the compromised addresses are showing up in spam messages and that they may also be being used to spread a worm through Windows Live Messenger, although at this time no malware associations have been detected. As of now the list of stolen credentials only covers the letters A and B in the alphabet and it’s feared that there are more covering the rest of the alphabet. If this is true it could mean millions of accounts have been compromised.
Experts say the list was publically posted for one of two reasons. Either a hacker with a conscience wanted to make a point about how widespread and dangerous phishing is, or more likely, it was a hackers way of showing off what they have for sale.
Businesses with accounts on any of these services are advised to change their passwords ASAP. Choose a combination of letters and numbers and never use the same password for multiple accounts.