The German BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for Information Security) has just discovered that the credentials of 16 million email accounts have been stolen. The criminals responsible are using many of these hijacked accounts to send spam and to gain access to other accounts tied to the same email address, on sites such as Facebook.

The BSI has stated that most of the email addresses and passwords were probably obtained by breaking into various other websites and databases. Since users tend to reuse passwords, a password found in one place is quite often a universal admission ticket for the attackers everywhere else.

In theory, if every affected user checked that no suspicious alternate email address had been added to their account and then simply changed their password, everything should be fine, and the BSI does recommend exactly that. In addition, however, the BSI has set up a site where users can enter their email address; the BSI checks it against its database and sends an email indicating whether or not that address was among the compromised accounts.

This is a terribly insecure idea for a number of reasons. The first has already been observed: the criminals responsible have seen the announcement too and are sending spoofed emails claiming to come from the BSI, which actually contain a link to malware that users will trust as safe to click. The second, and potentially more dangerous, side effect is that any attacker can easily build a particularly convincing phishing site modelled on the BSI's online test.

The BSI's online test, https://www.sicherheitstest.bsi.de/, is a relatively simple-looking website with a single input field for your email address. An attacker could simply register "https://www.sicherheitstest-bsi.de/" (note the hyphen between sicherheitstest and bsi: it turns the registrable domain from bsi.de into sicherheitstest-bsi.de, an entirely separate name that anyone can register) and set up an identical site to collect email addresses. On receiving an address, the attacker sends that user an email stating that their account has indeed been compromised, together with a link to a page where the user can "change" their password by entering the old and new passwords, which hands the attacker the user's current password as well.
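The hyphen trick works because the registrable domain of the lookalike is not bsi.de at all. The following added example (not code from the article or from the BSI) shows the check a mail filter or a careful reader would apply to a link before trusting it: extract the hostname, reduce it to its registrable domain, and compare that against the expected domain. The two BSI-related hostnames are the ones from the text; the other sample links, the `evil.example` hosts and the `classify_links` helper are constructed for the demonstration. It assumes a single-label public suffix such as `.de`; for suffixes like `.co.uk` the Public Suffix List would have to be consulted instead.

```python
"""
Check whether a link really points at the site it appears to belong to.

Added example, not code from the original article or from the BSI.
"""
from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that a registrant actually owns,
    e.g. 'bsi.de' for 'www.sicherheitstest.bsi.de' but
    'sicherheitstest-bsi.de' for 'www.sicherheitstest-bsi.de'.

    Assumption: the public suffix is a single label ('.de'). Multi-label
    suffixes such as '.co.uk' need the Public Suffix List, not this rule.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def link_is_on_domain(url: str, expected_domain: str) -> bool:
    """True only if the URL uses HTTPS and its hostname is the expected
    domain or one of its subdomains. urlsplit().hostname discards any
    user@ prefix, so 'https://www.bsi.de@evil.example/' resolves to
    evil.example and is correctly rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) == expected_domain.lower()


def classify_links(urls, expected_domain="bsi.de"):
    """Map each link to True (genuine) or False (suspect)."""
    return {u: link_is_on_domain(u, expected_domain) for u in urls}


# Constructed sample: the two hostnames from the article plus typical
# phishing variants of them.
SAMPLE_LINKS = [
    "https://www.sicherheitstest.bsi.de/",           # genuine BSI test site
    "https://www.sicherheitstest-bsi.de/",           # hyphen lookalike from the article
    "http://www.sicherheitstest.bsi.de/",            # right name, plaintext HTTP
    "https://www.sicherheitstest.bsi.de.example/",   # real name used as a subdomain
    "https://www.sicherheitstest.bsi.de@evil.example/",  # real name in the userinfo part
    "https://bsi.de.example.com/reset",              # real name in front of another domain
    "https://www.bsi.de/",                           # another genuine BSI host
]

if __name__ == "__main__":
    for url, ok in classify_links(SAMPLE_LINKS).items():
        print(f"{'OK     ' if ok else 'SUSPECT'} {url}")
```

Only the first and last sample links pass; every variant that merely contains the genuine hostname somewhere in the URL is rejected, which is the property a user's eye cannot reliably verify but a few lines of parsing can.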

If you may be among those affected by these attacks, exercise caution when using tools such as this online test, and always take care when clicking links in emails: check that a link really leads to the BSI's own domain before entering anything at all.

Sources:
CHIP.de
BSI