
Thousands of Hotmail passwords leaked online



Matooba
October 5th, 2009, 05:30 PM
Thousands of Hotmail passwords leaked online (Tom Warren)

Neowin has received information regarding a possible Windows Live Hotmail "hack" or phishing scheme where password details of thousands of Hotmail accounts have been posted online.

An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.

Neowin has reported this immediately to Microsoft's Security Response Center and to Microsoft's PR teams in the UK and US and we are currently awaiting feedback on the situation. As this is a breaking story please check back frequently as the story will be updated as soon as more information becomes available.

If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.


Update: According to BBC News, Microsoft is currently "investigating the situation and will take appropriate steps as rapidly as possible."

Update 2: Microsoft has now fully confirmed our reports. According to a Microsoft spokesperson "over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

Source: http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online

Ganon
October 5th, 2009, 05:37 PM
gmail :]

Pyong Kawaguchi
October 5th, 2009, 05:37 PM
Pwned

Cojafoji
October 5th, 2009, 05:47 PM
Get own domain etc.

klange
October 5th, 2009, 05:52 PM
Get own domain etc.
This is what I did years ago. IMAP, secure protocols, unlimited space, local-part tagging, damn good spam filter, etc.

Phopojijo
October 5th, 2009, 06:00 PM
Gmail, Hotmail, or IMAP -- it doesn't matter. This is a phishing scheme... a social engineering scheme.

The owners of these accounts unwittingly gave up their credentials to a third party.

All of Microsoft or Google's best security will not help you if you tell the hacker your password.

Con
October 5th, 2009, 06:09 PM
What Phopo said ^

This really has nothing to do with Microsoft or Hotmail. Of course, everyone's going to freak out about it.

klange
October 5th, 2009, 06:10 PM
Gmail, Hotmail, or IMAP -- it doesn't matter. This is a phishing scheme... a social engineering scheme.
You can't socially engineer my password off of my own service. Why the hell would I give the password to anyone? I own the entire system. Social engineering only works when it's even remotely feasible for the other end to be a legitimate party that needs your password. If I run my own mail service, there is no one in the world other than myself that would ever need my password. As much as Gmail or Hotmail may say "we'll never ask for your password", they're still there and they're not you, so it's still possible that they would ask you for your password, in some other universe.

(And IMAP is a protocol used by every major mail service that doesn't suck)

Oh, and for the record, you can't hit me with a man in the middle attack either because I use SSH connections and heavy SSL encryption to get to my server. I'm damn fucking sure what's on the other side is mine because there are three steps in the process that will totally error out and yell at me if it isn't.

Phopojijo
October 5th, 2009, 06:13 PM
You can't socially engineer my password off of my own service. Why the hell would I give the password to anyone? I own the entire system. Social engineering only works when it's even remotely feasible for the other end to be a legitimate party that needs your password. If I run my own mail service, there is no one in the world other than myself that would ever need my password. As much as Gmail or Hotmail may say "we'll never ask for your password", they're still there and they're not you, so it's still possible that they would ask you for your password, in some other universe.

(And IMAP is a protocol used by every major mail service that doesn't suck)

Oh, and for the record, you can't hit me with a man in the middle attack either because I use SSH connections and heavy SSL encryption to get to my server. I'm damn fucking sure what's on the other side is mine because there are three steps in the process that will totally error out and yell at me if it isn't.
And if you get a trojan installed?

klange
October 5th, 2009, 06:17 PM
And if you get a trojan installed?
With the levels of security I'm using? I run Linux, do regular virus scans, and follow appropriate browsing measures. Not to mention, all of my passwords are stored in encrypted forms and access to memory in a different process is blocked. Unless your trojan has access to the encryption keys my build of Shredder is using, and you somehow managed to get it on my machine, you're not going to get my passwords. Also, by bringing trojans and viruses into this, you've moved away from phishing attacks.

Phopojijo
October 5th, 2009, 06:30 PM
With the levels of security I'm using? I run Linux, do regular virus scans, and follow appropriate browsing measures. Not to mention, all of my passwords are stored in encrypted forms and access to memory in a different process is blocked. Unless your trojan has access to the encryption keys my build of Shredder is using, and you somehow managed to get it on my machine, you're not going to get my passwords. Also, by bringing trojans and viruses into this, you've moved away from phishing attacks.
Actually Trojans are social engineering devices... tricking you into doing something bad.

klange
October 5th, 2009, 06:45 PM
Actually Trojans are social engineering devices... tricking you into doing something bad.
Then by your definition of a trojan, I will never get one. You seem to be arguing just to argue; I'm trying to explain why running my own services protects me from social engineering attacks. You're either completely missing the point or you really want to turn this into a flamefest.

Limited
October 5th, 2009, 06:52 PM
Shit, I'm European :O

Also for people saying boo hotmail, XBL accounts perhaps?

Also bacon, you cannot 100% protect yourself, what happens if someone creeps up on you and watches you type it in :O

teh lag
October 5th, 2009, 06:53 PM
oh my god everyone stop arguing!

Limited
October 5th, 2009, 06:55 PM
Oh wow, according to Hotmail, a 14 character long password is 'Weak'.

no no no quiet you

Phopojijo
October 5th, 2009, 09:40 PM
Well if it's all lower case dictionary -- then yes it is weak.

klange
October 5th, 2009, 09:56 PM
Shit, I'm European :O

Also for people saying boo hotmail, XBL accounts perhaps?

Also bacon, you cannot 100% protect yourself, what happens if someone creeps up on you and watches you type it in :O
While I won't disagree with the 100% protection thing (there's no such thing as 100% protection - if there is any way in there is a way to break in), I can combat your example case: with the authentication systems I use, you'd also have to physically steal a piece of my hardware to get on with my password. One of the perks of passphrase-protected key authentication. Makes webmail kinda pointless, but hey, it's a damn good security method.

Also, yeah, number of characters is not nearly as important as variety of character types. Constricting yourself to lowercase letters compared to case-sensitive alphanumerics... then add symbolics. Each additional type of character exponentially increases the total number of possibilities.
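An added example, not code from anyone in this thread, for the "14 characters is Weak" exchange above and the claims about length versus character variety: it computes the brute-force search space of a password as charset_size ** length from the printable ASCII classes it contains, and shows how many lowercase-only characters are needed to match a shorter full-alphabet password. The toy dictionary and the weak/fair/strong thresholds are assumptions for illustration, not Hotmail's actual meter.

```python
"""Password search-space arithmetic.

Added example; the thresholds and the toy dictionary are assumptions, not
Hotmail's actual strength meter.
"""
import math
import string

# Character classes a guesser must cover; once one member of a class
# appears, every member of that class is a candidate at every position.
CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "symbol": set(string.punctuation),     # 32 printable ASCII symbols
}

# Constructed toy wordlist; real meters check lists of millions of entries.
TOY_DICTIONARY = {"password", "hotmail", "windowslive", "abcdefghijklmn"}


def charset_size(password):
    """Size of the alphabet an attacker has to assume from the classes present."""
    return sum(len(members) for members in CLASSES.values()
               if any(ch in members for ch in password))


def search_space_bits(password):
    """log2(charset_size ** length) = length * log2(charset_size).

    Length is the exponent; adding a character class only grows the base.
    """
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def length_needed(target_bits, charset):
    """Shortest length at which an alphabet of the given size reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset))


def is_dictionary_word(password):
    """A single dictionary word falls to one lookup, whatever its length."""
    return password.lower() in TOY_DICTIONARY


def rate(password):
    """Toy rating: dictionary word is weak regardless of length; otherwise use bits."""
    if is_dictionary_word(password):
        return "weak"
    bits = search_space_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ("abcdefghijklmn", "qzlmxwrpvbtnkd", "aB3$eF7!"):
        print(pw, charset_size(pw), round(search_space_bits(pw), 1), rate(pw))
    # Lowercase-only letters needed to match an 8-character full-ASCII password:
    print(length_needed(search_space_bits("aB3$eF7!"), 26))
```

Running it shows the two 14-character lowercase strings share the same 26**14 arithmetic, yet the one that is a dictionary entry is rated weak because it is one lookup away, and that an 8-character string drawing on all four classes (94**8) needs 12 lowercase letters to be matched.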

neuro
October 6th, 2009, 01:13 AM
TIME TO INSTALL SOME 64BIT PASSWORDS

Bhamid
October 6th, 2009, 11:02 AM
Apparently Gmail and Yahoo accounts were also affected. Is there a list anywhere so I can see if mine is leaked?
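An added example, not code from the article or from anyone in this thread, for two practical points raised above: what triage of a pastebin-style list looks like (the article describes email:password entries for @hotmail.com, @msn.com and @live.com, alphabetically A through B), and how to answer "is mine on it" without keeping other people's cleartext credentials around. The dump lines are constructed sample data, and the SHA-256 fingerprint scheme is an illustrative assumption.

```python
"""Triage of a leaked email:password dump, plus a hashed membership check.

Added example for this thread; the dump below is constructed, not the real
pastebin list, and the fingerprint scheme is an illustrative assumption.
"""
import hashlib
from collections import Counter

# Constructed sample in the email:password layout the article describes.
# Mixed case and a password containing ':' are included on purpose.
SAMPLE_DUMP = """\
aaron.b@hotmail.com:Summer09
adele.x@live.com:pa55word
alan@MSN.com:letmein1
amelie@hotmail.fr:motdepasse
Bart@hotmail.com:bart1234
bea@live.co.uk:qwerty
bella@live.com:p:w:d
this line is not a credential
"""

# The three domains the article names as Windows Live Hotmail.
WINDOWS_LIVE_DOMAINS = {"hotmail.com", "msn.com", "live.com"}


def parse_dump(text):
    """Return [(email, password)] for lines shaped like email:password.

    Split on the first ':' only, since passwords may contain ':'.
    Addresses are lower-cased so later comparisons are case-insensitive.
    """
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        creds.append((email.strip().lower(), password))
    return creds


def domain_counts(creds):
    """Entries per mail domain (which services are actually represented)."""
    return Counter(email.rsplit("@", 1)[1] for email, _ in creds)


def windows_live_share(creds):
    """Fraction of entries on one of the three Windows Live domains."""
    hits = sum(1 for email, _ in creds
               if email.rsplit("@", 1)[1] in WINDOWS_LIVE_DOMAINS)
    return hits / len(creds) if creds else 0.0


def initial_letters(creds):
    """Sorted first letters of the local parts (the article saw only A to B)."""
    return sorted({email[0] for email, _ in creds})


def address_fingerprints(creds):
    """SHA-256 of each normalised address; keep these, discard the cleartext.

    A set of hashes is enough to answer 'am I on the list' without retaining
    other people's addresses and passwords.
    """
    return {hashlib.sha256(email.encode()).hexdigest() for email, _ in creds}


def is_listed(address, fingerprints):
    """True if the normalised address is in the fingerprint set."""
    digest = hashlib.sha256(address.strip().lower().encode()).hexdigest()
    return digest in fingerprints


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    print(domain_counts(creds))
    print("Windows Live share:", round(windows_live_share(creds), 3))
    print("initial letters:", initial_letters(creds))
    fps = address_fingerprints(creds)
    print(is_listed("Bart@Hotmail.com", fps), is_listed("nobody@hotmail.com", fps))
```

Hashing the addresses does not make a real dump safe to pass around (an address is easy to guess and confirm), but it does let whoever holds the list delete the cleartext file while still answering membership questions.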

Limited
October 6th, 2009, 01:17 PM
Well if it's all lower case dictionary -- then yes it is weak.
It was a combination of upper and lower and had symbols in it...