October 6, 2009

Gmail Compromised In Huge Phishing Scheme

Google has announced that Gmail, its email system, has been compromised in an "industry-wide phishing scheme".

The company has taken abrupt steps to protect the targeted accounts.

Phishing uses fake websites to entice people into giving up information such as bank account numbers. BBC News first found the two lists, which contain 30,000 names and passwords and have now been posted online.

"We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts," a Google spokesperson said to BBC News. "As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them."

The company emphasized that the con was "not a breach of Gmail security" but instead "a scam to get users to give away their personal information to hackers".

The phishing scam first targeted Hotmail accounts only. It was made public when 10,000 Hotmail addresses were posted on the website Pastebin, which is frequently used by developers to distribute code.

However, another list of 20,000 names has come to light, containing e-mail addresses and passwords from Hotmail, Yahoo, AOL, and Gmail.

Several accounts seem to be out of date, unused or counterfeit. Nevertheless, BBC News established that several Gmail, Yahoo and Hotmail addresses were real.

A spokesperson for Microsoft noted that the phishing issue is a continuous "industry-wide problem".

"Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software."

A Yahoo spokesperson encouraged customers to defend their accounts.

"We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords."

Graham Cluley of security firm Sophos echoed the spokesperson's message.

"I'd also recommend that people change the password on any other site where they use it," he said.
