Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, probably the same one that compromised at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC.
Google described the issue as an industrywide phishing scheme. BBC News said it has seen two lists posted online with more than 30,000 names and passwords from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.
"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson said.
The search engine giant said its servers were not responsible for the security breach and that individuals had been conned into handing over their details. But it has been reported that more lists have also been circulated with genuine account information relating to email on Google, Yahoo, Comcast and Earthlink, as well as other third-party web mail services.
Neil O'Neil, an ethical hacker and digital forensics investigator at secure payments specialist The Logic Group, told Sky News that up to a million passwords could have been accessed.
"Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft," he explained.
People tend to have the same password across many accounts — so there is a good chance that individuals have also compromised the integrity of their eBay or PayPal accounts too.
The list went through A and B, so you would think whoever released these has more. And if you do the maths, they could have more than a million passwords.
Neowin.net, the site that first reported the Hotmail account hijacking early Monday, added today that it had seen the same list of compromised accounts as the BBC.
"Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," according to the report on its site.
"[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services."
The passwords apparently first hit the Internet on October 1.