Thousands of Hotmail passwords leaked online
Update - 20,000 accounts are now affected, and non-Hotmail addresses are among them.
Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.
An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed, but Neowin has seen part of the list posted and can confirm the accounts are genuine, and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.
Neowin reported this immediately to Microsoft's Security Response Center and to Microsoft's PR teams in the UK and US, and we are currently awaiting feedback on the situation. As this is a breaking story, please check back frequently, as the story will be updated as soon as more information becomes available.
If you are a Windows Live Hotmail user, Neowin recommends that you change your password and security question immediately.
Thanks to Chris for the news tip
Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."
Update 2: Microsoft has now fully confirmed our reports. According to a Microsoft spokesperson, "over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."



Comments (201)
munki - 05 October 2009 - 11:50
Wow, changing password now.
Nick Brunt - 05 October 2009 - 17:05
Same :O
Andrew Lyle - 05 October 2009 - 18:15
Only if your email begins with A or B. The other lists are not available, but could possibly be out there. Perhaps it is best to change your password regardless of whether your email is on the list or not.
Nick Brunt - 05 October 2009 - 18:18
Just because the other lists haven't been published to the world doesn't mean they can't still be used by the person who does have them.
Milan - - 05 October 2009 - 18:29
Story makes it to BBC News: http://news.bbc.co.uk/1/hi/technology/8291268.stm !
Andrew Lyle - 05 October 2009 - 19:00
You mean the same link posted in the article :P
bob21 - 05 October 2009 - 21:03
Was on RTE too (not the website, the headlines). Must be a slow news day.
+lcg - 05 October 2009 - 21:14
Same here.
tunafish - 05 October 2009 - 11:51
Lucky I don't use Hotmail.
cybertimber2008 - 05 October 2009 - 11:53
Hotmail or not, this may affect all Passport accounts. XBL, Zune, Hotmail, WLM, Connect Login. They are all the same login.
Lord Ba'al - 05 October 2009 - 23:17
Glad I don't use it either if they have that pitiful security there.
rm20010 - 06 October 2009 - 17:48
Except it's not Hotmail's security at fault here.
DomZ - 05 October 2009 - 11:52
Wow. Sounds like a massive security breach. I found my sister was using a Hotmail account even though I set up a Gmail account when she first got the internet.
coth - 05 October 2009 - 13:52
Phishing is not a site security breach. It's an end user brain security breach. It's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address.
_dandy_ - 05 October 2009 - 16:54
Bingo.
Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester.
tablet_user - 06 October 2009 - 15:40
This
Twisted Chaz - 05 October 2009 - 11:54
Changing indeed, better to be safe than sorry.
+MentalDisturb. - 05 October 2009 - 11:56
I guess encrypted passwords were leaked?
Majesticmerc - 05 October 2009 - 12:22
It was a phishing scam, so if the users were redirected to a "Hotmail" page that asked for their password, they'd be able to grab the whole thing.
prabir - 05 October 2009 - 11:56
Is it just @hotmail.com or any Windows Live account passwords?