Posted October 6, 2009 3:19 pm by with 2 comments


A phishing attack is targeting thousands of web-based email users, according to the BBC and Read Write Web. Tens of thousands of users of each site have already been victimized, with the usernames and passwords available on lists.

To entice users to offer up their private passwords, phishers imitate legitimate sites and ask for login information. The reports didn’t indicate what site the phishers were imitating.

This comes hot on the heels of Gmail dabbling with showing favicons from a few trusted senders. Maybe they should start considering

The first list of 10,000 usernames covered users of Hotmail sites, AOL, Gmail, Yahoo, Earthlink and Comcast email services. But only usernames starting with A and B were included—meaning that there could be hundreds of thousands of other victims.

The lists were originally posted on, a site for sharing snippets of code. The owner of pastebin has removed the lists and plans to put more safeguards in place against this kind of activity.

Worried your account was affected? A Google spokesperson said:

We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts.

As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them.

If you think your account was affected, change the password. If you use the same password on other accounts, change it there, too.

What do you think? Is there more Google et al. can do to prevent phishing? What can we do to safeguard against it?

  • On September 4, 2009 I received a message that congratulates me to win Yahoo 2009 beta mail promotional prize. As an agent Mr Albert Morgan at sent me winning & reference numbers. When I respond him as I was instructed he further referred me to Dr Umaru Badamasi Amin at e-mail:
    Dear sir/madam, they asked all my address & even bank account. I REFUSED TO WRITE THEM.
    So is my account at Yahoo at risk? If yes, how can I be protected?

  • While this isn’t really the place to resolve your concerns (DO write to Yahoo), I would say that’s probably not what happened with these addresses. If you didn’t give your username and password, you’re probably okay.