The company, famous for its search engine business, confirmed that fewer than 500 of its Gmail users have been affected and immediate action has been taken to force all of those attacked to reset their passwords.
A Google spokesperson said: “We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts. As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them.”
Only yesterday Microsoft also confirmed that a phishing attack was to blame for the 10,000 Hotmail passwords posted online. However, both Microsoft and Google have firmly stressed that the attacks have not breached their own respective security systems. Instead, a phishing attack works by hackers and cybercriminals tricking individual web users into clicking on links that take them through to a legitimate-looking site that prompts them for their login or password details. That information is then fed back to the hackers.
However, according to BBC reports, a further 20,000 email addresses and passwords were also released online, including those of people with Gmail, Yahoo, and AOL accounts.
The leak of people’s personal email accounts first came to light on Monday, when technology website Neowin discovered a list of more than 10,000 Hotmail addresses and passwords posted on a website called Pastebin. It has since been removed.
Tom Warren, one of Neowin’s writers, also confirmed that the attacks had stretched beyond Gmail and Hotmail accounts, with users of other popular US web-based email services such as Comcast and Earthlink having been affected too.
Lukas Oberhuber, chief technical officer at the Forward Internet Group, said: “Phishing attacks, such as the one that has now spread to Gmail, are almost impossible to stop because they convince victims they are inputting their private details into a safe website. It’s all about convincing people, which scammers have been doing forever.
“Banks have done much more to protect against phishing than consumer websites such as Hotmail, Gmail and Facebook. They’ve introduced measures such as onscreen keyboards and requesting security questions, so that an attacker might not get all the login details. However, all an attacker needs to do is create a fake website and many of the security measures are defeated.
“The online industry is attempting to educate the public on the dangers of phishing. But every site handles security differently. Ironically, Microsoft’s own form to recover a Hotmail account from the recent phishing attack looks exactly like a phishing form, requesting details such as date of birth and credit card expiry date.”