Microsoft confirms phishers stole 'several thousand' Hotmail passwords
Denies security breach of the service; phishing expert calls it 'one of the biggest' ever
Computerworld - Microsoft today confirmed that thousands of Windows Live Hotmail account usernames and passwords had leaked to the Internet, but said the credentials were "likely" stolen in a phishing attack.
The company denied that its Web-based e-mail service had been hacked and the account log-in information stolen because of some lapse on its part.
Earlier today, Neowin.net reported that more than 10,000 accounts had been compromised and speculated that Hotmail had either suffered a breach or an aggressive phishing campaign had collected the usernames and passwords by duping people into divulging the information.
"We determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts," a Microsoft spokeswoman said in an e-mail to questions posed earlier today by Computerworld.
Microsoft did acknowledge that Hotmail accounts had been compromised. "Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme," the same spokeswoman added.
"That's a big result for a phishing campaign," said Dave Jevans, the chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft. "But it's not outside the realm of possibility. We've seen 50,000 to 75,000 [compromised] accounts when phishers target an ISP with millions of users."
Hotmail has about 400 million registered users, according to Microsoft, although the company declined to spell out how many are active users of the service.
"A .05% rate, which is what 100,000 users would represent, isn't unreasonable for 10 to 20 million users," Jevans said. "They wouldn't have to spam every [Hotmail] user to get that."
According to Neowin.net, which first reported the Hotmail incident, more than 10,000 accounts had been compromised. However, Neowin said it had seen only a partial list -- accounts with usernames starting with "A" or "B" -- and suspected that the total could be much larger.
If the 10,000 accounts for A-B are extrapolated to the full alphabet, it's possible that over 100,000 accounts were compromised. "If that's the case, this would definitely be one of the biggest single phishing events," said Jevans. "But it could be the result of a long period of time, months and months of harvesting."
Although the number of phishing attacks declined earlier this year, they have recent stormed back, said Jevans. "They're close to, or at, an all-time peak," he said.
Both Microsoft and Jevans recommended that all Hotmail users change their passwords, just in case. "Change it, ASAP," urged Jevans.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!