By Craig Buckler

Webmail Security Breaches Continue

It’s been a tough week for the large webmail providers. Up to 30,000 email addresses and passwords from GMail, Hotmail, Yahoo Mail, AOL, Comcast and Earthlink accounts were posted online at a number of sites including

Although some of the accounts on the list appeared to be old, unused or incorrect, many have been confirmed as genuine. Google, Microsoft and Yahoo are continuing to advise users to change their passwords if they think their account has been compromised.

It should be noted that none of the webmail systems has been hacked or exploited. The majority of webmail systems are secure; they have been run successfully for many years without major security breaches. Most security experts suspect the account details were collated using phishing attacks. However, the scale of the problem has led some to believe that key-logging malware could be to blame.

Unfortunately, the problem has become self-propagating and account breaches could increase exponentially. Online security company Websense has identified a sharp increase in the number of spam emails being sent from GMail, Hotmail, and Yahoo accounts. Hackers and cyber-criminals are using the compromised webmail accounts to send further phishing emails to the victims’ real address book contacts.

Although duped users tend to be IT novices, the rise of webmail systems has inevitably exacerbated the issue. Many people use several accounts; it’s easy to send an email to a GMail user stating that an important message is waiting in their Hotmail account and provide a helpful link to a fake log-on page.

Is there a solution? User education will obviously help but, for inexperienced clients, perhaps you could consider installing a standard POP3/IMAP email client on their PC? They won’t have the benefits of remote access, but they need never know their email password.

Have you or any of your clients had a webmail account compromised?

  • My220x

    I’m surprised that a number of people fall for it. I guess what happened is people’s computers got infected with a virus, spyware, whatever, and their computers have been changed to redirect, whatever, to a fake phishing page.

  • fattyjules

    I’ve just installed LastPass, and it’s fabulous (I’m in no way connected to them).

    I’ve now updated all my web accounts with different hard-to-brute-force passwords. I don’t need to remember any of them; as long as I have my LastPass details, I’m set, even when I’m away from my normal computer.

    Now, if any of these sites are compromised, any credentials discovered can’t be used to get into any of my other accounts, which previously had similar username/password combinations.

  • markfiend

    Prompted by this story, I wrote a quick-and-dirty password generator in Python. It generates the same random-looking password if given the same inputs.
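As an added illustration of the two ideas in the comments above (one distinct, hard-to-brute-force password per site, and a generator that returns the same password for the same inputs), here is a deterministic per-site password derivation in Python. This is example code written for this page, not markfiend’s script or LastPass’s method; the master secret, site names and counter values are constructed inputs, and the usual caveat applies: whoever learns the master secret can derive every password, so it must never be typed into any web log-on page.

```python
import hashlib
import string

# 64 symbols (letters, digits, '-' and '_'), so a byte taken modulo 64
# maps onto the alphabet without bias (256 is divisible by 64).
ALPHABET = string.ascii_letters + string.digits + "-_"
ITERATIONS = 200_000  # PBKDF2 work factor; slows offline guessing of the master


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password from a master secret.

    Same (master, site, counter) always gives the same password, so nothing
    needs to be stored. Different sites give unrelated passwords, so one
    leaked site password does not reveal the others. Bumping the counter
    rotates a site's password without changing the master secret.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    # Site name and counter act as the salt; normalise case so that
    # 'Yahoo.com' and 'yahoo.com' derive the same password.
    salt = f"{site.strip().lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def all_distinct(master: str, sites: list[str]) -> bool:
    """Check that a set of sites never shares a derived password."""
    passwords = [derive_password(master, s) for s in sites]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master_secret = "correct horse battery staple"
    for site in ("gmail.com", "hotmail.com", "yahoo.com", "ebay.com"):
        print(site, derive_password(master_secret, site))
```

Rotating a single site after a breach is then `derive_password(master_secret, "yahoo.com", counter=2)`, while every other site keeps its existing password.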

  • Anonymous

    I just use Password as my Password. Nobody would be as stupid as me to guess it…..

  • Beth in Austin

    I’m not a novice and haven’t fallen for any phishing email, however, I recently had my yahoo email account breached. It seems to have happened when I logged into webmail while on unsecured wireless at a coffee shop. Ironically, I logged in so I could retrieve an email that would allow me to log onto the shop’s network.

    Getting into my yahoo account allowed them to use the “forgot my password” feature of eBay and they hijacked that account and changed email & shipping info so I didn’t know they were making purchases with it. eBay let me know something was up.

    My password was not the strongest it could be, but also wasn’t that bad. All passwords have now been upgraded to top strength, but I’m wondering if that’s good enough. How do you prevent someone from getting this information when on unsecured wireless? It’s not like you can totally avoid the situation. It’s part of modern work life now.
