Neowin.net is reporting that over 10,000 usernames and passwords were publicly disclosed from users of hotmail.com, msn.com, and live.com email services. All of the accounts initially posted begin with the letter a or b, suggesting that this may be the tip of the iceberg.
BBC News contacted Microsoft and was able to confirm the validity of the accounts that were released.
Microsoft has released a public statement saying their investigation determined the IDs were stolen through a phishing attack. Part of their statement said “As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”
This raises the question of how many people fell victim to this attack, and whether it is still underway. I may not be able to answer these questions, but with over 10,000 accounts exposed from just the first two letters of the alphabet, the scope of this fraud could be very large. Users who have followed Graham’s advice about using a separate password for each site will limit their exposure to Microsoft’s online services alone, rather than every account that shares the same password.
Another question is what Microsoft means by “due to a phishing scheme”. Was this another “view your blocked MSN friends” website, or was it a direct phish using an impostor Hotmail login page? SophosLabs blogged about these attacks early in September, and it seems likely this may be related.
Computerworld reported that this may be a similar attack to the one that disclosed private emails of vice presidential candidate Sarah Palin during last year’s U.S. election. I find this highly improbable. Compromising 10,000 or more accounts in an apparently serial manner would not be practical by guessing security questions. It is far more likely that users were duped into providing their passwords to a fraudulent website posing as Microsoft or an affiliate.
My recommendation for users of Microsoft’s online services is to change your passwords immediately. Better safe than sorry, and password rotation is something we are often too lazy to do. This is a great time to log into those Facebook, Twitter, Gmail, and Yahoo! accounts and do likewise, as a simple best practice to prevent yourself from becoming a victim of habit.
Password rotation is not fun, but it is a great preventative to these types of disclosures.
If you are an IT administrator, this would be a great time to remind your users to change their Microsoft Live!, MSN, and Hotmail passwords. Additionally, as always, be sure your anti-spam protection is current and educate your users about phishing and clicking links in email. Sophos Web Appliance customers have been protected against the MSN friends scam for some time now; however, technology and education together are always the best solution.
Creative Commons image courtesy of ToastyKen’s flickr photostream