Excite moves to halt password hack

The hacker who broke into email accounts on Excite.co.uk and Ireland.com this week, thinks people would be "shocked" if they realised how poor security is on Web-based email services.

Stephen Finnegan, managing editor of Irish Internet magazine Web Ireland, accessed Excite.co.uk and Ireland.com accounts Wednesday using trial and error to guess passwords. In less than an hour he had gained access to over ten email accounts.

Excite staff were reluctant to discuss the security failure, but in a statement the company admittted there is a flaw in its system. "We are currently disabling the password hint feature of our Excite UK mail service and in addition are taking further measures to ensure that this type or any other breach does not occur," the statement to ZDNet UK said.

The facility has since been removed. Both Ireland.com and Excite.co.uk are now sending password prompts by email.

Graham Cluley, senior technology consultant of software firm Sophos was not surprised the Web-based mail systems were compromised, particularly in the wake of Hotmail's recent "glitch". He is not convinced Excite's changes will make the system entirely secure. "There are other problems with Web-based email like people's email being stored in the computer's cache when they log-on in hotels, airports, etc. The next person to use the system could read their email," he said.

Despite the apparent risks Cluley doesn't think people will stop using Web-based mail. "Confidence will have been hit but it is so convenient and people like that."

Stefan Elmer, analyst with research firm IDC is not convinced consumers are worried about strangers reading their email. "My impression is that people don't really care about their email. Employers reading employees mail is a much more serious issue," he said. Despite this, he predicts a big future for sites like Hush.mail which offer encrypted services.

Worried about this spate of email cracks?

Tell the Mailroom