Hotmail Phishing Attack: Time To Change Passwords
Microsoft confirmed recently that the credentials of thousands of Windows Live Hotmail customers were exposed on a third-party website. According to Neowin, the account information was posted by an anonymous user on the Pastebin website.
The posted list contains more than 10,000 account details, all for accounts beginning with the letters A and B, which suggests that the third party may hold additional lists covering the rest of the alphabet.
Initial investigations suggest that only accounts used to access Windows Live Hotmail were affected (which includes email addresses ending in hotmail.com, msn.com or live.com).
Microsoft determined that the attack was not a breach of internal Microsoft data and believes that the account data was obtained through a phishing attack. Phishing is a common way of luring users into entering their credentials on websites that look like the real thing but are not.
Phishing sites often redirect the user to the real website after the credentials have been entered, so that nothing looks wrong: everything works as expected, except that the user has to log in a second time. Checking the address bar before entering a password is the simplest way to tell the two apart.
Hotmail users are encouraged to change their account password immediately to protect the account from unauthorized access. It is furthermore recommended to change the password on any other website where the same password was used.
A good tool that helps users create and use secure passwords is the LastPass extension, which is available for Firefox, Internet Explorer and Google Chrome.
The most recent update confirms that more than 20,000 accounts are affected and that the list includes non-Hotmail accounts as well.
If you believe that your account may be affected, act immediately and change the password on every account that could be affected, including accounts on other services where you use the same password, even under a different username.
One of the best ways to protect your online accounts against the fallout of a phishing attack is to use a password manager. It generates a unique password for each service, so a phished password cannot be replayed anywhere else, and you only need to remember the master password that unlocks the encrypted password database.
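The two steps the article recommends, generating a unique password per service and finding every other account that shares a phished password, are shown below as an added example. It is not code from the article or from LastPass; the vault entries and the list of exposed services are constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Full printable ASCII set; a CSPRNG (secrets) is used rather than random.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password with at least one lower, upper, digit and symbol."""
    if length < 12:
        raise ValueError("refuse to generate a password shorter than 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def find_reused(vault):
    """Map each password used on more than one service to the list of those services."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["service"])
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def accounts_to_rotate(vault, exposed_services):
    """Return every service whose password must change: the exposed ones plus
    any other service that shares a password with an exposed one."""
    reused = find_reused(vault)
    to_rotate = set()
    for entry in vault:
        if entry["service"] in exposed_services:
            to_rotate.add(entry["service"])
            to_rotate.update(reused.get(entry["password"], []))
    return sorted(to_rotate)


def rotate(vault, exposed_services):
    """Return a new vault in which every account flagged by accounts_to_rotate
    has a fresh, unique password."""
    flagged = set(accounts_to_rotate(vault, exposed_services))
    return [
        dict(entry, password=generate_password()) if entry["service"] in flagged
        else dict(entry)
        for entry in vault
    ]


# Constructed sample vault (hypothetical entries, not real credentials).
# The mail account and the forum share a password; the bank does not.
SAMPLE_VAULT = [
    {"service": "hotmail.com", "username": "alice", "password": "summer2009"},
    {"service": "forum.example", "username": "alice99", "password": "summer2009"},
    {"service": "bank.example", "username": "alice", "password": "K#9vQ!pL2mZ@8xRw"},
]

if __name__ == "__main__":
    exposed = {"hotmail.com"}
    print("rotate:", accounts_to_rotate(SAMPLE_VAULT, exposed))
    for entry in rotate(SAMPLE_VAULT, exposed):
        print(entry["service"], entry["password"])
```

Note that reuse is detected by comparing the stored passwords directly, which is only possible inside an unlocked vault; a password manager does this for you with the same logic. The bank account is left alone because its password was unique.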
Update: We have published a follow-up article that provides an analysis of the leaked passwords.
WOW, 10,000 stupid users with a mail starting with "A" or "B".
Damn, maybe it would be a good idea to start phishing?
I mean, I thought that those scammers were some stupid kid/guy with too much free time, but if there exist that many stupid people it might be a nice business plan to scam?
No, don't worry, I'm one of the "good guys" :P