Today brought forth a new wave of details and even more questions related to the disclosure of Hotmail, MSN, and Live! credentials revealed yesterday by Neowin.com. This morning BBC reported on another 20,000 credentials posted on pastebin.com. They also disclosed that Google found a third list of credentials of undisclosed size.
The credentials posted this morning were not limited to Microsoft services; they also included Yahoo!, Gmail, AOL, Comcast, and Earthlink. The breadth and scope of this is intriguing as Microsoft and Google both have made statements insisting it is the result of phishing.
I am not willing to say it is not phishing, or related to phishing; however, it could be a combination of attacks leading to this large quantity of compromised accounts. Many trojans and other malware capture and upload any credentials cached by Internet Explorer and Firefox.
I mentioned yesterday the chance this was related to a MSN Messenger friends block verification scam that was popular at the end of August and beginning of September. Earlier that day SophosLabs reported on a similar scam targeting Microsoft passwords. This alone implies that if it is only phishing, multiple tactics were taken.
Many users have expressed concern to me today regarding the difficulty in changing their Microsoft credentials. When logging into your Hotmail or other Live! ID account it is not obvious how to change your password. You wouldn't think Microsoft would make something so important so difficult, but they do. Here is the easiest way I have found to change your Live!/Passport password.
- Go to http://login.live.com
- Enter your email address and password for the account in question
- Select Credentials
- Choose Change your password
- While entering the details I recommend checking the box "Make my password expire every 72 days"
You might ask, "Why would these thieves post these passwords in a public forum?". This is not entirely clear, but the precedent would be credit card thieves. They often steal hundreds, or thousands of cards and post a sample on underground message boards to demonstrate that they have real cards. Then they are able to sell the rest with the purchaser having been able to test the validity of their claim.
If the 30,000 are a limited sample of what they have obtained, then this could be a demonstration to potential customers of the stolen logins. If this is true the 30,000 users are the lucky ones. . . Microsoft, Google and the others can lock these accounts and prevent their further abuse. The remaining undisclosed accounts are free for the taking if users don't hear the message to change their passwords and better protect their identities.
What value do stolen email accounts have? Two primary scams come to mind.
- The hackers are able to penetrate the trust barrier. Your webmail account often contains a list of friends, family and acquaintances who trust you. This enables the attacker to victimize these contacts by virtue of their relationship with you.
- Logging into your account hackers are able to determine what other online services you use, and are able to perform password resets. This widens the net of identities they can capture and potentially enables them to reset your passwords to bank accounts, online payment systems, and other critical accounts.
If it is not already clear, reset all of your passwords. Be more vigilant than ever about clicking links in emails, even links on search engines. Only provide your credentials to websites that provide the service for which the user ID belongs.
Creative Commons image courtesy of Richard Parmiter's flickr photostream. Caption says "Passwords are like pants. You shouldn't leave them out where people can see them. You should change them regularly. And you shouldn't loan them out to strangers!"