In association with heise online

09 October 2009, 12:03

Some phished Yahoo and Hotmail accounts still open


Contrary to previous statements, Microsoft and Yahoo have by no means blocked all the accounts whose access credentials were recently published on the internet. On the list, The H's associates at heise Security found several Hotmail and Yahoo accounts that are still accessible and seem to show some suspicious activity.

Thomas Springer of the Serversniff blog found out that the email access credentials published, and subsequently deleted, on Pastebin keep reappearing in various places on the internet. Not wanting to blindly trust the email providers' assurances that everything is under control, he tested some of the access details and established that by no means all the accounts have been blocked.

[Figure: Password list. The password list contained some 24,000 entries.]
heise Security was able to locate the list on the internet without much effort and could, in essence, confirm Springer's report. When running through the data, we quickly found valid access credentials that allowed us to access the respective Yahoo and Hotmail accounts. The "big" list in circulation on the internet contains about 24,000 entries, with the first 10,000 of them beginning with A or B, as previously reported. The heise Security team found, for example, that only ten accounts are on the list, and they have all been blocked or issued with a new password. The team was unable to confirm Springer's conclusion that Yahoo has hardly responded at all, but this could be due to a time-zone delay.

[Figure: Yahoo account. Targeted accounts could likely still contain sensitive data.]
Interestingly, some of the email accounts already contained change-of-password notifications issued in the past few days by services such as Paypal. It also appears that emails potentially containing sensitive data, for example a bank's change-of-password notification or other banking communications, had been specifically selected and opened in the inbox. This gives rise to the conclusion that these email accounts had already been under systematic scrutiny. It is doubtful that curiosity would be the only motive for this.

Some experts have begun to question the email providers' assurance that the data was obtained exclusively via phishing and, therefore, revealed by the users themselves. For example, security expert Mary Landesman believes that the data format and its vast quantities point instead towards a trojan recording the information on infected PCs. This is reinforced by the list also containing several hundred website addresses with suitable access credentials. On the other hand, entries like "not telling" do sound as if someone smelled a phish.
