Posts Tagged ‘password security’
Phishing scam targets Gmail
Written by Dan Blacharski on October 7, 2009 – 4:51 pm
The BBC reported today that Google is the latest of several cloud-based email systems to be hit by a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list.
The cracked email passwords aren’t just from Google’s popular Gmail system, though; the list also includes names of Microsoft Hotmail users, along with Yahoo, AOL, and other providers. The first reports of the scam appeared when Pastebin, a legitimate web site used by programmers to share code, was used to post 10,000 Hotmail addresses.
Are there even more lists out there? Probably. The Neowin blog first reported the hack on Hotmail accounts, noting on October 1 that the lists detail 10,000 accounts with email addresses starting with “A” and “B”. Although only three lists have been detected so far, the alphabetical nature of the lists would imply that there are more floating around to account for the rest of the alphabet.
Bloggers, commentators and security folks are recommending that if you use Hotmail or Gmail, you change your password immediately. Even better—stop using Hotmail or Gmail and stay away from free cloud-based email services altogether.
For their part, Google issued a forced password reset to all affected accounts, and Microsoft indicated that they too are taking steps to help customers regain control of their accounts.
Password theft is big business
Written by Dan Blacharski on September 16, 2009 – 2:20 pm
If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s Washington Post. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend’s email and her boyfriend’s wife’s email.
The service is able to quickly deliver a password to a customer, for a surprisingly small fee. And YourHackerz.com isn’t the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services freely. For a hundred bucks, they promise to “crack all major web based emails”, including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of cracking before payment. How’s that for good marketing?
Although the cracker service bureau doesn’t specify its techniques, the Washington Post article speculates that they use a Trojan horse technique: the victim receives an email with a link to a greeting card or some other innocuous-looking item which, when downloaded, launches a keystroke grabber that captures passwords and sends them back to the host. It’s quite likely that these types of services use a combination of techniques.
The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happen every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?
Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don’t use free webmail accounts. These are the easiest to crack by far (as Sarah Palin found out). Next, use complex passwords. This can actually only go so far as a means of protection though—if the cracker has a keystroke grabber, no matter how complex your password is, it can be stolen. Use encrypted email for sensitive messages, and connect to your login screen using a secure session.


