On Monday it became clear that a list of Hotmail account details had been leaked online, with the probability that the number of compromised accounts could be much larger than the 10,000 or so published. Since then a second list of account names and passwords has been posted, which showed that the scam extended to other webmail services from Google (Gmail) and Yahoo. Security firm Websense has now reported an increase in spam emails being sent from Yahoo, Gmail and Hotmail accounts. Compromised accounts have been sending out personalised emails to addresses found in users' contacts, with links to fake websites.
The relatively substantial number of accounts involved has led some to suggest that this was not exclusively a phishing scam (phishing scams have quite a low success rate) and that key-logging malware may have been involved. It is recommended that anyone who believes they may have been affected change their email passwords immediately, though it is probably best to conduct a thorough scan using up-to-date antivirus software beforehand. The scam has also prompted discussion about how users manage multiple complex passwords. Many choose more easily memorised and therefore less robust passwords for this reason, or use the same password in a number of locations. Security Advisor Sean Sullivan of F-Secure has even gone against conventional wisdom and suggested writing down web-based passwords if it means the difference between picking a weak one or a strong one.