Thousands of Hotmail Accounts Leaked
Neowin has today reported that thousands of Hotmail accounts have been hacked with the login details for the accounts posted online. The BBC has also reported…
BBC News has seen a list of more than 10,000 accounts, which technology blog Neowin.net said had been posted online.
This was only names beginning with the initials A and B, suggesting there are more lists out there or to follow. Microsoft, which owns Hotmail, one of the biggest web-based email services, has said they are “investigating the situation”.
First reports are that the account details were gathered as part of a major phishing scam. This is where fake emails, purporting to be from Hotmail, ask people to log into a fake site to ‘confirm’ their usernames and passwords. Should you ever receive an email from any website asking you to do this, you should instead forward the email to abuse@companyname.etc.
It looks as though most of the accounts posted are from Europe. Neowin said…
An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts.
Neowin reported this to Microsoft the same day and, sensibly, held back breaking the story.
They do recommend that if you use Hotmail you change your password and security question straight away.
“At the moment we don’t know how the hackers got the passwords or how many they got,” Graham Cluley, consultant at security firm Sophos, told BBC News.
It’s generally known that around 40% of people use the same password for every website.
Whether this will instigate a mass panic is unknown. If the source of the data really is a phishing scam, then you’ll know whether you’re likely to be affected by it. Until confirmation comes, however, there’s no way to be sure. As soon as we find out we’ll let you know.
