Hotmail hacked: Thousands of account details published online

Summary: Hotmail, which has the largest number of email users on the planet, has been compromised, with tens of thousands of passwords being published to the web.

Update (19:55 GMT): added statement from Microsoft at the end.

Thousands, perhaps tens of thousands of Hotmail accounts have been hacked through phishing sites and published online, according to the BBC.

The news is still breaking but according to Neowin, who first reported the story, Microsoft have enacted a rapid-response protocol to limit the damage.

According to Neowin:

"It appears only accounts used to access Microsoft's Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts.

However, considering the Windows Live ID is a single sign-on solution for all Microsoft and Windows Live services, the implications could be a lot greater than first considered.

While phishing is relatively new in the grand scheme of online malware and threats, it seems tens of thousands of users have mistaken a fake login page for a genuine one, and are now suffering the consequences.

This poses a question I have considered for some time now. There will no doubt be a number of students who have been a victim in this phishing campaign who have been sending and receiving important emails through the service, instead of their own university dedicated system.

Phishing often relies on the service targeted having a massive user base. In comparison to colleges and universities, Hotmail has a greater number of users worldwide, therefore the benefits reaped would be greater.

As a result, it is not clear whether users of Live@edu were targeted, considering the Windows Live ID sign-in process is identical to that of Hotmail. The potential, however, is very much there.

It is unclear at this time whether this is a "proof of concept"-cum-protest attack, as the potential to take advantage of these accounts on a personal scale could be endless. But considering the details were published to the wider web, it seems to me it could be a way of alerting people to the consequences of phishing and/or the security of Hotmail.

With the simplicity of the Windows Live ID sign-in screen, creating a phishing site that mimics it is surprisingly easy. However, with the most recent browsers, a clear green bar or similar will indicate that the sign-in screen is in fact secure.

Nevertheless, it is an interesting story which may well see Microsoft bump up their security to Yahoo! anti-phishing standards.

Microsoft's statement:

"Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a phishing scheme. As always, upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers.

As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

Topics: Collaboration, Browser, Security

Talkback

77 comments
  • wrong headline

    while I punch M$ every time it deserves it, phishing points to user stupidity not to some sort of hacking or intrusion.
    That could potentially happen to ANY online email provider...just replace the phishing screen.
    Linux Geek
    • Facts...

      have never stopped Zack from sensationalizing a story into an anti-Microsoft rant before....
      Joe_Raby
      • Sounds like it is more than a simple phishing attack. They are somehow

        redirecting the login screen, so you think you are
        actually logging into your account. That is
        different than clicking on a link in your email
        that asks for username and password.

        Let's wait and see what it really was.
        DonnieBoy
        • DNS

          Unpatched DNS vulnerabilities could lead to this, which is why the DNS flaws recently found were so important. If login.live.com gets redirected to a nasty site, then it's the DNS provider's fault. However, it's usually something in an e-mail saying you need to update account info; it has a URL link that really goes to an IP address that mimics the site. If that is the case, then it is user stupidity, ignoring that you're at an IP and not the correct login address.
          LiquidLearner
          • Keep in mind

            That phishers aren't limited to using IP links.
            They could use a domain name like login.liwe.com
            or login.live.co and although you might notice it
            most of the time, all it takes is one mistake for
            them to have your account.

            Best to just never click links in emails at all.
            AzuMao
          • login.live.co

            I received 1 of those yesterday from a web mail "login.xyzyx.co." I thought it was a typo, so I did a copy/paste to the address bar and I wound up with login.xyzyx.co on the address bar; then I added the 'm' on the end and went ahead with the process of answering the request. I had just sent them a request for help, so I was expecting the mail.
            Me_too
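The two comments above describe lookalike domains (login.liwe.com, login.live.co) and raw-IP links standing in for login.live.com. The following defender-side check, added here as an example and not code from the page or from Microsoft, flags such links before a user follows them; it assumes login.live.com is the only legitimate sign-in host and uses constructed sample URLs.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only host a Windows Live sign-in link should point at.
LEGITIMATE_HOSTS = {"login.live.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_login_url(url: str, legit=LEGITIMATE_HOSTS, max_dist: int = 2) -> str:
    """Return 'ok', 'ip-literal', 'lookalike' or 'unknown' for a sign-in link."""
    # Bare hostnames in mail bodies have no scheme; add one so urlsplit parses them.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()  # hostname drops port, case
    if not host:
        return "unknown"
    if host in legit:
        return "ok"
    try:
        ipaddress.ip_address(host)   # handles IPv4 and bracketed IPv6 literals
        return "ip-literal"          # a raw IP where a brand hostname is expected
    except ValueError:
        pass
    if any(edit_distance(host, good) <= max_dist for good in legit):
        return "lookalike"           # e.g. liwe for live, or a truncated TLD
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, modelled on the ones mentioned in the thread.
    for sample in ("https://login.live.com/login.srf", "http://login.liwe.com/",
                   "http://login.live.co", "http://192.0.2.10/login.srf",
                   "login.xyzyx.co"):
        print(f"{sample:40} -> {classify_login_url(sample)}")
```

A mail gateway or browser helper would typically block or warn on 'ip-literal' and 'lookalike' results and leave 'unknown' hosts to reputation checks.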
    • *claps*

      The one time I've actually agreed with Linux Geek.

      This story is all about the author trying to get page views and make money, very sad...
      TylerM89
      • Let's wait until we see what it really is. It does sound like more than a

        simple phishing attack. It sounds like it IS
        something that MS can fix.
        DonnieBoy
        • And here I thought..

          I was going crazy when I actually agreed with Linux Geek, but I'm glad you brought me back to reality. I knew it was too good to be true, Linux/OS zealots being... logical? Impossible!

          It actually sounds just like a phishing attack. 10,000 accounts? That's nothing. There are 10s of millions of users.
          TylerM89
          • Go tell those hacked that 10,000 hacked accounts is nothing, they'll like

            to hear you say that.

            People are not mere numbers, people are people.

            So much for your logic argument.
            The Mentalist
          • Way to skim the comment..

            If this was a hack, why only about 10,000 accounts? Why not millions, or tens of millions?

            People aren't numbers, but in this case, only 10,000 doesn't seem like a hack.

            Multiple reliable news sources stated this appears to be phishing, and not a hack.
            TylerM89
          • hacked???? Really?

            Nobody REALLY hacked their accounts. They typed all the info themselves. You can download all the images to your local computer and make a page that looks exactly like the original. Now you just need to lure customers to this web-site, record their username and password, and redirect the request to the original live.com. The customer would never know that a third-party web-site recorded his/her username and the password. Since this type of phishing became so popular, many banks had to change their login process to prevent this from happening.

            So, dear author, how is this hacking?
            pupkin_z
          • It all depends on how they ended up at the site. If they were redirected

            there through a hack, possibly of the DNS system,
            then that is quite a different story than if they
            clicked on a link in an email.
            DonnieBoy
          • Hold your horses

            How do you know the users typed the info themselves? Where did you read that? Do you have access to privileged info, something us mere mortals can't access?
            The Mentalist
          • @Mentalist

            What do you think a phishing attack is? If this is a phishing attack, which we have no reason to believe otherwise (regardless of how it occurred), then the users typed in the info themselves. That's what phishing means.
            LiquidLearner
          • Come on, until we have more info, we can not just blame this on "stupid"

            users. Why is this only affecting hotmail users?
            DonnieBoy
          • Perhaps...

            that's because stupid users choose to use Hotmail, leading to the impression that it is the service that is at fault when in fact it isn't; it just happens that Hotmail is unfortunate enough to only attract stupid users.
            The Mentalist
          • So the hundreds of people

            who fall victim to PayPal phishing attacks on a daily basis are using a service only stupid people use? I fail to see how you're pinning this on MS in any way, shape or form.
            LiquidLearner
          • This stupid user only used Hotmail for stupid email.

            I.E. when replying to ads, etc. Not for any REAL email. Hotmail is only useful for spam collection.
            No More Microsoft Software Ever!
          • Because...

            Criminals created extensive phishing sites for Hotmail? The same thing happens to banks, websites, and other notable companies. Windows Live happens to be massive.
            TylerM89