A Swedish hacker calling himself "DEranged" attracted media attention over the past couple of weeks by posting a list of 100 government email usernames and passwords. His list included email accounts used by embassy officials from India, Russia, Iran, Hong Kong, and others. Several journalists verified that the credentials could indeed be used to read the private email of those accounts.
At the time of his original disclosure, DEranged (his real name is Dan Egerstad) withheld details on how he came into possession of the passwords, writing only that "there is no exploit to publish, no vendor to contact". Today he posted an entry on his blog describing how he used newer software to exploit an older problem.
Egerstad set up several computers as relays in the Tor anonymity network. Tor encrypts traffic between the user and the network, but the last relay in the chain, the exit node, strips that encryption and forwards the original application traffic to its destination. Whoever operates an exit node can therefore read anything the application did not encrypt on its own. Egerstad captured and analyzed the packets passing through his nodes and harvested thousands of usernames and passwords that mail clients had sent to email servers in the clear.
I will not praise Egerstad, given the poor ethics of disclosing passwords the way he did, but he is right to point out the serious shortcomings of protocols that still transmit passwords unencrypted.
Secure alternatives to plain POP3, such as POP3 over SSL or the STLS upgrade within a POP3 session, have existed for some time. Many companies and service providers still fail to offer them, let alone make them the default setting. The practice survives largely because password capture is hard to detect: a sniffed password leaves no trace on the server, so IT personnel can avoid responsibility by dismissing password thefts as a user problem caused by phishing or a software trojan. This is an unacceptable response.
With the growing number of mobile users and wireless networks, the opportunities for password capture attacks will increase. If you are using POP3, Telnet, HTTP, FTP, or any other unencrypted protocol for transmitting passwords, look into alternatives today. People with more dangerous agendas than Egerstad will be watching to see if you do.
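As an added illustration of the capture technique described above (not code from the original post or from Egerstad), the following Python extractor models what a relay sitting on the path, such as a Tor exit node, can read from a reassembled TCP conversation when the application protocol is POP3, IMAP, FTP or HTTP with Basic authentication, and why a session that successfully upgrades to TLS (STLS, STARTTLS, AUTH TLS) yields nothing. The captured conversations, user names and passwords are constructed samples; the `(direction, line)` representation of a capture is an assumption made for the example.

```python
"""Passive credential extraction from plaintext mail, FTP and HTTP sessions.

Added example: shows what an on-path relay (such as a Tor exit node) can read
from a reassembled TCP conversation when the application protocol is not
encrypted, and why a session upgraded to TLS yields nothing. Every capture
below is a constructed sample with invented user names and passwords.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    protocol: str
    username: str
    password: str


# A conversation is a list of (direction, line): "C" client->server, "S" server->client.
# This representation is an assumption of the example, not a capture format.
Conversation = list[tuple[str, str]]

# Client commands that, once the server accepts them, switch the connection to TLS.
_UPGRADE = {"pop3": "STLS", "imap": "STARTTLS", "ftp": "AUTH TLS"}


def _server_accepted(proto: str, conv: Conversation, i: int) -> bool:
    """True if the first server reply after client line i accepts the TLS upgrade."""
    for direction, line in conv[i + 1:]:
        if direction == "S":
            if proto == "imap":
                return " OK" in line.upper()   # tagged reply, e.g. "a001 OK Begin TLS"
            if proto == "ftp":
                return line.startswith("234")  # RFC 4217: 234 = proceed with TLS
            return line.startswith("+OK")      # POP3 (RFC 2595)
    return False


def extract_credentials(proto: str, conv: Conversation) -> list[Credential]:
    """Return every credential sent in the clear before any successful TLS upgrade."""
    proto = proto.lower()
    found: list[Credential] = []
    pending_user = None
    for i, (direction, line) in enumerate(conv):
        if direction != "C":
            continue
        # After an accepted STLS/STARTTLS/AUTH TLS the relay sees only TLS records.
        if (proto in _UPGRADE and line.strip().upper() == _UPGRADE[proto]
                and _server_accepted(proto, conv, i)):
            break
        if proto in ("pop3", "ftp"):              # USER <name> followed by PASS <password>
            m = re.match(r"(USER|PASS)\s+(.*)", line, re.I)
            if not m:
                continue
            if m.group(1).upper() == "USER":
                pending_user = m.group(2)
            elif pending_user is not None:
                found.append(Credential(proto, pending_user, m.group(2)))
                pending_user = None
        elif proto == "imap":                     # <tag> LOGIN <user> <password>
            m = re.match(r'\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"]*)"?\s*$', line, re.I)
            if m:
                found.append(Credential(proto, m.group(1), m.group(2)))
        elif proto == "http":                     # Authorization: Basic base64(user:password)
            m = re.match(r"Authorization:\s*Basic\s+(\S+)", line, re.I)
            if m:
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                user, _, pw = decoded.partition(":")
                found.append(Credential(proto, user, pw))
    return found


# Constructed captures (not real traffic).
POP3_PLAIN: Conversation = [
    ("S", "+OK POP3 server ready"), ("C", "USER attache"), ("S", "+OK"),
    ("C", "PASS Embassy-2007"), ("S", "+OK Logged in."), ("C", "STAT"),
]
POP3_STLS: Conversation = [
    ("S", "+OK POP3 server ready"), ("C", "STLS"), ("S", "+OK Begin TLS negotiation"),
    ("C", "\x16\x03\x01..."),   # placeholder for the TLS records that follow
]
# Server without STLS support: a client that silently falls back leaks anyway.
POP3_STLS_REFUSED: Conversation = [
    ("S", "+OK POP3 server ready"), ("C", "STLS"), ("S", "-ERR Command not permitted"),
    ("C", "USER attache"), ("S", "+OK"), ("C", "PASS Embassy-2007"),
]
IMAP_PLAIN: Conversation = [("S", "* OK IMAP4rev1 ready"), ("C", 'a001 LOGIN consul "Pa55 w0rd"')]
FTP_PLAIN: Conversation = [("S", "220 ftp ready"), ("C", "USER anonymous"),
                           ("S", "331 Password please"), ("C", "PASS guest@")]
HTTP_BASIC: Conversation = [
    ("C", "GET /webmail/inbox HTTP/1.1"), ("C", "Host: mail.example.invalid"),
    ("C", "Authorization: Basic " + base64.b64encode(b"consul:Pa55w0rd").decode()),
]

if __name__ == "__main__":
    for name, proto, conv in [("POP3 plain", "pop3", POP3_PLAIN), ("POP3 + STLS", "pop3", POP3_STLS),
                              ("POP3, STLS refused", "pop3", POP3_STLS_REFUSED),
                              ("IMAP plain", "imap", IMAP_PLAIN), ("FTP plain", "ftp", FTP_PLAIN),
                              ("HTTP Basic", "http", HTTP_BASIC)]:
        print(f"{name:20s} -> {extract_credentials(proto, conv) or 'nothing readable'}")
```

The refused-STLS capture is the case worth noting when you turn on encryption: offering TLS on the server is only half the fix, because a client that falls back to plaintext when the upgrade is rejected (or when an on-path attacker strips the server's STLS advertisement) leaks the password exactly as before. Configure clients to require TLS rather than merely prefer it, or use the dedicated POP3S/IMAPS ports where no negotiation happens in the clear.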