More news on those thousands of compromised Hotmail accounts: they weren't just from Hotmail.

Tech blog Neowin.net reported yesterday it discovered details on more than 10,000 Hotmail accounts and their passwords - most of them from European users - posted on Pastebin.com, a site developers use for code-sharing and debugging.

Since then, the BBC has found an additional list with 20,000 more accounts from Hotmail, Gmail, Yahoo Mail, AOL, Comcast and Earthlink.

Google told the BBC that less than 500 Gmail accounts were in the list. It's unclear how many accounts from the other providers were included, but most appear to be from Hotmail.

If 30,000 compromised accounts weren't enough, Google said they have found a third list. The company has not revealed how many accounts it contains or what e-mail providers are affected.

Some of the accounts the BBC found were "old, unused or fake," but several were legitimate and they can still be found online, the news organization said.

Google, just like Microsoft yesterday, said the leak is not the result of an internal breach. Both companies said that more than likely the account information was obtained through a phishing scheme.

Microsoft disabled yesterday the compromised accounts and is asking affected users to fill out this form to regain access. Google said it has forced password resets on the affected accounts.

Phishing is a tactic scammers use to steal victims' private information by tricking them into downloading malicious content encrypted on Web sites or e-mail attachments.

Although none of the Web mail providers affected has released details as to how hackers might have obtained the passwords, Sophos senior security advisor Chester Wisniewski speculated that a recently discovered phishing scheme might be connected.

Sophos researchers found in early September a spam e-mail message that offered users to find out which of their contacts have blocked them.

"The e-mail said 'put your credentials and we'll tell you if your friends have blocked you.' That seems to be in line with the timing here," Wisniewski said.

According to Computer World:

After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data -- for the first half of 2009 ( download PDF ) -- noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records.

Yesterday, Dave Jevans, the chairman of APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

Some of the passwords might have even been guessed, Wisniewski said, which seems very likely considering a researcher's analysis of the leaked passwords: the most common password among the first 10,000 accounts was "123456" (it was used 64 times).

Hopefully that's not the password you guys use. In any case, if you use any of the mentioned Web mail services, you should change your password some time soon.

Network World makes this very good point:

The password posting, and the presumed phishing attack behind it, serve to emphasize that your free Webmail account has real value to Internet crooks. They may sift through your messages looking for logins to financial sites, send bogus ads or requests for money to all your contacts, or demand a ransom for returning control of the account. You've no doubt seen a thousand suggestions to use a strong, unique password for your Webmail account, but this is why: Crooks can make money by stealing it.

The only thing I'm not clear on regarding this whole issue is how the list ended up on a public code-sharing forum. If the guys at Sophos are right and the passwords were obtained through a phishing scheme like the one Wisniewski described (I saw this spam e-mail on my inbox, by the way, and I have to admit I was tempted to see if any of my no-good friends has blocked me) (before you ask: I was strong and didn't do it), then I have to wonder what the hackers' motivations were in designing an ingenious scam and collecting details on tens of thousands of e-mail accounts - only to post them in a public place and alert their victims and the authorities.

Because, as Network World pointed out, there is money to be made here. I wonder if the thieves used the information and then made it public to mock Web mail providers (as Wisniewski suggested), or if it was posted before they could fully take advantage of it.

Anyway, moral of the story: be creative with your passwords and change them regularly. Yes, password management can be a pain, but you may want to try some of Network World's recommendations on the matter.

- Posted by Alejandro Martinez-Cabrera

blog.seattlepi.com/techchron/archives/181238.asp