Attack on Yahoo e-mail may spawn more phishing scams

By ABC News
July 12, 2012, 7:44 PM

You now have one more reason to be wary of viral e-mail slipping into your inbox this summer.

Yahoo on Thursday confirmed the theft of 450,000 Yahoo users' e-mail addresses and passwords. The thieves posted the data on a hackers' website with a warning for Yahoo, which stored the information in plain text, to beef up security.

The Yahoo breach followed by two days the disclosure of a similar hack of Formspring. The social-networking site on Tuesday announced it was taking steps to disable nearly 30 million registered users' passwords after someone breached its databases and posted 420,000 encrypted passwords on the Web. And in early June, encrypted passwords for nearly 6.5 million LinkedIn users turned up on a Russian hacker forum.
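As an added illustration that is not part of the ABC News article, the Python snippet below shows the storage practice the article faults Yahoo for skipping: each password is hashed with its own random salt and a deliberately slow key-derivation function, so a copied credential table does not hand an attacker working logins the way a plain-text table does. The function names, record format and iteration count are this example's own choices, not anything from Yahoo, Formspring or LinkedIn.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the article: store a salted, slow hash of the password
# rather than the password itself, so a stolen table is not directly usable.
ITERATIONS = 600_000  # PBKDF2 work factor; assumed value, raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # a unique salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def table_exposes_password(stored_value: str, password: str) -> bool:
    """Model what a leaked table reveals: True if the stored value IS the password."""
    return stored_value == password


# Constructed sample account in both storage styles the article contrasts.
SAMPLE_PASSWORD = "correct horse battery"
PLAINTEXT_RECORD = SAMPLE_PASSWORD                   # what a plain-text store leaks
HASHED_RECORD = hash_password(SAMPLE_PASSWORD)       # what a salted-hash store leaks

if __name__ == "__main__":
    print("plain-text record reveals password:", table_exposes_password(PLAINTEXT_RECORD, SAMPLE_PASSWORD))
    print("hashed record reveals password:   ", table_exposes_password(HASHED_RECORD, SAMPLE_PASSWORD))
    print("login with correct password:      ", verify_password(SAMPLE_PASSWORD, HASHED_RECORD))
    print("login with wrong password:        ", verify_password("password123", HASHED_RECORD))
```

Because the salt is random per user, two accounts with the same password produce different records, so an attacker cannot spot shared passwords by eye, and each stored hash has to be attacked individually at the chosen work factor. Hashing does not remove the risk the article describes from weak or reused passwords; it only buys time, which is why the hashing cost should be as high as the login service can afford.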

Stolen e-mail usernames and passwords have become like gold in the cyberunderground. That's because access to online financial accounts, social networks and business networks often revolves around e-mail logins.

What's more, many people tend to use weak passwords, or the same passwords, for multiple accounts, security experts say.

Cybercriminals have become adept at correlating a victim's Web e-mail passwords to his or her workplace accounts. This can help them carry out scams to get e-mail recipients to click on a viral Web link; such scams make use of e-mail that appears to come from a trusted source, says Marcus Carey, security researcher at Rapid7.

Yahoo noted that only 5% of the publicly posted e-mail account logins were valid. However, the hackers who claimed credit for the Yahoo breach may have posted only some of their booty, says Jim Fenton, chief security scientist at identity management firm OneID. "They could be out to improve their reputation in the underground market to get more business later on," says Fenton. "We don't know if 450,000 passwords is everything or just a fraction of what they've got."

Companies are also at heightened risk. "If you're running a large network, there's a good chance one of your users' passwords has fallen into the hands of someone who intends to use it to access your network by impersonating your employee," says Tom Cross, research director at network security firm Lancope. "We're beginning to see that passwords are an increasingly suspect security tool."

Individuals can protect themselves and the firms they work for by using strong passwords, changing them often, and using different passwords for different accounts, says Grayson Milbourne, researcher at security firm Webroot.