More email passwords posted to the Internet: Experts detect spam increase

A new list seen by CNET UK, containing hundreds of email addresses and passwords, has been posted to text-sharing site PasteBay -- sister site to BitTorrent tracker The Pirate Bay

Nate Lanxon Special to CNET News

A new email list seen by CNET UK, containing hundreds of addresses and passwords, has been posted to text-sharing site PasteBay -- sister site to BitTorrent tracker The Pirate Bay.

Addresses ending in hotmail.co.uk, yahoo.co.uk, gmail.com, aol.com, hotmail.com, aim.com and other domains were posted to the site late last night. Users with accounts at these email sites are strongly encouraged to change their passwords immediately.

Initial lists, first discovered by tech blog Neowin, contained accounts beginning mostly with the letters A and B. This new list, however, contains accounts beginning mostly with the letters T to Z. Users whose email addresses begin with these characters are even more strongly encouraged to change their passwords.

Furthermore, it appears many accounts within these lengthy lists of email addresses are present in other lists now circulating the Internet. Some of these lists appeared as early as 29 September.

"We have detected a marked increase in spam"

In an email to CNET UK, Websense Security Labs said it believes compromised accounts have been used to send spam.

"The spam emails are being sent from user accounts to contacts in their address book -- so people will think the email came from a friend or known contact," Websense explained. "[We have] detected a marked increase in the number of spam emails which have been sent from Yahoo, Gmail and Hotmail accounts over the last few days."

We reported yesterday that we had seen lists containing thousands of usernames and passwords to Hotmail, Google and Yahoo accounts. All three companies confirmed they had taken action to protect the compromised accounts and blamed the leak on phishing attacks.

"Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation," Microsoft explains. "As part of that investigation, we determined that this is not a breach of any Microsoft servers."

Google assured us its position was similar. "As soon as we learned of the attack, we forced password resets on the affected accounts," it said. "We will continue to force password resets on additional accounts when we become aware of them."

Yahoo also confirmed it knew of the leaks. "We are aware that a limited number of Yahoo! IDs have been made public," it told us in a statement this afternoon. "Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users' security." It advised its users to change their passwords immediately if they believe their accounts have been compromised.

We will continue to update you as and when we discover more and have informed Microsoft, Google and Yahoo of this new information. But Hotmail, Yahoo Mail and Gmail users are, once again, strongly encouraged to change their passwords immediately.