The scale of a phishing attack originally thought to be directed at Hotmail may be larger than previously thought.

 

BBC News has seen a list of more than 20,000 more names and passwords that have been posted online.

 

The list contains e-mail addresses and passwords from Hotmail, Yahoo, AOL, Gmail and other service providers.

 

The list was published on the same website as the original list of 10,000 Hotmail login details.

 

Some of the accounts appear to be old, unused or fake. However, BBC News has confirmed that many - including Gmail and Hotmail addresses - are genuine.

 

Other addresses include Comcast and Earthlink accounts.

 

It is not clear whether the list was part of the same phishing attack that collected the Hotmail addresses or a separate scam.

 

Phishing involves using fake websites to lure people into revealing details such as bank account details or login names.

 

A spokesperson for Microsoft said phishing was an "industry-wide problem".

 

"Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software."

 

Password change

 

Technology blog neowin.net was the first to publish details of the original attack. It said the accounts were posted on 1 October to pastebin.com, a website commonly used by developers to share code.

 

The Pastebin website is currently down for maintenance.

 

Its owner, Paul Dixon, told Neowin that it had received "an unprecedented amount of traffic".

 

"Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications," he told Neowin.

 

Security expert Graham Cluley of Sophos advised users to change their passwords as soon as possible.

 

"I'd also recommend that people change the password on any other site where they use it," he said.

 

About 40% of people use the same password for every website they use, he added.

 

--------

 

So change your passwords!

if you still have a trojan in your computer i think changing the password will not do much... i would re-install the system or move to only use some Linux system.

 

scary news, that's why my phising alert is high on my mail accounts and i never click a link on an email, unless is from someone i trust or i know for sure the link given is correct and not a tricky one.

 

i even got to email my friends warning them about their spam sent to my account from them.... i aware they could get those problems, to some of them i even had to got to the strict point to warn them next spam i'll get from them i'll ban them from my friends list. :\

It's easy to fake the "sender" address.

^^Yeah I get alot from people pretending to be my contacts.

If in doubt, ask your contact if they did indeed send you that email.