October 5, 2009 9:02 AM PDT

Hotmail passwords leaked online

by Don Reisinger

Update October 6 at 11:25 a.m.: This was later discovered to be an industrywide problem that has affected users of Gmail and possibly other e-mail services as well. See more details here.

Thousands of Windows Live Hotmail passwords have been leaked online, Microsoft has confirmed. The news was first reported by Neowin.

According to Microsoft, it "learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site" at some point over the weekend. Neowin originally reported that the credentials were posted to a developer forum on Pastebin.com on October 1.

After learning of the breach, Microsoft "immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," it wrote on its Windows Live blog.

The company was quick to point out that credentials were stolen through what was "likely a phishing scheme." The company said that it "was not a breach of internal Microsoft data." It's currently "working to help customers regain control of their accounts."

Microsoft did not immediately respond to CNET's request for comment.

Microsoft didn't say exactly how many accounts were affected, but Neowin reported that the original list displayed accounts with names starting with "A" and "B."

Twitter and other social networks are abuzz with people advising others to change their passwords. Microsoft wrote in the blog post that those who believe they were affected by the phishing scheme should immediately do just that.

Updated at 1:30 p.m. PDT to include Microsoft's confirmation of the breach.

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

by timber2005 October 5, 2009 9:49 AM PDT
It's sad that 10,000+ people between A and B alone fell for a phishing scheme or keylogger.

What's worse to imagine is emails beginning in common letters like S, or the concern that if this isn't just hotmail... the number of all email accounts that could be vulnerable.

I mean seriously, if this was someone pulling from a database of all the people who fell for the phishing scheme, they could pull out a list by domain (@hotmail, @live, @live.uk, @msn) using SQL easily.
by cjburton1 October 8, 2009 12:22 PM PDT
Sad that Microsoft Hotmail didn't notify those who were compromised, or did they? Maybe that's why I didn't hear from them.
by bobmarleypeople October 5, 2009 10:41 AM PDT
As a person with a username beginning with "B", I'm worried. However, if it's due to phishing sites, then I should be fine (I'm fairly confident that I haven't been on one).

Still...**changes password**
by ddhboy October 5, 2009 10:50 AM PDT
Well, time to change my password. I'm not in that affected range, but I've been meaning to change the password for ages. Yeah I know, you should change your password every 2 weeks, but who has the time for that?
by NJ_AHMAD October 5, 2009 3:09 PM PDT
Two weeks? That's so frequent. Heck, I'd say even every month still is. There's the problem of remembering the change. I'm using mine for... almost 20 months now. Or do you guys have some system in creating new passwords that can't be guessed by others but easily remembered by yourselves?
by tjmm1234 October 5, 2009 10:56 AM PDT
I at least try to change mine up once a month...There has to be a way in the future to stop this kind of crap.
by xanthorp October 5, 2009 3:09 PM PDT
Don't let stupid people compute?
by filipiak October 5, 2009 11:02 AM PDT
Just because the article states that the account information viewed was for accounts in the A-B range, people shouldn't assume they're safe if they fall outside of that range.
by n3td3v October 5, 2009 12:01 PM PDT
If this is only 10,000 Hotmail accounts from A to B, then there must be hundreds of thousands more accounts compromised that weren't posted to pastebin.
by zeroplane October 5, 2009 12:30 PM PDT
Hotmail?

Is that still around? Maaahahaa...
by cdotspace October 5, 2009 12:44 PM PDT
That was my reaction too.
by battlemage10000 October 5, 2009 3:59 PM PDT
I actually forgot I had a hotmail account.
by ClaBR October 6, 2009 7:51 AM PDT
@zeroplane: Actually, Hotmail is more used than GMail and Yahoo is #1.

http://www.techcrunch.com/2009/08/14/gmail-nudges-past-aol-email-in-the-us-to-take-no-3-spot/
by TJ Spyke October 5, 2009 2:16 PM PDT
Hotmail is great, much better than Gmail or that crappy Yahoo service.
by NJ_AHMAD October 5, 2009 2:51 PM PDT
Have to disagree with it being better than Gmail. But Yahoo is total crap, definitely. One of the good things about Gmail is the availability of POP3 and IMAP4.
by ddhboy October 5, 2009 7:47 PM PDT
Yeah, that's what I used to think, sent all my excess crap I didn't want to clutter my real e-mail account to my gmail account. Then I switched and made gmail my main e-mail account a year ago, made everything simpler, especially since gmail has IMAP4, so I can read email and sync up on multiple devices, as opposed to hotmail where you have to pay to become a MSN Premium member to get those services.
by zgdk October 6, 2009 9:01 AM PDT
Contrary to popular belief, GMail does not support IMAP. It is an IMAP/POP3 hybrid that in a lot of important ways functions very differently from the way IMAP is supposed to work.
by nSeika October 5, 2009 2:22 PM PDT
So it's not a security breach?
Most headlines sure don't reflect that.

Glad it's just a phishing scheme though, as well as sad that there are people still falling for something like that.
by hlMG2003 October 5, 2009 2:39 PM PDT
Two things you can do to protect yourself from that: get an Apple, or do not use hotmail. There was an email going around with a link that shows you who has you blocked on MSN; it will ask for user name and password. The link is below; somebody created a site to collect people's user names and passwords.
http://gs.gomessenger.net/
by BGXterra October 5, 2009 2:49 PM PDT
How does a Mac save you from giving your password away if you are stupid enough to do it? And hotmail is great, much better than Gmail and Yahoo mail.
[CNET editor's note: Offensive language deleted.]
by ClaBR October 6, 2009 7:46 AM PDT
@hlMG2003: Read the article. There is nothing wrong with hotmail. It was a phishing scam that targeted people who used hotmail.

Update Oct 6: Gmail was also hit by the same scam.
by hlMG2003 October 5, 2009 2:59 PM PDT
If hotmail is great and better than what is out there, how come you keep hearing about problems with it;
http://news.cnet.com/Hotmail-hit-by-new-round-of-problems/2100-1023_3-227776.html

Go do some reading, also if you have a Mac; it will block that site
by ncalishome October 5, 2009 3:57 PM PDT
That article is dated June 29, 1999. I'm not in the mood to fact check, but I suspect Gmail suffers from as many problems such as outages as Hotmail these days. S*it happens, try to stay current

And any browser with phishing detection will block that site, not just on Mac
by willbw October 5, 2009 3:07 PM PDT
Uhh, the range was not just A-B, and I'm sorry to tell you it's the truth.
by cerebral_but_dull October 5, 2009 4:09 PM PDT
As long as the "experts" on this forum continue to blame "stupid people", the problem will continue to get worse. Some of the very brightest have been caught by phishing schemes that are insightful enough like: "Security expert Dr. Warlton will not be able to make the presentation you have signed up for at the Security Om-line Conference on November 3. In his stead will be Dr. Erica Fluestone of Errant-Free Systems. Click here to download her bio and the abstract and a refund form if you are not satisfied with the substitution". Only 11 out of 11 experts who had signed up for the talk were "stupid" enough to fall for it.
What we need is truly aggressive prosecution, top to bottom, of every phishing and bot activity, instead of helping them by assuring people that only the stupid fall for phishing.
by pjk0 October 5, 2009 4:47 PM PDT
Actually I would guess that something like 95% of all phishing victims ARE victims of their own stupidity.

I have NEVER seen a specifically-targeted phish like the one "cerebral_but_dull" presented. And while I'm sure some do exist, they are a tiny tiny fraction of the phishes that are out there, and their number of victims has to be tiny as well, compared to "all phishing victims".

There are all sorts of mitigation tactics that are being used to address the issue, but if end-users continue to "click on anything" they get online or in email, if they continue to pass around rumors and chain-letters without any sort of fact-checking, if they continue to operate insecure computers without current patches, without current security tools, etc... then the problem will do nothing but get worse.

Microsoft is finally offering what I hear is a "decent" security tool ("Security Essentials") which is free of charge. Maybe that will have a positive impact due to all the [lazy | ignorant | cheapskates] who refuse to install or keep updated any other A/V or security tool.
by cerebral_but_dull October 5, 2009 8:17 PM PDT
It's my understanding that what I described (with name of conference fictionalized), is how one of the government nuclear labs was breached, with 11 scientists installing key loggers.
by pjk0 October 5, 2009 4:50 PM PDT
Oh - and as long as millions of people continue to use THE SAME PASSWORD EVERYWHERE, these problems will continue to be disasters.

You would think that if during the 20th century people finally learned some basic rules to keep alive (like looking before crossing train tracks, not drinking water out of ditches, etc.) that they would be able to learn in the 21st century certain no-brainers like not using the same password everywhere.

People may just be getting stupider and stupider.
by jayhaase October 6, 2009 10:17 AM PDT
What?!? You're not supposed to drink water out of a ditch? When did someone make this new rule?
by dmc40 October 7, 2009 3:19 AM PDT
OMG how funny is that !!! lool. you just cheered me up!! thanks
by sylvestre77 October 30, 2009 9:53 PM PDT
very good