Update - there are now 20,000 accounts affected and non-Hotmail addresses.
Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.
An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed, but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.
Neowin has reported this immediately to Microsoft's Security Response Center and to Microsoft's PR teams in the UK and US, and we are currently awaiting feedback on the situation. As this is a breaking story, please check back frequently; the story will be updated as soon as more information becomes available.
If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.
Thanks to Chris for the news tip
Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."
Update 2: Microsoft has now fully confirmed our reports. According to a Microsoft spokesperson, "over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
Story makes it to BBC News: http://news.bbc.co.uk/1/hi/technology/8291268.stm !
You mean the same link posted in the article
Same here.
Glad I don't use it either if they have that pitiful security there.
Except it's not Hotmail's security at fault here.
Phishing is not a site security breach. It's an end-user brain security breach. It's just stupid people opening spam mails left and right, clicking on every link and entering their passwords on faked pages without checking the address.
Bingo.
Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester.
this
@hotmail , @msn and @live
from the article 6th line
The list starts at Ar and ends Bl. This isn't to say that there isn't more though :/
I changed mine just in case, I honestly believed they were fake accounts though.
A lot of them don't look real and a lot of them have missing details.
This is NOT just Live accounts; there are accounts on the list that have domain names other than Microsoft domains.
I don't understand how people can be stupid enough to give their live details away to phishing scams :/
I do! If you read the newspaper as much as I do, you would too!
I believe this because I don't think that a high profile site like Hotmail with so much login and private information would store passwords in clear text (even if they had a nightmare implementation switching from BSD/Sun to Windows) when even the most basic websites do not do that. It does however leave open the possibility that the passwords could have been intercepted or the code tampered with, but I find this to be unlikely.
Myspace does store your password in clear text, or at least in a way it can be un-encrypted again. I'm not saying Myspace is a high profile site, but it's a top 10 one...
I'm with you on your idea of another service being breached. I'm sure a lot of people use the same password multiple times online.
You can have whichever email address you want to use as a Microsoft Passport. But hopefully you're clever enough to not use the same password as in the actual email account.
You can have a Live ID for MSN Messenger etc. using a Gmail account. What I'm asking is, are only Hotmail accounts compromised, or the actual Live IDs?
ahhhh, well if anyone here falls for that then...
Lol. Sorry for you.
1. Are these Windows Live ID passwords?
2. Can they be leaked, if Live Mail service is not used?
Thanks
I did.
My bank got accessed by one of those (stole login info). I only do banking on my FreeBSD box now; I'm also very careful and had a virus scanner installed on my Windows box at the time.
For all we know he logged into hotmail on a friends laptop or a public terminal and the login details were stolen then.
It really is amazing how much information is floating around out there, due to insecure sites or stupidity.
I just want to check to make sure I'm not on there, but I doubt I am.
They said your account has to start with A or B, right? ... If that's true I should not be on there, since my Hotmail account starts with F.
Just go to pastebin.ca and search for 'hotmail' in the GO box in the top right of the website. (I'm not sure if the post lists the entire 10,000, but it does seem to show quite a few.)
Thank god Neowin exists!
Recently read a report from McAfee research on how the password stealing business is on the rise and techniques used by these people are getting better and more clever. http://blogs.technet.com/ms_schweiz_securi...tity-theft.aspx
The masses won't ever change their passwords on a regular basis, even I don't, but IMO internet security and keeping your private information secure should be a subject in schools these days.
Funny thing: both of my Live accounts are practically never used or given out and haven't been checked for the same amount of time. The first one had 0 emails, the other one had close to 300 junk mails waiting.
There is nothing new going on that happened on the 1st of October.
(snipped)
Last edited by GreyWolfSC on 05 Oct 2009 - 13:42
Conficker alone is at 10,000,000 confirmed infections and I would bet a fair few of those are teenagers with MSN. It could have come from just about anywhere, though.
10,000 suggests phishing.
He means web messengers, not MSN completely, i.e. one of the many hundreds of unofficial MSN-in-a-browser websites that pop up and disappear every month.
To those who question why someone would mention "Gmail", my primary Windows Live / Passport / Xbox Live account is a GMAIL.COM address.
So if this was some breach at Microsoft that allowed someone to steal passwords, then that would mean someone's Gmail account could be at risk if they use the same passwords on both services.
People:
- Pay attention to what site you are logging into.
- Pay attention to what runs on your computer. Keep your software up to date.
- Pay attention to your protection. If you're using XP, that means having malware scanners, virus scanners, a second malware scanner, etc. If you're using Vista/Win7, keep UAC on.
- If you "don't know computers", then have someone check out your system that does "know computers".
According to BBC News, this site is called "newowin.net".
And also
facepalm.gif
BTW.....If your email was on the list, did you enter the Windows 7 Party giveaway?
I suppose they don't want dead links all over the place if the articles are moved.
Can't we at least see a list of the e-mails that have been breached?
but we'll see whats up soon
People are asked to provide their username and password, and then the site posts a message to all the contacts on your list.
The blog suggested the accounts had been hacked or had been collected as part of a phishing scheme.
http://news.bbc.co.uk/1/hi/technology/8291268.stm
(d'oh, I see it was already mentioned above ... at least they've fixed the spelling now, except Neowin should be capitalised. /wave @ BBC writer)
Yup
PS. Got Digg? Scroll up and hit that yellow button
Last edited by Adaytay on 05 Oct 2009 - 16:27
If it was phished then it's hardly MS's fault.
If you're a retard and too stupid to look at the address bar of the website you're on, then you deserve things like this.
Also it could easily happen to gmail users...
This has all the hallmarks of a hoax by people who get satisfaction from the attention and concern that their efforts attract. If this is a hoax, it's succeeding thanks to some of the hysterical coverage that followed this blog post.
They most likely have kept a copy of the entire lot, not just this 10,000. The pastebin was most likely a message to "the people" that they've got them now.
"Consider how dumb the average person is - half of humanity is even more stupid than that" !
Same!
Social compliance - you think someone has blocked you from MSN, oh, look, here's a link to how you can find out who else has blocked you. Except it's purely there to harvest username/password info.
Reminder for everyone - don't ever click a link in an email, chances are it'll be there to get you.
Bingo...
Are the account holders' names published as well as their account passwords?
Changed my password just in case!
http://www.dailymail.co.uk/news/article-12...ted-online.html
It's the Daily Mail. Nuff said.
It's the Daily Mail. Considering they didn't mention it was homosexual, terrorist, Asian immigrants that stole the data it's quite a constrained article.
Will all of these accounts have been hacked yet - i.e. could he still be able to log in even IF it's still on the list?
If you change it often, there is nothing to worry about.
While that may be true, if you're relying on a free service to provide security on your "important" e-mails, perhaps you should look into a paid service.
If people are using Hotmail and other free services to manage bank accounts, or other important matters you're just asking for problems.
Perhaps, but 12 characters is already pretty damn difficult to crack.
For that I rely on my ISP account, and Thunderbird downloading the messages to my PC and deleting them from my web inbox.
14 not 12.
I'm wondering if I'm affected...
this is most likely
The list of emails stolen was somewhere in the A's to BL I believe.. it was in alphabetical order.
nice to know mine is further down the list
I remember receiving a link from a friend to a site which claimed that you could find out who has blocked your Hotmail/Live account simply by entering your email account and password details. It was something like 'oh-you-blocked-me.com'. I never provide my login credentials to any site other than Hotmail and suspected at the time that my friend who forwarded the link had been hacked.
I am very surprised that so many people would willingly provide their logon details to an anonymous website. I fear that social websites have given users a false sense of security with their apps. It is a shame, but it seems to me that this was no breach of Microsoft's security; maybe there is a need to better educate their users. It seems obvious to me not to give out your details to just anyone, but then I have been in computer support for many years and the first rule of account security is DO NOT GIVE ANYONE YOUR PASSWORD.
Good luck everyone and stay safe :-)
Where is the rest of it??? Waiting for midnight?
http://www.cbc.ca/consumer/story/2009/10/0...ail-breach.html
I've often wondered if phishers yell, "phish on," like fishermen do when they snag a live one.
The accounts are obviously phished accounts that are on the list. Some of the accounts on the list are not correct.
For instance:
aroncf@hotamil.com:password (Incorrect Domain)
ararat973@hoymail.com:password (Incorrect Domain)
aroru83:password (No domain name at all)
arq_rdg37:password (Again, no domain)
If these were taken from Microsoft surely they would all be correct
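The comment above argues from the malformed entries that the list was typed by users into a phishing page rather than exported from Microsoft. The following triage script is an added example, not from the article or the thread: it parses "identity:password" lines, classifies each identity by domain, and flags a dump as user-submitted when typo'd or missing domains appear. The sample dump is constructed (the four malformed identities are the ones quoted in the comment; the passwords and the two well-formed identities are placeholders).

```python
from collections import Counter

# Domains the article names as Windows Live Hotmail login domains.
LIVE_DOMAINS = {"hotmail.com", "msn.com", "live.com"}

# Constructed sample in the "identity:password" layout quoted in the thread.
# Passwords are placeholders; the *.example identities are made up.
SAMPLE_DUMP = """\
aroncf@hotamil.com:PLACEHOLDER1
ararat973@hoymail.com:PLACEHOLDER2
aroru83:PLACEHOLDER3
arq_rdg37:PLACEHOLDER4
arthur.example@hotmail.com:PLACEHOLDER5
ash.example@gmail.com:PLACEHOLDER6
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a Live domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_entry(line):
    """Return (identity, category) for one 'identity:password' line."""
    identity, _, _password = line.partition(":")
    if "@" not in identity:
        return identity, "no_domain"          # e.g. aroru83 - a bare Messenger-style name
    domain = identity.rsplit("@", 1)[1].lower()
    if domain in LIVE_DOMAINS:
        return identity, "live_domain"
    if any(edit_distance(domain, d) <= 2 for d in LIVE_DOMAINS):
        return identity, "typo_domain"        # hotamil.com / hoymail.com: a human typed this
    return identity, "other_domain"           # non-Microsoft address used as a Live ID


def summarize(dump_text):
    """Count categories; a genuine server-side export would contain only live_domain."""
    lines = [l for l in dump_text.splitlines() if l.strip()]
    return dict(Counter(classify_entry(l)[1] for l in lines))


def looks_user_submitted(dump_text):
    """The thread's heuristic: malformed domains imply user-entered (phished) data."""
    counts = summarize(dump_text)
    return counts.get("typo_domain", 0) + counts.get("no_domain", 0) > 0


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP), "phished:", looks_user_submitted(SAMPLE_DUMP))
```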
So those of us who haven't been silly enough to be trapped by these should be okay
coming next crashing those lame Windows 7 parties ! pinning a lot of tales of the donkeys....
(snipped)
Last edited by GreyWolfSC on 05 Oct 2009 - 23:37
as well as pastebin.ca
LOL
I deserved that one.
funny...
http://cardigantech.blogspot.com/2009/10/h...-addresses.html
Still it's not exactly a harmless point to make!
Some people are still speculating that it's a leak:
http://lifehacker.com/5374745/10000-hotmai...s-leaked-online
BTW: my msn starts with a M.
It is from msn-block.com, NOT by exploiting Microsoft
Here is a comment from the original source which reported this scam(which was written on October 2nd): http://blog.nirsoft.net/2009/08/29/msn-blo...al/#comment-597
I saw that list btw, and I think that Microsoft must find a way to help those hacked people, they MUST find a way
If you think you got hacked too, you can verify by googling your email, in the format email:pass and you will see if you are in the list (this list is really spread now almost everywhere)
Last edited by kInG aLeXo on 06 Oct 2009 - 05:25
Thanks in advance for your honest answers
http://thenextweb.com/2009/10/05/guess-cod...passwords-year/
Bank details are also being stolen in coordinated phishing attacks! Shock horror!
But anti-Microsoft stories are much more fashionable. It must be so cool to jump on the bandwagon.
PS why is the list still up on pastebin??????????
and haven't used Live Messenger for years; it's not installed on my PC,
but my account remains intact. I doubt this has something to do with a security problem at Hotmail. Many people fall for phishing scams; you just have to have your wits about you when you use the web these days.
It's always easy to blame MS with stories like this, when in fact it just comes down to the n00b at the keyboard.
You can find a good analysis on the second accounts list (24k accounts) here: http://stormsecurity.wordpress.com/2009/10...s-been-exposed/
You can also download the usernames list and the passwords list.