Phishing attack hits thousands of Hotmail accounts

Several thousand user account credentials have been posted on a public website as a result of a phishing attack
Written by Matthew Broersma, Contributor

Microsoft has confirmed that the login credentials for several thousand Hotmail email accounts have been posted on a public website as a result of a phishing scam, and said it is taking steps to protect Hotmail users.

"Over the weekend, Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme," Microsoft said in a statement published on a company blog on Monday. "Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers."

The software maker said its investigation found that there had been no breach of internal company data.

As a result of the attack, Microsoft said it has blocked access to all of the accounts exposed. Users can fill out a form on the Windows Live email support site to regain access to their accounts.

A list of about 10,000 email account credentials was initially posted on Pastebin.com, a website ordinarily used by programmers for exchanging code. The list included accounts using hotmail.com, live.com and msn.com email addresses.

Paul Dixon, who runs Pastebin.com, confirmed the list had been posted on the site, which has been taken offline temporarily as a result of the breach.

"Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material," Dixon said in a statement on the site. "Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable. Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications."

A further list of about 20,000 email accounts was also posted on Pastebin.com, containing login credentials for Gmail, Yahoo Mail, AOL, Comcast and Earthlink accounts, according to reports. The second list was seen by the BBC as well as by Neowin.com, the IT community website that initially reported the possible phishing breach.

Microsoft said customers should exercise caution in opening unsolicited attachments and links from both known and unknown sources, and advised the use of antivirus software.

"Phishing is an industry-wide problem, and Microsoft is committed to helping consumers have a safe, secure and positive online experience," the company stated.
