Hotmail passwords heisted by hackers

Mar 23, 2010, 09:29
M Frizzi

Neowin.net is reporting that over 10,000 usernames and passwords were publicly disclosed from users of hotmail.com, msn.com, and live.com email services. All of the accounts initially posted begin with the letter a or b, suggesting that this may be the tip of the iceberg.

BBC News contacted Microsoft and was able to confirm the validity of the accounts that were released. Microsoft has released a public statement saying their investigation determined the IDs were stolen through a phishing attack. Part of their statement said: "As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

This raises the question of how many people fell victim to this attack, and whether it is still underway. I may not be able to answer these questions, but with over 10,000 accounts exposed from the first two letters of the alphabet, the scope of this fraud could be very large. Users who have followed Graham's advice about using separate passwords for each site they use will minimize their exposure to just Microsoft's online services.

Another question is what Microsoft means by "due to a phishing scheme." Was this another "view your blocked MSN friends" website, or was it a direct phish of an impostor Hotmail login page? SophosLabs blogged about these attacks early in September, and it seems likely this may be related.

Computer World reported that this may be a similar attack to the one that disclosed private emails of vice presidential candidate Sarah Palin during last year's U.S. election. I find this to be highly improbable. To compromise 10,000 or more accounts in an apparently serial manner would not be practical by guessing security questions. It is far more likely that users were duped into providing their passwords to a fraudulent website posing as Microsoft or an affiliate.

My recommendation for users of Microsoft's online services is to change your passwords immediately. It is better to be safe than sorry, and password rotation is something we are often too lazy to do. This is a great time to log into those Facebook, Twitter, Gmail, and Yahoo! accounts and do likewise as a simple best practice to prevent yourself from becoming a victim of habit. Password rotation is not fun, but it is a great preventative against these types of disclosures.

If you are an IT administrator, this would be a great time to remind your users to change their Microsoft Live!, MSN, and Hotmail passwords. Additionally, as always, be sure your anti-spam protection is current and educate your users about phishing and clicking links in email. Sophos Web Appliance customers have been protected against the MSN friends scam for some time now; however, technology and education are always the best solution.