Passwords for Hotmail, Gmail and Yahoo Mail stolen and posted online

Like Microsoft, Google was quick to point out that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

If you are confident you were not socially engineered to give up your password, which is all a phishing scheme really is, you are safe. The underlying issue isn't so much that the passwords are posted, most phishing schemes result in passwords being traded on certain black hat forums, as much as people are still falling for these scams.

I am the Information Systems Coordinator of a financial institution so phishing is on my radar but every single example of it I have seen had some pretty obvious signs it was not kosher.
 
Like Microsoft, Google was quick to point out that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

If you are confident you were not socially engineered to give up your password, which is all a phishing scheme really is, you are safe. The underlying issue isn't so much that the passwords are posted, most phishing schemes result in passwords being traded on certain black hat forums, as much as people are still falling for these scams.

I am the Information Systems Coordinator of a financial institution so phishing is on my radar but every single example of it I have seen had some pretty obvious signs it was not kosher.

..reading through it again, I now see it differently. When I first read it I thought it meant that through the phishing schemes someone was able to gain access into those systems. Now reading it a second time, especially what you highlighted, it leads me to believe that people who responded to phishing scheme emails are the ones who had passwords leaked.

Thank you for your post :)
 
Like Microsoft, Google was quick to point out that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.


If you are confident you were not socially engineered to give up your password, which is all a phishing scheme really is, you are safe. The underlying issue isn't so much that the passwords are posted, most phishing schemes result in passwords being traded on certain black hat forums, as much as people are still falling for these scams.

I am the Information Systems Coordinator of a financial institution so phishing is on my radar but every single example of it I have seen had some pretty obvious signs it was not kosher.

I don't have any of these accounts, BUT...

Had to say hi to a fellow DMB Fan!

HI
 

Thank you for your post :)

You're welcome. I am always leery of how tech stories are reported because so often the mainstream media either doesn't understand what they are talking about (re: Conficker) or blows little things out of proportion for the scare factor (re: Y2K).

I am a little surprised at cnet though, usually they are very accurate and much of the information I saw, including my quote, was from their US site. I'll be listening to Buzz Out Loud later today so I'll see if they elaborate a bit more.

I don't have any of these accounts, BUT...

Had to say hi to a fellow DMB Fan!

HI

DMB fan?
Me?
What gave it away? :lmao:
 
Like Microsoft, Google was quick to point out that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

If you are confident you were not socially engineered to give up your password, which is all a phishing scheme really is, you are safe. The underlying issue isn't so much that the passwords are posted, most phishing schemes result in passwords being traded on certain black hat forums, as much as people are still falling for these scams.

I am the Information Systems Coordinator of a financial institution so phishing is on my radar but every single example of it I have seen had some pretty obvious signs it was not kosher.

I didn't give my password to anyone, online or in person and my account was hacked. They used it to send emails to everyone in my contact list, which was about 2 people that I had added and now it's pages of people that they added :eek:
I couldn't log in last week and had my password reset, but didn't think much of it until today so I went and checked my inbox. I don't use my live acct often so I just thought I had forgotten my password, I never thought someone had gotten access to my acct. I don't use that password for every acct, thank goodness. I really have no idea where they would have gotten my info :confused3
 
I didn't give my password to anyone, online or in person and my account was hacked. They used it to send emails to everyone in my contact list, which was about 2 people that I had added and now it's pages of people that they added :eek:
I couldn't log in last week and had my password reset, but didn't think much of it until today so I went and checked my inbox. I don't use my live acct often so I just thought I had forgotten my password, I never thought someone had gotten access to my acct. I don't use that password for every acct, thank goodness. I really have no idea where they would have gotten my info :confused3

I am not sure how they got it. Unfortunately there are a bunch of ways people can get your password and all don't require hacking into the Yahoo or Hotmail or Gmail servers to get it.

There is DNS spoofing, clickjacking, phishing, scripting vulnerabilities, and the most common, social engineering (all of these are a form of social engineering technically).

Let's say that your Yahoo account requires you to answer 3 questions to reset your password. If those three questions are either guessable or I can obtain the information somewhere else I can reset your password without having to do any online work.

What do I mean by guessable? Let's say I know the city you live in and it is small enough that it only has one high school and it is the city you grew up in. If one of the questions is what high school did you graduate from or what is your high school mascot I can get one of the three questions right there. I could search through posts you have made on boards for kids' names, pet names, graduation years. Oftentimes people have enough information in their profile or Facebook accounts to guess all of their questions. Even the password is often guessable. If your password is your kids' names or your birth date they may not even need to have it reset, they can just log in.

Oftentimes you'll never really know how they got the information.
 
Well I just found that they put an alternate email on my live acct one so when I went to sign in today and hit *I forget my password*, it sent my new one to that email so they now have a copy :mad: I just went through and changed everything in my acct and my password again. Now I am in the process of going through all my other emails and website accts and changing my passwords JIC. What a PIA. As soon as I get my cashback from Bing, I'm closing the acct, it's all I used it for anyway so I think I got off pretty lucky compared to people who use theirs for their primary email acct.

Thanks FireDancer for all the info, you've been very informative :)
 
Thanks FireDancer for all the info, you've been very informative :)

You are welcome. It is a field I know so I try to be as informative as possible. I chime in all the time on topics I only know from the periphery so I feel I should chime in with actual information from time to time :goodvibes.
 











