Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.
An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed, but Neowin has seen part of the list that was posted and can confirm the accounts are genuine; most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears that only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.
Neowin has reported this immediately to Microsoft's Security Response Center and to Microsoft's PR teams in the UK and US, and we are currently awaiting feedback on the situation. As this is a breaking story, please check back frequently; the story will be updated as soon as more information becomes available.
If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.
Thanks to Chris for the news tip
Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."
Update 2: Microsoft has now fully confirmed our reports. According to a Microsoft spokesperson, "over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
For all media inquiries please contact tom.warren@neowin.net
story makes it to BBC news: http://news.bbc.co.uk/1/hi/technology/8291268.stm !
You mean the same link posted in the article
Same here.
Glad I don't use it either if they have that pitiful security there.
phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address.
Bingo.
Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester.
@hotmail , @msn and @live
from the article 6th line
The list starts at Ar and ends Bl. This isn't to say that there isn't more though :/
I changed mine just in case, I honestly believed they were fake accounts though.
A lot of them don't look real and a lot of them have missing details.
This is NOT just live accounts there are accounts on the list that have domain names other than microsoft domains.
I don't understand how people can be stupid enough to give their live details away to phishing scams :/
I don't understand how people can be stupid enough to give their live details away to phishing scams :/
I do! If you read the newspaper as much as I do, you would too!
I believe this because I don't think that a high profile site like Hotmail with so much login and private information would store passwords in clear text (even if they had a nightmare implementation switching from BSD/Sun to Windows) when even the most basic websites do not do that. It does however leave open the possibility that the passwords could have been intercepted or the code tampered with, but I find this to be unlikely.
Myspace does store your password in clear text, or at least in a way it can be un-encrypted again. I'm not saying Myspace is a high profile site, but it's a top 10 one...
I'm with you on your idea of another service being breached. I'm sure a lot of people use the same password multiple times online.
You can have whichever email address you want to use as a Microsoft Passport. But hopefully you're clever enough to not use the same password as in the actual email account.
You can have a Live ID for MSN Messenger etc. using a Gmail account. What I'm asking is, are accounts with only Hotmail compromised, or the actual Live IDs?
ahhhh, well if anyone here falls for that then...
Lol. Sorry for you.
1. Are these Windows Live ID passwords?
2. Can they be leaked, if Live Mail service is not used?
Thanks
I did.
My bank got accessed by one of those (stole login info). I only do banking on my FreeBSD box now; I'm also very careful and had a virus scanner installed on my Windows box at the time.
For all we know he logged into hotmail on a friends laptop or a public terminal and the login details were stolen then.
It really is amazing how much information is floating around out there, due to insecure sites or stupidity.
Thank god Neowin exists!
Recently read a report from McAfee research on how the password stealing business is on the rise and techniques used by these people are getting better and more clever. http://blogs.technet.com/ms_schweiz_securi...tity-theft.aspx
The masses won't ever change their passwords on a regular basis, even I don't, but IMO internet security and keeping your private information secure should be a subject in schools these days.
Funny thing: both of my Live accounts are practically never used or given out and haven't been checked for the same amount of time. The first one had 0 emails, the other one had close to 300 junk mails waiting.
There is nothing new going on that happened on the 1st of October.
(snipped)
Last edited by GreyWolfSC on 05 Oct 2009 - 13:42
Conficker alone is at 10,000,000 confirmed infections and I would bet a fair few of those are teenagers with MSN. It could have come from just about anywhere, though.
10,000 suggests phishing.
He means web messengers not MSN completely. i.e. one of the many hundreds of unofficial MSN-in-a-browser websites that popup and disappear every month.
To those who question why someone would mention "Gmail", my primary Windows Live / Passport / Xbox Live account is a GMAIL.COM address.
So if this was some breach at Microsoft that allowed someone to steal passwords, then that would mean someone's Gmail account could be at risk if they use the same passwords on both services.
People:
- Pay attention to what site you are logging into.
- Pay attention to what runs on your computer. Keep your software up to date.
- Pay attention to your protection. If you're using XP, that means having malware scanners, virus scanners, a second malware scanner, etc. If you're using Vista/Win7, keep UAC on.
- If you "don't know computers", then have someone check out your system that does "know computers".
According to BBC News, this site is called "newowin.net".
And also
BTW.....If your email was on the list, did you enter the Windows 7 Party giveaway?
I suppose they don't want dead links all over the place if the articles are moved.
Can't we at least see a list of the e-mails that have been breached?
but we'll see whats up soon
People are asked to provide their username and password, and then the site posts a message to all the contacts on your list.
The blog suggested the accounts had been hacked or had been collected as part of a phishing scheme.
http://news.bbc.co.uk/1/hi/technology/8291268.stm
(d'oh, I see it was already mentioned above ... at least they've fixed the spelling now, except Neowin should be capitalised. /wave @ BBC writer)
Yup, currently the top story, too (17:25 BST). /waves to all new visitors! (If you never heard of Neowin, where have you been??)
PS. Got Digg? Scroll up and hit that yellow button
Last edited by Adaytay on 05 Oct 2009 - 16:27
If it was phished then it's hardly MS fault.
If you're a retard and too stupid to look at the address bar of the website you're on, then you deserve things like this.
Also it could easily happen to gmail users...
This has all the hallmarks of a hoax by people who get satisfaction from the attention and concern that their efforts attract. If this is a hoax, it's succeeding thanks to some of the hysterical coverage that followed this blog post.
They most likely have kept a copy of the entire lot, not just this 10,000. The pastebin was most likely a message to "the people" that they've got them now.
"Consider how dumb the average person is - half of humanity is even more stupid than that" !
Same!
Social compliance - you think someone has blocked you from MSN, oh, look, here's a link to how you can find out who else has blocked you. Except it's purely there to harvest username/password info.
Reminder for everyone - don't ever click a link in an email, chances are it'll be there to get you.
Bingo...
Are the account holders' names published as well as their account passwords?
Changed my password just in case!
http://www.dailymail.co.uk/news/article-12...ted-online.html
It's the Daily Mail. Nuff said.
Will all of these accounts have been hacked yet - i.e. could he still be able to log in even IF it's still on the list?
If you change it often, there is nothing to worry about.
While that may be true, if you're relying on a free service to provide security on your "important" e-mails, perhaps you should look into a paid service.
If people are using Hotmail and other free services to manage bank accounts, or other important matters you're just asking for problems.
Perhaps, but 12 characters is already pretty damn difficult to crack.
If people are using Hotmail and other free services to manage bank accounts, or other important matters you're just asking for problems.
For that I rely on my ISP account, and Thunderbird downloading the messages to my PC and deleting them from my web inbox.
I'm wondering if I'm affected...
this is most likely
The list of emails stolen was somewhere in the A's to BL I believe.. it was in alphabetical order.
nice to know mine is further down the list
Where is the rest of it??? Waiting for midnight?
http://www.cbc.ca/consumer/story/2009/10/0...ail-breach.html
I've often wondered if phishers yell, "phish on," like fishermen do when they snag a live one.
The accounts are obviously phished accounts that are on the list. Some of the accounts on the list are not correct.
For instance:
aroncf@hotamil.com:password (Incorrect Domain)
ararat973@hoymail.com:password (Incorrect Domain)
aroru83:password (No domain name at all)
arq_rdg37:password (Again, no domain)
If these were taken from Microsoft surely they would all be correct
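The triage argument in this comment (malformed or typo'd domains point to phishing victims mistyping their own address, not to a server-side export) can be automated. The following is an added example, not code from Neowin or any commenter: it parses constructed `identifier:password` lines in the layout described above, never uses the password field, and flags entries whose domain is a near-miss of a real Live domain. The sample handles and the `difflib` similarity threshold of 0.8 are assumptions of this example.

```python
import re
from difflib import SequenceMatcher

# Domains that Windows Live IDs actually use, as listed in the article.
LIVE_DOMAINS = {"hotmail.com", "msn.com", "live.com"}

# Constructed sample lines in the "identifier:password" layout the comment
# describes. Handles and passwords are placeholders, not entries from the paste.
SAMPLE_LINES = """
alice.example@hotmail.com:REDACTED
bob_example@hotamil.com:REDACTED
carol99:REDACTED
dave.example@live.com:REDACTED
erin_example@example.org:REDACTED
""".strip().splitlines()


def similarity(a, b):
    """Ratio in [0, 1] of how alike two strings are (1.0 means identical)."""
    return SequenceMatcher(None, a, b).ratio()


def classify(line):
    """Return (identifier, category) for one 'identifier:password' line.
    Categories: live, typo_live, no_domain, other_domain, malformed."""
    if ":" not in line:
        return line, "malformed"
    ident, _password = line.split(":", 1)  # password value is never used
    ident = ident.strip().lower()
    if "@" not in ident:
        return ident, "no_domain"
    local, domain = ident.rsplit("@", 1)
    if not local or not re.fullmatch(r"[a-z0-9.-]+", domain):
        return ident, "malformed"
    if domain in LIVE_DOMAINS:
        return ident, "live"
    # A domain that is only a character or two away from a real Live domain is
    # a likely victim typo, which points at phishing rather than a breach.
    if any(similarity(domain, d) >= 0.8 for d in LIVE_DOMAINS):
        return ident, "typo_live"
    return ident, "other_domain"


def summarize(lines):
    """Count entries per category; a high typo/no-domain share suggests phishing."""
    counts = {}
    for line in lines:
        if line.strip():
            counts[classify(line)[1]] = counts.get(classify(line)[1], 0) + 1
    return counts
```

Running `summarize(SAMPLE_LINES)` on the constructed input returns two `live`, one `typo_live`, one `no_domain` and one `other_domain` entry.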
So those of us who haven't been silly enough to be trapped by these should be okay
Coming next: crashing those lame Windows 7 parties! Pinning a lot of tails on the donkeys....
(snipped)
Last edited by GreyWolfSC on 05 Oct 2009 - 23:37
as well as pastebin.ca
LOL