Yesterday's phishing attack in which several thousand Hotmail username and password combinations were leaked to the web now appears to be just the beginning of a massive phishing attack affecting users of multiple webmail services including Gmail, Yahoo, AOL, Comcast, and Earthlink. The original list was posted anonymously on pastebin.com, a site generally used by developers sharing code snippets. Again, that site recently saw the addition 20,000 more login details from other webmail service providers, indicating what may the largest scale phishing attack to date.

The Hotmail Attack

In yesterday's attack, the list of comprised Hotmail accounts were limited to those where the usernames started with the letter "A" or "B." However, that seemed to imply that the posted portion might actually be a part of a bigger list containing even more login/password combinations. At the time, a Microsoft spokesperson said that the company determined "this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts." Instead, claimed the spokesperson, those users whose credentials were revealed were likely to be victims of an online phishing attack where a third-party website was involved.

Phishing attacks are typically carried out via email messages where the attacker tricks the recipient into revealing their username and password by pretending to be some sort of trustworthy entity such as the user's bank, IT administrator, a popular website, or an online service. In the case of the stolen Hotmail passwords, it's possible that the attacker sent emails which claimed to be from the end user's email provider. If the user then followed the link contained within the malicious email, they would have ended up not on the actual email provider's site, but on a third-party site whose sole purpose was to capture their username and password when entered.

Beyond Hotmail: More Webmail Providers Affected

According to a story in today's BBC News, the most recent list of compromised accounts, which includes login credentials for Gmail, Yahoo, AOL, Earthlink, and Comcast users, contains some accounts that appear to be old, unused, or fake. However, many others listed are, in fact, genuine.

There's no way to be sure at this point that the new list is a part of the same phishing attack as yesterday's or if it's a new and separate scam.

The website where the accounts were posted - pastebin.com - is now "down for maintenance." Visitors to the site today will receive a message that reads:

Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site

Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable.

Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications

Paul Dixon

Regardless of whether or not you think your account was compromised, today would be a good day to change the password on whichever webmail service you currently use. Better safe than sorry!