This fall, more than 20,000 stolen usernames and passwords for such Webmail providers as AOL, Gmail, Hotmail, and Yahoo appeared on Pastebin.com, a programmer's Website.
The Webmaster, Paul Dixon, wrote that "for reasons unknown," some "miscreants" posted the data on his site. Dixon removed the stolen info, which Microsoft and some security researchers theorize was gathered through phishing attacks.
A researcher at ScanSafe argues that the data may have come from password-stealing malware, not phishing. Either way, crooks clearly aren't after only bank accounts and other financial log-ins. They also want access to your Webmail. But why? A friend of mine was recently hit by a scam, and her experience helps answer that question. After her Hotmail account was hacked, every message she sent included an unwelcome advertisement.
Crooks have also begun using stolen Webmail and Facebook accounts to send pleas supposedly from a victim to friends or contacts. Some bogus messages claim the sender is stranded overseas and needs an urgent wire transfer of funds.
Don't Pass the Password
To guard against password thieves, I use LastPass. The tool offers a free password-managing add-on for Firefox on Windows, Linux, or Mac OS X; Internet Explorer on Windows; and Safari on Mac OS X. An add-on for Google Chrome is under development.
LastPass fills in your username and password for verified sites that match a real URL; phishing scams that use similar but fake Web addresses won't deceive it. And because you don't type your password, keylogger malware can't capture your keystrokes and nab your password.
Other apps, like Password Hash, offer similarly worthwhile protection, but LastPass stores all of your data on its servers (using 256-bit AES encryption) as well as on your PC. Since the company never has the software decryption key or your password, nobody at LastPass can get to your info.
Because your data is stored centrally, you can use the add-on with any browser, log in with your LastPass master account info, and access all of your passwords. Even without the add-on, you can log in to LastPass's site to get to your information. That means you should create a fairly complex master password for the LastPass site, but it also means you have a de facto backup if your PC goes kaput.
The handy add-on can automatically log you in to sites and can fill in forms, but for better security you should change some of its default settings. For instance, it normally keeps you logged in to your LastPass account for two weeks, even if you close and re-open the browser; to prevent someone from sitting at your desk and accessing your accounts, click Preferences and check Automatically logoff after idle. I set mine to log off my LastPass account after an hour.
It's also smart to require a password reprompt for sensitive accounts; the app will ask for your master password before filling in the username and password, even if you're already logged in. You can enable this when the add-on automatically asks if you want to save a newly entered password. LastPass offers applications for the iPhone, BlackBerry and other mobile devices, too, but those will cost you $12 per year.