Microsoft has confirmed that the username and password details of several thousand Hotmail accounts have been posted to third-party hosting site pastebin.com, apparently as a result of a phishing scam.
As reported by Neowin, the leak saw around 10,000 account details - sorted alphabetically and covering accounts A through B - briefly hosted on pastebin.com before being removed by site administrators.
Whilst rumours were initially rife that the details had been obtained by cracking a database, Microsoft has confirmed that the "Windows Live Hotmail customer's credentials were exposed on [the] third-party site due to a likely phishing scheme" rather than through an attack on Hotmail's own systems. Accordingly, Microsoft requested that the site remove the account details and has "launched an investigation to determine the impact to customers."
While the data has been removed from sight, the phisher who originally collected the credentials was unlikely to have entrusted his only copy to pastebin.com. The fact that the posted accounts were sorted and ran only from A through B inclusive also suggests that the leak is an excerpt of a larger alphabetised list rather than the whole harvest: either the phishing attack was narrowly targeted, or the leaked details represent only a small fraction of the accounts collected - potentially meaning hundreds of thousands of accounts are affected.
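The scoping argument above (an alphabetical slice implies a larger harvest, and plaintext passwords point to phishing rather than a dumped database) is the kind of triage an incident responder runs over a pasted dump. The following is an added example, not code from the article or from Microsoft: it parses constructed sample lines in the common `user:password` paste format, de-duplicates them, reports which first letters the dump covers, extrapolates a rough total on the stated assumption that first characters are roughly evenly distributed, and flags whether the secrets look like hashes. The sample lines, the extrapolation assumption and the hash heuristic are all mine and not taken from the leak.

```python
"""Triage a leaked credential dump: parse, de-duplicate, measure which part of
the alphabet it covers, extrapolate the harvest size, and check whether the
secrets are plaintext (typical of phishing) or hashes (typical of a DB dump)."""
from collections import Counter
import re
import string

# Constructed sample lines for this example; NOT data from the Hotmail leak.
SAMPLE_DUMP = """\
aaron.x@hotmail.com:password1
abby_1985@hotmail.co.uk:qwerty
abby_1985@hotmail.co.uk:qwerty
alan@hotmail.com;letmein
not a credential line
brian.k@hotmail.com:123456
b.thomas@hotmail.com:hunter2
"""

# address, a separator (':' ';' or '|'), then the secret (which may itself
# contain separators, so it is matched lazily up to end of line).
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(\S.*?)\s*$")

# Raw hex digests of MD5 / SHA-1 / SHA-256 length (heuristic only).
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_dump(text):
    """Return an ordered, de-duplicated list of (username, secret) pairs.
    Usernames are lowercased because mail addresses are case-insensitive."""
    seen = set()
    creds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip junk lines rather than abort the whole triage
        key = (m.group(1).lower(), m.group(2))
        if key in seen:
            continue
        seen.add(key)
        creds.append(key)
    return creds


def first_letter_histogram(creds):
    """Count usernames by first character; non-letters are bucketed as 'other'."""
    hist = Counter()
    for user, _ in creds:
        first = user[0]
        hist[first if first in string.ascii_lowercase else "other"] += 1
    return hist


def covered_letters(creds):
    """Sorted list of initial letters present in the dump (e.g. ['a', 'b'])."""
    return sorted(k for k in first_letter_histogram(creds) if k != "other")


def estimate_total(creds, alphabet=string.ascii_lowercase + string.digits):
    """Extrapolate the size of the full harvest from an alphabetical slice.
    Assumption (mine, and crude): every initial character in `alphabet` is
    about equally common, so a dump covering k of n characters is k/n of it."""
    letters = covered_letters(creds)
    if not letters:
        return 0
    share = len(letters) / len(alphabet)
    return round(len(creds) / share)


def hashed_fraction(creds):
    """Share of secrets that look like raw hex digests. Heuristic: a phishing
    harvest contains whatever victims typed (plaintext), whereas a dumped user
    table usually contains password hashes."""
    if not creds:
        return 0.0
    return sum(1 for _, pw in creds if HASH_RE.match(pw)) / len(creds)


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    print(f"{len(creds)} unique credentials, letters {covered_letters(creds)}")
    print(f"extrapolated harvest size: ~{estimate_total(creds)}")
    print(f"fraction of hash-like secrets: {hashed_fraction(creds):.0%}")
```

Run against the article's figures (10,000 entries covering A and B), the same extrapolation gives a harvest in the low hundreds of thousands, which is the order of magnitude the article suggests; treat it as a rough lower bound for scoping rather than a count. A `hashed_fraction` near zero is consistent with phishing or credential-stealing malware, not with a hashed database table, although a site storing passwords in plaintext would look the same, so the heuristic supports the phishing explanation rather than proving it.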
Microsoft has categorically stated that this leak was not the result of "a breach of internal Microsoft data" and that it has "initiated our standard process of working to help customers regain control of their accounts." For now, Hotmail users are advised to change their passwords and security questions immediately, and to do the same on any other service where the same password was reused, since a phished credential is only as contained as the places it was used.
Do you believe that so many users could fall prey to a phishing scam, or is there something Microsoft isn't telling us? Share your thoughts over in the forums