Thousands of Hotmail accounts leaked

Author: Gareth Halfacree
Published: 6th October 2009
Comments (20) Stumble
Thousands of Hotmail accounts leaked

Thousands of passwords for Windows Live Hotmail accounts were briefly hosted on pastebin.com, apparently as the result of a phishing attack.

Microsoft has confirmed that the username and password details of several thousand Hotmail accounts have been posted to third-party hosting site pastebin.com, apparently as a result of a phishing scam.

As reported by Neowin, the leak saw around 10,000 account details - sorted alphabetically and representing accounts A through B - briefly hosted on pastebin.com before being removed by site administrators.

Whilst initially rumours were rife that the details were retrieved as part of a database crack, Microsoft has confirmed that the "Windows Live Hotmail customer's credentials were exposed on [the] third-party site due to a likely phishing scheme" rather than as the result of an attack directly on Hotmail's security. Accordingly, Microsoft requested that the site remove the account details and has "launched an investigation to determine the impact to customers."

While the data has been removed from sight, the phisher who originally collected the credentials was unlikely to entrust his only copy to pastebin.com. The fact that the accounts were for addresses starting A through B inclusive also indicates that either the phishing attack was particularly targeted or the leaked details represent only a small fraction of the accounts harvested - potentially meaning hundreds of thousands of accounts are affected.

Microsoft has categorically stated that this leak was not the result of "a breach of internal Microsoft data" and has stated that it has "initiated our standard process of working to help customers regain control of their accounts." For now, Hotmail users are advised to change their passwords and security questions immediately.

Do you believe that so many users could fall prey to a phishing scam, or is there something Microsoft isn't telling us? Share your thoughts over in the forums.
Quote Orothe 6th October 2009, 10:57
As long as you type in the "www.hotmail.com" aren't you safe? Guess I never understood how phishing scams worked. Always thought it was sites that were CLOSE in name that looked exactly like the correct site. Feel free to correct me if I'm wrong though..

And here I loved hotmail because of the awesome filter they had. (Since my Yahoo has been hacked twice and has over 500 spam messages, and I never used it.)
Quote proxess 6th October 2009, 11:14
GMail all the way <3!! Or install your own e-mail server at home!
Quote shigllgetcha 6th October 2009, 11:19
i dont want someone else looking at all my spam
Quote Arkanrais 6th October 2009, 11:24
the only time I've had someone get into my hotmail without my permission, I changed my password within 3 minutes and didn't see any more fishy crap going on (had them signing into my MSN too).

if it's only thousands of accounts leaked, then I'd think it is from phishing scams and not a data breach.

oh, and yeah. yahoo is crap at spam filtering. when I first started an email account with them,I had many african princes,m princesses, beneficiaries and investors wanting to send me money despite not having given my email & details to any site (they all knew my supposed name).
Quote Trefarm 6th October 2009, 11:41
I reckon that there's more to this... I would be surprised if someone ran a phishing scam only to give the data away, plus it's a strange site to up the data on. My bets a hack.
Quote Orothe 6th October 2009, 12:12
Well I suppose if it was a hack, they either didn't get very far, or they weren't being serious. They didn't corrupt hotmail, and what can you obtain by stealing e-mail accounts? I doubt anybody's stupid enough to save their bank account credentials and such. If they do, they deserve to be hacked. Seems like all they could do was hack the list of accounts and copied them. The worst damage you could do is share all those accounts with known sites to cause spam, which hotmail has a good spam filter, so that seems pointless too..

Iunno.. Either there's more to it, or it's completely stupid. I'm not worried about it, and I've got nothing they can obtain by stealing my hotmail... Not to mention it's not hard to make a new e-mail..

Still gotta look up Phishing Scams after this. I'm pretty sure it's a site that has a similar name but looks exactly like the original. In that case, it'd only affect those that typed it in wrong to begin with.. If I'm wrong, feel free to correct me.
Quote mi1ez 6th October 2009, 12:25
Quote:
Originally Posted by proxess
GMail all the way <3!! Or install your own e-mail server at home!

Bad news, they got google too!

http://news.bbc.co.uk/1/hi/technology/8292299.stm
Quote dyzophoria 6th October 2009, 12:27
for my important mail I doubt i'll use a "free" webmail service..
Quote proxess 6th October 2009, 12:33
Quote:
Originally Posted by mi1ez
Bad news, they got google too!

http://news.bbc.co.uk/1/hi/technology/8292299.stm

<3 IM systems...
Quote javaman 6th October 2009, 13:04
Quote:
Originally Posted by Arkanrais
the only time I've had someone get into my hotmail without my permission, I changed my password within 3 minutes and didn't see any more fishy crap going on (had them signing into my MSN too).

if it's only thousands of accounts leaked, then I'd think it is from phishing scams and not a data breach.

oh, and yeah. yahoo is crap at spam filtering. when I first started an email account with them,I had many african princes,m princesses, beneficiaries and investors wanting to send me money despite not having given my email & details to any site (they all knew my supposed name).

TBH hotmail, gmail and yahoo all have terrible spam filtering. Haven't used yahoo in a while tho but my GF gets 100's through a day. My gmail gets the most spam overall too. It gets about 1000 a week while my hotmail only get a few hundred a week. only 1 outta 5 are actually successfully filtered tho. I would love to set up my own web server. Definatly something im gonna look into to put on my CV with my placement comming up next year.
Quote BradShort 6th October 2009, 13:04
Only a matter of time until a really big breach occurs. It almost inevitable. Really complex passwords are pointless as phishing and data breaches renders them useless
Quote Sir Digby 6th October 2009, 14:29
Aaand password is changed, even I'm certain I've not fallen for any phishing websites.

I never seem to get too much spam on hotmail, certainly <100 a week and all but one every week or two gets correctly filtered into spam.
Quote Arnaud31 6th October 2009, 14:54
My Msn hotmail hacked so several time that i turn off definitively !!! Just used Free webmail now ...
Quote Jewels 6th October 2009, 14:58
With Hotmail, Yahoo, AOL, GMail, Comcast and Earthlink accounts being compromised, it's definitely a result of phishing.
Quote thehippoz 6th October 2009, 17:09
it used to be really bad in the 90's.. I mean so bad it was a total joke to hack hotmail accounts- you just had to have the person logged in checking thier email, you could craft the url and access the account.. you could even brute force if they weren't on- there was no limit to the number of attempts XD then if they were on icq (which was the messenger to have at the time) you could see their ip when they were on- add them without their permission

oh those were the days.. and with the oob exploit you could crash their computer to blue screen on windows 95.. take over their icq account which was also unlimited in attempts- simple dictionary attack and throw in a name list.. those days were ruthless

hotmail used to be the worst ever.. I bet they still hold large botnets with trolls nowdays- too many people out there who have no clue.. just a porn box
Quote RichCreedy 6th October 2009, 19:04
you only need to change your password if you replied to the email asking for the details.

it was a phishing scam, an email was sent saying you would lose your account if you didnt provide relevent details

name
password
alternate email address
security questions

etc

gmail, hotmail, yahoo, aol all affected
Quote xprodancer 6th October 2009, 20:27
the thing is with hotmail is that all spam and phishing emails go into your junk folder! all i have ever done and always will do is empty it
without opening a single email! your protected!
Quote Orothe 7th October 2009, 01:53
Exactly, I have always loved hotmail and the awesome filtering they do. And I share it, every time I register for a game or for a forum, I give my exact e-mail address. True I get about 5-10 junk mails a week but it's IN the junk folder, no harm done.

As for anybody getting an e-mail asking for name, password, ect.. That's just plain stupid. If they had the power to destroy your account, they'd certainly be able to access what your password was.

Seriously.. Common Sense.. Where in the hell are people losing theirs? =.=
Quote xprodancer 7th October 2009, 02:36
Quote:
Originally Posted by Orothe
Exactly, I have always loved hotmail and the awesome filtering they do. And I share it, every time I register for a game or for a forum, I give my exact e-mail address. True I get about 5-10 junk mails a week but it's IN the junk folder, no harm done.

As for anybody getting an e-mail asking for name, password, ect.. That's just plain stupid. If they had the power to destroy your account, they'd certainly be able to access what your password was.

Seriously.. Common Sense.. Where in the hell are people losing theirs? =.=

AMEN ;)
Quote RinSewand 9th October 2009, 18:53
http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/

Some interesting password statistics from the recent leak.

RwD
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.