It’s been a tough week for the large webmail providers. Up to 30,000 email addresses and passwords from GMail, Hotmail, Yahoo Mail, AOL, Comcast and Earthlink accounts were posted online at a number of sites including Pastebin.com.
Although some of the accounts on the list appeared to be old, unused or incorrect, many have been confirmed as genuine. Google, Microsoft and Yahoo are continuing to advise users to change their passwords if they think their account has been compromised.
It should be noted that none of the webmail systems has been hacked or exploited. The majority of webmail systems are secure; they have been run successfully for many years without major security breaches. Most security experts suspect the account details were collated using phishing attacks. However, the scale of the problem has led some to believe that key-logging malware could be to blame.
Unfortunately, the problem has become self-propagating and account breaches could increase exponentially. Online security company Websence has identified a sharp increase in the number of spam emails being sent from GMail, Hotmail, and Yahoo accounts. Hackers and cyber-criminals are using the webmail systems to send further phishing emails to real address book contacts.
Although duped users tend to be IT novices, the rise of webmail systems has inevitably exacerbated the issue. Many people use several accounts; it’s easy to send an email to a GMail user stating that an important message is waiting in their Hotmail account and provide a helpful link to the log on page.
Is there a solution? User education will obviously help but, for inexperienced clients, perhaps you could consider installing a standard POP3/IMAP email client on their PC? They won’t have the benefits of remote access, but they need never know their email password.
Have you or any of your clients had a webmail account compromised?
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
