Microsoft confirmed recently that thousands of Windows Live Hotmail customers' credentials were exposed on a third-party website. According to Neowin, the account information was posted by an anonymous user on the Pastebin website.
The posted list contains over 10,000 account details for accounts starting with the letters A and B, which suggests that additional lists may be in the hands of the third party.
Initial investigations suggest that only accounts used to access Windows Live Hotmail were affected (which includes email accounts ending with hotmail.com, msn.com or live.com).
Microsoft determined that the attack was not a breach of internal Microsoft data and believes that the account data was obtained through a phishing attack. Phishing attacks are a common way these days to lure users into entering their account data on websites that look like the real deal but are not.
Users are often redirected to the "real" website after they have entered the data on a phishing site, so that they do not suspect any foul play: everything works as intended, except that they have to enter their account credentials again.
Hotmail users are encouraged to immediately change their account password to protect the account from unauthorized access. It is furthermore recommended to change the account password on other websites if the same password was used for accounts there as well.
A good tool that can help users create and use secure passwords is the LastPass extension, which is available for Firefox, Internet Explorer and Google Chrome.
The most recent update confirms that more than 20,000 accounts are affected and that the list includes non-Hotmail accounts as well.
If you believe that your account may be affected, act immediately and change your account password on all accounts that may be affected by it, including those where you are using the same account password and username.
One of the best ways to protect your online accounts against phishing attacks is to use a password manager. You use it to generate a unique password for each service and need to remember only the master password to unlock the encrypted password database.
Update: We have published a follow-up article that provides an analysis of the leaked passwords.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.