Microsoft Confirms Hotmail Passwords Exposed
Tuesday, October 06, 2009


SEATTLE — Microsoft Corp said Monday that passwords belonging to some users of its Hotmail email service were exposed on an Internet site, but had since been taken down.

The company did not say how many users were affected, but some reports suggested that passwords to more than 10,000 accounts were exposed.

"We are aware that some Windows Live Hotmail customers' credentials were acquired illegally by a phishing scheme and exposed on a website," a Microsoft spokesman said.

Phishing is a scam whereby fraudsters get hold of personal information by sending out emails under the guise of a bank, IT department or some other trustworthy source.

Microsoft said the passwords had been removed from the offending website, which it did not identify, and said it had blocked access to all affected accounts and was helping users to reclaim their Hotmail accounts.

The software company said the exposure of the passwords was not a breach of any Microsoft servers.

Password Scam Widens To Google, Yahoo
Tuesday, October 06, 2009


The scale of the phishing attack on Hotmail could stretch further than first thought, with accounts on Google and Yahoo now threatened.

Microsoft confirmed on Monday that the popular email site had been the target of a scam which tricked users into revealing their passwords. This led to around 10,000 passwords being posted online.

The computer company said their servers were not responsible for the security breach and that individuals had been conned into handing over their details. But it has been reported that more lists have also been circulated with genuine account information relating to email on Google, Yahoo, Comcast and Earthlink, as well as other third-party web mail services.

Neil O'Neil, an ethical hacker and digital forensics investigator at secure payments specialist The Logic Group, said up to a million passwords could have been accessed.

"Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft," he explained.

"People tend to have the same password across many accounts — so there is a good chance that individuals have also compromised the integrity of their ebay or paypal accounts too.

"The list went through A and B, so you would think whoever released these has more. And if you do the maths, they could have more than a million passwords."

Hackers and cybercriminals attempt to trick people into handing over personal details, including email addresses and passwords. Internet users may be directed to false websites, set up to mirror legitimate websites, that feed information back to the criminals.

News of the scam broke when technology blog neowin.net reported an anonymous user had published confidential details on pastebin.com. Internet users are urged to change their passwords regularly and ensure anti-virus software is up to date to protect themselves from fraudsters.
A Microsoft spokesman said: "We are aware that some Windows Live Hotmail customers' credentials were acquired illegally by a phishing scheme and exposed on a website."

They added that they requested the details be removed from the internet and they launched an immediate investigation. The company are also taking measures to block the accounts which were hit.

A spokesman for Google said they were aware that some gmail accounts had been part of the phishing scam and said — while their servers were not responsible — they had taken steps to ensure security.

And a spokesman for Yahoo said they take great effort to protect their users' security and that they urge consumers to take measures to secure their accounts whenever possible, including changing their passwords.