The theft of thousands of passwords to online e-mail services is now known to include account details for all major e-mail providers, including Hotmail, Gmail, Yahoo and AOL.
Full details of over 10,000 e-mail accounts were published on a specialist website for developers on October 1. As reported yesterday, the list was believed to comprise Microsoft Hotmail accounts, but it has since emerged that users of other e-mail services, such as Google’s Gmail, may also have had their passwords stolen.
Microsoft is investigating how a hacker apparently accessed more than 10,000 accounts with addresses ending hotmail.com, msn.com and live.com. The details were posted on a site used by technology experts last week but have since been removed.
A Microsoft spokesman confirmed that the details were obtained as a result of a phishing scam. “We are working diligently to help customers regain control of their accounts,” he said.
In a statement, the company said: "We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation. As part of that investigation, we determined that this is not a breach of any Microsoft servers. Subsequently we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts."
In a statement today, Google said: "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts. As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them.
"This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers. Once the attackers gain user credentials, they can easily access and modify the affected accounts as they desire. This may include changing a user's contact list, altering the inbox, or even deleting the account.
"We recognise how many people depend on Gmail, and we strive to make it as secure as possible by consistently fighting spam and providing security features to users. To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials to web addresses starting with https://www.google.com/accounts, and never click-through any warnings your browser may raise about certificates. We also provide the option to run Gmail sessions using https and strongly encourage users to update their secondary email address and SMS recovery option in case their account is compromised."
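Google's advice above (only enter Gmail credentials at addresses beginning https://www.google.com/accounts) is often reduced to "does the address contain google.com", which is exactly the test phishing pages are built to pass. The following is an added example, not code from the article or from Google: it checks the scheme, the exact host and the path using Python's URL parser, and contrasts that with a substring check, over constructed sample addresses.

```python
from urllib.parse import urlsplit

# Trusted sign-in location as stated in Google's advice quoted in the article.
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "www.google.com"
TRUSTED_PATH_PREFIX = "/accounts"


def is_trusted_signin_url(url: str) -> bool:
    """True only for an https page on the exact host www.google.com
    under /accounts.  urlsplit().hostname discards userinfo ('user@')
    and the port and lowercases the host, so lookalike hosts such as
    'www.google.com.example.net' or 'www.google.com@example.net' fail."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != TRUSTED_SCHEME:          # no plain http
        return False
    if parts.hostname != TRUSTED_HOST:          # exact host, not a substring
        return False
    if port not in (None, 443):                 # default https port only
        return False
    return (parts.path == TRUSTED_PATH_PREFIX
            or parts.path.startswith(TRUSTED_PATH_PREFIX + "/"))


def substring_check(url: str) -> bool:
    """The weak test many users apply: the name merely appears somewhere."""
    return "www.google.com" in url.lower()


# Constructed sample addresses (not from the article), paired with whether
# the strict check should accept them.
SAMPLE_URLS = {
    "https://www.google.com/accounts/ServiceLogin": True,
    "HTTPS://WWW.GOOGLE.COM/accounts": True,           # case-insensitive host
    "http://www.google.com/accounts": False,           # no TLS
    "https://www.google.com.example.net/accounts": False,  # lookalike host
    "https://www.google.com@example.net/accounts": False,  # userinfo trick
    "https://example.net/www.google.com/accounts": False,  # name in the path
    "https://www.google.com/mail": False,              # right host, wrong page
}


def classify_samples() -> dict:
    """Map each sample to (strict_result, substring_result) for comparison."""
    return {u: (is_trusted_signin_url(u), substring_check(u)) for u in SAMPLE_URLS}
```

Every lookalike in the sample set passes the substring test and fails the strict one, which is the difference between "contains google.com" and "begins with https://www.google.com/accounts".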
Phishing is a process where members of the public are duped into handing over their personal details, such as user names, passwords and credit card details. Victims send the information by e-mail to people posing as banks or online stores.
Data can also be stolen by infecting a person’s personal computer with viruses and then raiding it for information.
If you are concerned about the safety of your account, you should log in as soon as possible and change your password. If you cannot log in, your password may have been stolen and changed by an unauthorised user.
If you believe that your Microsoft account has been compromised, you should follow this link to the company’s help page.
If you believe your Gmail account is at risk, you should head to this page.
Tom Warren, a writer on Neowin.net, the technology blog that first revealed the breach, said that most of the compromised Hotmail passwords were from Europe, suggesting that many British addresses could have been among those compromised.
Hotmail has more than 14 million users in Britain - around five million more than its closest rival, Yahoo! Mail - and about 28 per cent of the total users of webmail services, according to Nielsen figures.
Social networking sites such as Twitter were abuzz with the reports, with users advising each other to change their e-mail passwords immediately.
Lukas Oberhuber, chief technical officer of the online specialist the Forward Internet Group, said: "Phishing attacks, such as the one that has now spread to Gmail, are almost impossible to stop because they convince victims they are inputting their private details into a safe website. It's all about convincing people, which scammers have been doing forever.
"Phishing has been going on for years, so these compromises are no surprise. At the same time, the attacks get more and more sophisticated all the time. All the latest versions of the major browsers, Internet Explorer, Firefox and Safari, have in-built phishing protection. The problem is, it doesn't work for phishing websites they don't know about."
Microsoft is the latest in a long line of big organisations, from the UK Government to major banks, to have been faced with internet security breaches recently.
Earlier this year The Times revealed that around four million British identities had been stolen and made available on the web. Lucid Intelligence, a British company, had intercepted highly sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs, all of which had been made available to the highest bidder.
In 2007 the personal and bank details of 25 million people — almost every child in the country, as well as their parents and carers — were lost by HM Revenue & Customs. The information went missing when two CDs containing the details were mislaid.