This page is an archived 10+ year old article and is severely outdated. Since its publication in 2010, the companies mentioned below and pretty much the entire web have moved their login forms, and often their entire websites, to HTTPS.
Still, this historical article demonstrates how even big companies might not follow security best practices and as a result endanger their customers.
There is an easy solution to this problem - when sending sensitive information a website should always use a secure protocol such as HTTPS. This way, attackers listening to the communication only see encrypted info they cannot decrypt. You know that your communication is secure when the website address starts with 'https:' and your browser displays a lock icon and additional UI cues.
While most websites have implemented a secure way to send login information, their implementation is flawed and still allows a malicious attacker to steal your login information.
In order for the secure login form to protect you, both the page that displays the login form and the page the form is being submitted to need to be HTTPS.
Many of the biggest sites on the Web have non-HTTPS pages hosting the actual login form, even if they submit the login info to an HTTPS page.
A malicious attacker can easily inject some code into the non-HTTPS page that hosts the login form, and steal your info just before it is securely submitted.
Check out the StealMyLogin demo.
As on many sites, the demo has a non-HTTPS page containing a login form that is securely submitted to an HTTPS page.
Want to try this attack yourself on one of your favorite websites? Just drag the following link, StealMyLogin, to your browser's toolbar, navigate to a non-HTTPS page that has a login form, click on the bookmarklet to simulate an attacker injecting a malicious piece of code into the page, and proceed to log in to the service.
List of offenders
This is obviously a very partial list, but it's amazing how many of the biggest sites on the Web have this significant security flaw.