while I punch M$ every time it deserves it, phising points to user stupidity not to some sort of hacking or intrusion.
That could potentially happen to ANY online email provider...just replace the phising screen.
Update (19:55 GMT): added statement from Microsoft at the end.
Thousands, perhaps tens of thousands of Hotmail accounts have been hacked through phishing sites and published online, according to the BBC.
The news is still breaking but according to Neowin, who first reported the story, Microsoft have enacted a rapid-response protocol to limit the damage.
According to Neowin:
“It appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts.
However, considering the Windows Live ID is a single sign-on solution for all Microsoft and Windows Live services, the implications could be a lot greater than first considered.
While phishing is relatively new in the grand scheme of online malware and threats, it seems the tens of thousands of users have mistaken a genuine login page for a fake one, and are now suffering the consequences.
This poses a question I have considered for some time now. There will no doubt be a number of students who have been a victim in this phishing campaign who have been sending and receiving important emails through the service, instead of their own university dedicated system.
Phishing often relies on the service targeted having a massive user base. In comparison to colleges and universities, Hotmail has a greater number of users worldwide, therefore the benefits reaped would be greater.
As a result, it is not clear whether users of Live@edu were targeted, considering the Windows Live ID sign-in process is identical to that of Hotmail. The potential, however, is very much there,
It is unclear at this time whether this is a “proof of concept” come protest-like attack, as the potential to take advantage of these accounts on a personal scale could be endless. But considering the details were published to the wider web, it seems to me it could be a way of alerting people to the consequences of phishing and/or the security of Hotmail.
With the simplicity of the Windows Live ID sign-in screen, to attempt to create a phishing site from this is surprisingly easy. However with the most recent browsers, a clear green bar or similar will indicate that in fact the sign-in screen is secure.
Nevertheless, it is an interesting story which may well see Microsoft bump up their security to Yahoo! anti-phishing standards.
Microsoft’s statement:
“Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a phishing scheme. As always, upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers.
As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”
