a password thief actually sent messages to America Online users saying, "Hello, I've got the password to your America Online account. Ha-ha!" after launching what Wired calls a rash of password theft by way of malicious e-mail sent from the free Web service OperaMail.
And AOL victims who contacted OperaMail say the offending messages contained attached programs which sent passwords back to the sender, says Wired.
OperaMail says it responded to a long line of AOL complaints - Wired says this round may have affected up to 10,000 AOL clients - by closing the offending accounts repeatedly, but Wired says the attacker re-opens new accounts almost at once and OperaMail says it cannot keep pace.
The thief was doing it by way of a Trojan horse arriving at an unsuspecting AOL user's inbox. The Trojan horse launches a program upon being opened in the inbox which gets the password from the user's hard drive and sends it right back to the thief's OperaMail address.
Wired says this is similar to the process which stole user accounts maintained by ICQ, the instant messaging service AOL now owns. AOL is investigating the latest outbreak. Wired says this one, though, may have been a security breach done for show rather than massive destruction, based on the hacker's rather brazen messages.
A newsletter which monitors AOL calls this the latest in a round of vulnerabilities AOL does not address adequately. "It's part of a larger pattern," says AOL Watch editor David Cassel.
"In 1996, the Washington Post reported AOL cancelled 370,000 accounts in one three-month period for 'credit card fraud, hacking, etc.' And by 1998, hackers had hit at least 34 AOL areas -- including Steve Case's monthly column for AOL users."
Cassel tells Wired that, rather than tune up its rapid response, AOL has quietly adopted a "hackers happen" attitude.
