Thousands of Hotmail passwords leaked online

Update - the list now covers 20,000 accounts, including non-Hotmail addresses.

Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.

An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed, but Neowin has seen part of the list posted and can confirm the accounts are genuine and that most appear to be based in Europe. The list details over 10,000 accounts, running alphabetically from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.

Neowin has reported this immediately to Microsoft's Security Response Center and to Microsoft's PR teams in the UK and US, and we are currently awaiting feedback on the situation. As this is a breaking story, please check back frequently; the story will be updated as soon as more information becomes available.

If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.

Thanks to Chris for the news tip

Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."

Update 2: Microsoft has now fully confirmed our reports. According to a Microsoft spokesperson, "over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

If you are concerned about phishing scams, please read our anatomy of a phishing scam to better protect yourself in future.

195 Comments

My Hotmail account was hacked 4 weeks ago and resulted in an email being sent to all addresses in my contact list linking to a Chinese web site. I do not use any messenger service and only use Outlook to access my Hotmail, so there is no way I could have been phished. I suspect a security breach at Hotmail.

PS: why is the list still up on pastebin?

No, I suspect a security breach in your system. I too access my Hotmail via Outlook
and haven't used Live Messenger for years; it's not installed on my PC.

But my account remains intact. I doubt this has something to do with a security problem at Hotmail. Many people fall for phishing scams; you just have to have your wits about you when you use the web these days.

It's always easy to blame MS with stories like this, when in fact it just comes down to the n00b at the keyboard.

Is it a crime to check out someone else's inbox? Can you be caught just doing that? What are the cyber laws lol?
Thanks in advance for your honest answers

Please MENTION CLEARLY that this thing was not leaked by someone who hacked Microsoft.
It is from msn-block.com, NOT by exploiting Microsoft.
Here is a comment from the original source which reported this scam (which was written on October 2nd): http://blog.nirsoft.net/2009/08/29/msn-blo...al/#comment-597
I saw that list btw, and I think that Microsoft must find a way to help those hacked people, they MUST find a way.
If you think you got hacked too, you can verify by googling your email, in the format email:pass, and you will see if you are in the list (this list is really spread now almost everywhere).

Stupid question, but my MSN was hacked about a week ago. I got it back through MSN's support. However, lately I noticed that Blizzard sent me an email notifying me about a recent password change. (No email from Blizzard showing my World of Warcraft account information was in my email account.) A password change that I didn't make. Any possibility of that information being online without my knowledge, as it was for my MSN password?
BTW: my MSN starts with an M.

old news for code exploiters.

coming next crashing those lame Windows 7 parties ! pinning a lot of tales of the donkeys....

Stop using "whosblockingme.com", where you actually post your email and password, and you won't have any problem. I wonder how many passwords exist in that website.

Not particularly worried about this as I'm pretty sure I haven't had my password nicked, but I've been using the same one on Hotmail for a few years, so it was a good time to change it anyway.

Nice of us to get a mention on these news sites :)

The accounts are obviously phished accounts that are on the list. Some of the accounts on the list are not correct.

For instance:

aroncf@hotamil.com:password (Incorrect Domain)
ararat973@hoymail.com:password (Incorrect Domain)
aroru83:password (No domain name at all)
arq_rdg37:password (Again, no domain)

If these were taken from Microsoft, surely they would all be correct.

So those of us who haven't been silly enough to be trapped by these should be okay
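The reasoning in the comment above (mistyped or missing domains point to user-typed, phished data rather than a server-side export) is the kind of check a defender does when triaging a credential dump. The following is an added example written for this page, not code from Neowin or any commenter: it parses `email:password` lines, discards the passwords immediately, flags domains that are a short edit away from a known provider, and produces the password-free address list that another commenter asks for so that friends can be warned. The four sample entries are the ones quoted in the comment; the other two and the provider list are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the webmail providers named on this page. Extend as needed.
KNOWN_DOMAINS = {"hotmail.com", "msn.com", "live.com", "live.co.uk",
                 "gmail.com", "yahoo.com", "aol.com"}

# Constructed sample dump: the first four lines are the entries quoted in the
# comment above; the last two are made up for illustration.
SAMPLE_DUMP = """\
aroncf@hotamil.com:password
ararat973@hoymail.com:password
aroru83:password
arq_rdg37:password
ariel.sample@live.co.uk:Constructed1
arb.sample@unknownmail.example:Constructed2
"""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(entry: str):
    """Parse one 'user@domain:password' line.

    Returns (username, domain, status) and never keeps the password.
    status is one of: ok, no-domain, typo-of:<known domain>, unknown-domain.
    """
    cred, sep, _password = entry.partition(":")   # password discarded here
    if not sep:
        return None                               # not a credential line
    user, at, domain = cred.partition("@")
    if not at:
        return (user, "", "no-domain")
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return (user, domain, "ok")
    nearest = min(KNOWN_DOMAINS, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, nearest) <= 2:       # one or two slips: a typo
        return (user, domain, f"typo-of:{nearest}")
    return (user, domain, "unknown-domain")


def triage(lines):
    """Classify every non-empty line of a dump."""
    results = []
    for line in lines:
        line = line.strip()
        if line:
            r = classify(line)
            if r:
                results.append(r)
    return results


def summarize(results) -> Counter:
    """Count entries per status family (typo-of:* collapsed to typo-of)."""
    return Counter(status.split(":")[0] for _, _, status in results)


def addresses_only(results):
    """Password-free list of addresses, suitable for notifying affected people."""
    return sorted(f"{u}@{d}" if d else u for u, d, _ in results)


if __name__ == "__main__":
    res = triage(SAMPLE_DUMP.splitlines())
    for r in res:
        print(r)
    print(dict(summarize(res)))
    print(addresses_only(res))
```

A high proportion of `typo-of` and `no-domain` entries is consistent with hand-typed input captured by a phishing page; a provider's own account store would not contain a misspelling of its own domain.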

*Warning Bad Humor Ahead*

I've often wondered if phishers yell, "phish on," like fishermen do when they snag a live one.

If there were more than just ms login details on the page, how can we get access to it to be sure that our non-ms details aren't on there?

Scratch that, I just found it and I'm not on the list. Google's still caching the data of m3888bb7a - the amount of typos on the list means that it cannot have been stolen from MS servers, it's gotta be phished where a user has to type the data in.

I don't get it, was there a security breach where someone hacked into the Hotmail/Live servers and stole the passwords? Or is this list of people who were tricked/got their passwords phished?

You'd think the rest would be lurking somewhere wouldn't you. Hence MS telling everyone to change their passwords just in case.

Deathray said,
I'd really like to know what page this phishing scam comes from

I remember receiving a link from a friend to a site which claimed that you could find out who has blocked your hotmail/live account simply by entering your email account and password details. It was something like 'oh-you-blocked-me.com'. I never provide my login credentials to any site other than Hotmail and suspected at the time that my friend who forwarded the link had been hacked.
I am very surprised that so many people would, however, willingly provide their logon details to an anonymous website. I fear that social websites have given users a false sense of security with their apps. It is a shame, but it seems to me that this was no breach of Microsoft's security; maybe there is a need to better educate their users. It seems obvious to me not to give out your details to just anyone, but then I have been in computer support for many years and the first rule of account security is DO NOT GIVE ANYONE YOUR PASSWORD.
Good luck everyone and stay safe :-)

rm20010 said,
My only gripe with changing passwords is that Hotmail imposes a ~12 character limit on its passwords.

If you change it often, there is nothing to worry about.

what said,
Well, there is. 20 character passwords are a lot more difficult to crack than 12 character ones...


While that may be true, if you're relying on a free service to provide security on your "important" e-mails, perhaps you should look into a paid service.

If people are using Hotmail and other free services to manage bank accounts, or other important matters you're just asking for problems.

what said,
Well, there is. 20 character passwords are a lot more difficult to crack than 12 character ones...

Perhaps, but 12 characters is already pretty damn difficult to crack.

frypiggy said,
While that may be true, if you're relying on a free service to provide security on your "important" e-mails, perhaps you should look into a paid service.

If people are using Hotmail and other free services to manage bank accounts, or other important matters you're just asking for problems.


For that I rely on my ISP account, and Thunderbird downloading the messages to my PC and deleting them from my web inbox.

rm20010 said,
My only gripe with changing passwords is that Hotmail imposes a ~12 character limit on its passwords.


14 not 12.

Whilst the list is mainly hotmail addresses, there are plenty of gmail, yahoo, aol addresses on there too.

I know someone that has @live.co.uk and has an account beginning with 'bl' - i.e. at the very end of this bunch.

Will all of these accounts have been hacked yet - i.e. could he still be able to log in even IF it's still on the list?

The accounts were not hacked, they were phished. Microsoft has confirmed that there was no breach of internal data. The accounts on this list were actual usernames and passwords and Microsoft will be alerting customers and help them regain control.

artfuldodga said,
'huge blow to Microsoft'? lol how is user stupidity a huge blow to any company, Microsoft can only do so much ;)

It's the Daily Mail. Considering they didn't mention it was homosexual, terrorist, Asian immigrants that stole the data it's quite a constrained article.

Why? Since the list is gone, how are we to know if this is more than a phishing attack? Can anyone post the list of compromised email addresses WITHOUT passwords so we can warn family or friends if they've fallen victim?

It's called "See who has blocked you?" phishing; I've seen this flying around in the past two weeks. Basically you get an email saying click here to find out who has blocked you on Messenger, a page opens up and asks for your email and password to sign in, and then, duh. I actually managed to stop two of my friends from falling victim to this crap. I never really made a big deal. Might not be the same case, but nevertheless there are enough dumb people that just click on things that they don't even bother reading.

Why is there an assumption that they were leaked? Isn't it more likely that it is a compilation of phished accounts?

'The list details over 10,000 accounts starting from A through to B' .... What does this exactly mean? Are they referring to first names or last names?

Of course you can always check to see if your address is on the list... Google does cache things, you know. It does seem to be mainly Spanish/Portuguese names imo.

It's easy. MSN is the most used chat service in the EU; that's why it affects more European accounts. There are plenty of those sites out there where you can log on to presumably find out which of your friends blocked you on MSN... All you need to do is to log in with your email/MSN and password. Then it comes up with some list of friends; it doesn't tell you anything more than you already know (the MSN servers are whacky, but do not give out the information of who blocks who), and this check-your-friends site will kindly ask you if you want to send a message to all of your MSN friends to let them know of this great service, or will do that anyway if you do not uncheck something.

Bingo...

I bet, if the list has been collated by phishing sites, that it's been collected by social compliance phishing - a great example is described in this thread: http://www.neowin.net/forum/index.php?showtopic=830292.

Social compliance - you think someone has blocked you from MSN, oh, look, here's a link to how you can find out who else has blocked you. Except it's purely there to harvest username/password info.

Reminder for everyone - don't ever click a link in an email, chances are it'll be there to get you.

Changed my password as my e-mail would be in that list given where it starts and ends in the alphabet, just in case. I severely doubt I was phished and have no clue if I was even on the list... but better safe than sorry.

I reckon this was caused by people not paying attention and being phished; it could have happened to any email service. People are blaming Microsoft as it's the thing to do... btw I also use Gmail.

Even if this is a hoax it's yet another prompt to always use a random password and to change it frequently. If it's not a hoax it's certainly a phishing attack and it's depressing how often those work.

"Consider how dumb the average person is - half of humanity is even more stupid than that" !

This doesn't mean Windows Live Mail (or Hotmail) was hacked. Even if the details published online were genuine, a likely source would be a phishing-type attack, in which users are duped into entering details such as password, bank details, etc., by a fake email. At least one blog has been quoted as having "confirmed" that the details were valid, but one must wonder how this confirmation was achieved and what the motivation might be of those involved at this level.

This has all the hallmarks of a hoax by people who get satisfaction from the attention and concern that their efforts attract. If this is a hoax, it's succeeding thanks to some of the hysterical coverage that followed this blog post.

You have a point, it is worrying about the motivation of the person who confirmed it. How do you know they didn't make copies of those email or backup the list for future use.

DN2004 said,
You have a point, it is worrying about the motivation of the person who confirmed it. How do you know they didn't make copies of those email or backup the list for future use.

They most likely have kept a copy of the entire lot, not just this 10,000. The pastebin was most likely a message to "the people" that they've got them now.

I changed my password any way, it's been years since I did and it was about time for safety reasons. While I don't think my info was leaked, I have used 3rd party chat clients (aMSN Portable for instance). I know it wasn't phished, that's for damn sure.

The BBC is using Neowin as a source :D

A report on technology blog neowin.net said that the details of "over 10,000" accounts had been posted to a website.
The blog suggested the accounts had been hacked or had been collected as part of a phishing scheme.

http://news.bbc.co.uk/1/hi/technology/8291268.stm

(d'oh, I see it was already mentioned above ... at least they've fixed the spelling now, except Neowin should be capitalised. /wave @ BBC writer)

They probably got all the logins and passwords with the "find out who is blocking you on MSN Messenger" SCAM.

People are asked to provide their username and password, and then the site posts a message to all the contacts on your list.

Oh you're ****ing kidding me. That's just great.

Can't we at least see a list of the e-mails that have been breached?

DN2004 said,
BBC News never link to articles just websites homepages.

I suppose they don't want dead links all over the place if the articles are moved.

Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."

According to BBC News, this site is called "newowin.net".

jmc777 said,
According to BBC News, this site is called "newowin.net".

And also
Tom Warren, a newwin blogger

facepalm.gif

If the accounts are only accounts obtained through phishing, then that makes me feel a LOT better.

To those who question why someone would mention "Gmail", my primary Windows Live / Passport / Xbox Live account is a GMAIL.COM address.
So if this was some breach at Microsoft that allowed someone to steal passwords, then that would mean someone's Gmail account could be at risk if they use the same passwords on both services.

People:
- Pay attention to what site you are logging into.
- Pay attention to what runs on your computer. Keep your software up to date.
- Pay attention to your protection. If you're using XP, that means having malware scanners, virus scanners, a second malware scanner, etc. If you're using Vista/Win7, keep UAC on.
- If you "don't know computers", then have someone check out your system that does "know computers".

Memnochxx said,
Yeah. I'm gonna stop using the internet completely because other people are too stupid to be safe.

He means web messengers, not MSN completely, i.e. one of the many hundreds of unofficial MSN-in-a-browser websites that pop up and disappear every month.

If it (emails and passwords/codes) was directly taken from Microsoft, then letters starting with 'A' even through to 'Bl' would probably total 5,000,000 at least.

10,000 suggests phishing.

With over 1/4 of the world's PCs estimated to be part of a botnet this isn't really surprising; bigger lists have gone around before and I am sure they will go around again.

Conficker alone is at 10,000,000 confirmed infections and I would bet a fair few of those are teenagers with MSN. It could have come from just about anywhere, though.

I'm 99.9% certain my account won't have been on the list but changed the password anyway. Should have really done it before now, mind; I had the same password for far too long on it.

Nobody broke into Microsoft's server. It's the results of a phishing scam. Steam, WoW, bank, and many other accounts are stolen the same way. Most likely pastebin is being used to gather the info from keyloggers, etc...

This really isn't news. Every week pastebin and such have large lists of email account passwords.
There is nothing new going on that happened on the 1st of October.
(snipped)

I just want to add that this is not the first time something like this has happened. Pastebin has been used in the past to "share" hundreds of email addresses and their corresponding passwords, especially Windows Live ID ones. I even discovered one of my own live.com addresses there, and I was extremely careful about entering my details on any non-Microsoft site. This incident suggests that it is more than just a phishing scam and the possibility of an actual Microsoft site or service being "hacked" is not that low.

Changed mine just in case; it was about time I logged in to them anyway. I doubt I was on the list though; I almost never log in to those accounts, let alone get fooled into some scam site or infected by a keylogger / password stealer.

Funny thing: both of my Live accounts are practically never used or given out and haven't been checked for the same amount of time. The first one had 0 emails, the other one had close to 300 junk mails waiting :).

It's still a very good security practice to change passwords at intervals. Sometimes it takes such a big leak to get people to actually do it.

The scary thing is that by far most of these leaks never show up in the news. I doubt this is a leak caused by anything Microsoft can prevent, but simply the result of phishing sites, key loggers and password stealers, which is happening all the time.

Recently read a report from McAfee research on how the password stealing business is on the rise and techniques used by these people are getting better and more clever. http://blogs.technet.com/ms_schweiz_securi...tity-theft.aspx

The masses won't ever change their passwords on a regular basis; even I don't. But IMO internet security and keeping your private information secure should be a subject in schools these days.

Nope, I have no idea how my email was on that list. I'm always very careful when giving out my details, and I have another Hotmail account for website signups and the like that is full of spam and newsletters. Weird, very very weird.

Where is this list?

I just want to check to make sure I ain't on there, but I doubt I am.

They said your account has to start with A or B, right? ... If that's true I should not be on there, since my Hotmail account starts with f.

Never mind... I found the list of the 10000 stuff on pastebin.ca and mine ain't there ;)

Just go to pastebin.ca and search for 'hotmail' in the GO box in the top right of the website. (I ain't sure if the post lists the entire 10000 but it does seem to show quite a few.)

Read Anarkii's comments in this article. His address was on that list and he said he is always careful wherever he enters his password.

Calum said,
Read Anarkii's comments in this article. His address was on that list and he said he is always careful wherever he enters his password.

I did.

It really depends how clever the phish exploit is. If it was related to some spyware that intercepts a Hotmail login even before it's encrypted by the browser, then you're screwed. I suppose that's not technically phishing, if your box has been near rooted.

My bank got accessed by one of those (stole login info). I only do banking on my FreeBSD box now; I'm also very careful and had a virus scanner installed on my Windows box at the time.

For all we know he logged into hotmail on a friends laptop or a public terminal and the login details were stolen then.

It really is amazing how much information is floating around out there, due to insecure sites or stupidity.

Thanks for the heads up, my email was posted online in that list, but managed to change my password before anyone else got to it. I owe you one!

Do you use that password only for your hotmail account or also for other accounts? It is possible that an entirely different service was breached, and they just posted all hotmail accounts to make it look like a hotmail-breach. I'm sure there are a lot of people using the same password for all kinds of online stuff, making it look like a hotmail-breach.

For all the security software and warnings out there these days, it looks like there are still a lot of just straight up dumb-asses.

I really doubt that MS stores the real password rather than a hash of it, so these passwords couldn't come from MS. I think that this could be the list of u/p from a phishing site. So if you are clever enough to distinguish a fake site from the original, you are safe.

Two questions:

1. Are these Windows Live ID passwords?
2. Can they be leaked, if Live Mail service is not used?

Thanks

This is either a list of phished accounts or the result of a keylogger going round. Unless you've entered your email and password on a fake Hotmail/Xbox Live/Zune/etc. page or downloaded a keylogger, you're safe. You can't "hack" into Microsoft and get thousands of logins. I know for a fact that there are loads of Xbox Live phishing websites going around.

Very good point and we're not suggesting it isn't. What's clear here is that 10,000 have been posted and that's a big number. It's possible that there's a huge amount more too.

I'm hoping it's some person trying to send a message out there on how easy it is to do this, and it's not malicious. I hope people are smart enough to go change their passwords.

Unless Microsoft and Google have joined forces recently and I haven't heard about it, Gmail has nothing to do with Microsoft Passport/Live ID.

TCLN Ryster said,
Unless Microsoft and Google have joined forces recently and I haven't heard about it, Gmail has nothing to do with Microsoft Passport/Live ID.
Huh? You can use whatever e-mail you want as your Windows Live login. I personally use Gmail.

Unless he means accounts created using third party email accounts although you wouldn't have hotmail access I don't believe then anyhow.

Neoauld said,
are @gmail.com passports safe?

You can have whichever email address you want to use as a microsoft passport. But hopefully you're clever enough to not use the same password as in the actual email account.

Julius Caro said,
You can have whichever email address you want to use as a microsoft passport. But hopefully you're clever enough to not use the same password as in the actual email account.

You can have a Live ID for MSN Messenger etc. using a Gmail account. What I'm asking is, are only accounts with Hotmail compromised, or the actual Live IDs?

cybertimber2008 said,
Unless you got phished like the rest of the accounts AND entered your gmail address..... no.


ahhhh, well if anyone here falls for that then...

Odd. I always thought the hashes (generated from the passwords) are the ones saved. Why would anyone want to keep the password itself in a db?

It was a phishing scam, so if the users were redirected to a "hotmail" page that asked for their password, they'd be able to grab the whole thing.

It's more than just hotmail it's live.com and live.co.uk passwords too. I have seen some of the list, before it was removed.

The list starts at Ar and ends Bl. This isn't to say that there isn't more though :/

I changed mine just in case, I honestly believed they were fake accounts though.

Chris4 said,
They're not fake, they're phished.

A lot of them don't look real and a lot of them have missing details.

This is NOT just Live accounts; there are accounts on the list that have domain names other than Microsoft domains.

I don't understand how people can be stupid enough to give their live details away to phishing scams

Iakobos said,
...

I don't understand how people can be stupid enough to give their live details away to phishing scams :/

I do! If you read the newspaper as much as I do, you would too!

prabir said,
is it just @hotmail.com or any windows live account passwords?

@hotmail , @msn and @live

from the article 6th line

It was a phishing scam, so if the users were redirected to a "hotmail" page that asked for their password, they'd be able to grab the whole thing.

Wow. Sounds like a massive security breach. I found my sister was using a hotmail account even though I set up a gmail account when she first got the internet.

DomZ said,
Wow. Sounds like a massive security breach. I found my sister was using a hotmail account even though I set up a gmail account when she first got the internet.

phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address.

coth said,
phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address.


Bingo.

Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester.

coth said,
phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address.


this

Lord Ba'al said,
Glad I don't use it either if they have that pitiful security there.


Except it's not Hotmail's security at fault here.

Only if your email begins with A or B. The other lists are not available, but could possibly be out there. Perhaps it is best to change your password regardless if your email is on the list or not.

Just because the other lists haven't been published to the world doesn't mean they can't still be used by the person who does have them.