Broadband News

Webmail contact lists at risk from brute force password hacking

PC Pro has reported that Virgin Media customers are reporting spam being sent to all the email addresses in their contact lists on their webmail accounts. Similar issues are being reported by Yahoo and GMail users.

The most likely explaination is that hackers are running dictionary based attacks on various webmail systems, which is a very good way to get around things like SMTP (TCP port 25) restrictions.

While there is a great deal of pressure to re-use passwords as we all have so many of them, alerts like this highlight the importance of keeping passwords unique, and ensuring they are not easy to guess. Attempting to avoid dictionary attacks with subsitution of i for 1 or 0 for o are not going slow down automated attacks at all, as the coder can easily include these substitutions.

If your webmail has been hacked, before altering the password do ensure that your computer is free of viruses and malware. It would also be worth warning contacts by word of mouth or text message to be wary of emails particularly those that include attachments.


I love the PC Pro Article, Both Virgin and Google have a "not our problem" attitude yet it's their systems that are being attacked and they just don't care.

  • undecidedadrian
  • over 9 years ago

" are not going slow down"

Shouldn't that be "are not going to slow down"

  • MrTAToad2
  • over 9 years ago

Turning on 2 step authentication on gmail would help. I've recently switched this on and it isn't too intrusive once all your devices are configured.

  • gmoorc
  • over 9 years ago
'nuff said.

  • TWeaKoR
  • over 9 years ago

Easiest way to stop a dictionary/brute force attack - 3 failed tries the account is & locked for an hour, 3 further failed attempts after that, locked for a day.

Doesn't Gmail do this?

  • greemble
  • over 9 years ago

Denis publishing just loves to send out spam, the lengths they go to to get one's details for their and third party 'marketing'.

  • drteeth
  • over 9 years ago


This is simply not true especially in the case of google that offers a 2 stage authentication so that even if someone guesses your password they need to enter another verify code sent to the owners phone by sms/= or an android app if the device has not previously been used

  • miketuck3r
  • over 9 years ago

Whilst away from home last week I checked my Virgin webmail and discovered 'I' am sending out spam for fake watches... What to do? No trace in Processes, Add-ons or Programs.

  • clive4
  • over 9 years ago

All my email account address books have 2 odd entries, viz, 'aaaaa' and 'zzzzz'. If I receive a dodgy email that tries to resend itself to my contacts it will fail because there is no address for these entries (a tip I got from Rick Maybury of The Daily Telegraph a few years ago).

  • barsinister
  • over 9 years ago


First step is run the anti-virus and a malware checker.

The likelihood is that this is spoofed email, i.e. not really sent by you, but where the details are made to look like you did it.

  • andrew
  • thinkbroadband staff
  • over 9 years ago

Post a comment

Login Register