Hotmail passwords leaked online
The email accounts of thousands of users of Microsoft's Hotmail email service have been compromised after passwords and account addresses were posted on the internet.
By Claudine Beaumont , Technology Editor
5:33PM BST 05 Oct 2009
The login details of more than 10,000 accounts briefly appeared on a web-site used by computer programers.
The list included only addresses starting with A and B, raising fears that more could appear online in the coming days, potentially exposing tens of thousands more Hotmail users.
According to technology website Neowin.net, an anonymous user posted details of around 10,000 Microsoft Hotmail, Windows Live and MSN accounts on Pastebin.com, an online forum used by developers to share snippets of programming code. Neowin said the details appeared legitimate, and that most of the accounts exposed by the leak belonged to European web users.
The source of the leak remains unknown, but it seems likely that the details were collected as the result of "phishing" scams, which use fake websites to trick people in to revealing personal details, such as account login information, believing they are on a legitimate site.
Microsoft said that it had been made aware of the problem.
"We're actively investigating the situation and will take appropriate steps as rapidly as possible," said Microsoft in a statement. "Microsoft is committed to protecting the privacy of our customers, and believe they deserve to have their personal data used only in ways they have agreed to, and in ways that provide value to them."
Users of Hotmail, Windows Live and MSN email accounts are advised to change their passwords and security questions immediately, in order to block unauthorised access to accounts. There are fears that hackers or cybercriminals could use these email accounts to gain access to sensitive or personal information, or to log on to online bank accounts and shopping websites to make fraudulent transactions. Many internet users use the same password details for multiple accounts.
"It's unclear at this stage whether the cause of the leak is phishing attacks or some kind of attack on Microsoft's servers," said Carole Theriault, a senior security consultant with Sophos. "These things do happen, and people shouldn't panic, but we recommend taking some practical steps. If they have a Hotmail, MSN or Live email addres, they should change their account password and security question."
Hotmail is the largest web-based email service in the world, boasting an estimated 500 million users, with 14 million in the UK alone. The password leak comes at the start of a busy month for Microsoft, with the company launching its new computer operating system, Windows 7, on October 22. It also recently unveiled Microsoft Security Essentials, a suite of security software designed to help protect internet users against malicious software, trojans and viruses.
Lukas Oberhuber, chief technical officer at Forward Internet Group, said the leak looked like the result of a phishing attack. "Those sorts of attacks are almost impossible to defend against," he said. "They are becoming increasingly sophisticated.
"It's hard to say at this stage what the motivation was for posting the list online. Was the person responsible simply trying to prove that it could be done?"
Mr Oberhuber said that one indication that an account had been compromised might be if the user receives a number of emails saying that they had requested other account password reminders.
"Hotmail is not the first web email service to be hacked in this manner, and it won't be the last," he said.
A report earlier this year from Lucid Intelligence estimated that the identities of around four million Britons had been stolen and made available online to the highest bidder, while ast week, users of Twitter, the microblogging site, were targeted in a phishing scam. Clicking on a link received in a direct message re-directed unsuspecting Twitter users to a fake webpage that prompted them to enter their username and password details, and then harvested that information to hack accounts.
And the Yahoo! email account of Sarah Palin, the former US vice-presidential candidate, was famously hacked last year by an internet user who guessed the then Alaskan governor's password using readily available biographical information found online.