Hotmail hacked

Post date: Oct 08, 2009 2:34:58 AM

Hotmail hacked: Thousands of account details published online

http://blogs.zdnet.com/igeneration/?p=3015

Update (19:55 GMT): added statement from Microsoft at the end.

Thousands, perhaps tens of thousands of Hotmail accounts have been hacked through phishing sites and published online, according to the BBC.

The news is still breaking but according to Neowin, who first reported the story, Microsoft have enacted a rapid-response protocol to limit the damage.

According to Neowin:

“It appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts.

However, considering the Windows Live ID is a single sign-on solution for all Microsoft and Windows Live services, the implications could be a lot greater than first considered.

While phishing is relatively new in the grand scheme of online malware and threats, it seems the tens of thousands of users have mistaken a genuine login page for a fake one, and are now suffering the consequences.

This poses a question I have considered for some time now. There will no doubt be a number of students who have been a victim in this phishing campaign who have been sending and receiving important emails through the service, instead of their own university dedicated system.

Phishing often relies on the service targeted having a massive user base. In comparison to colleges and universities, Hotmail has a greater number of users worldwide, therefore the benefits reaped would be greater.

As a result, it is not clear whether users of Live@edu were targeted, considering the Windows Live ID sign-in process is identical to that of Hotmail. The potential, however, is very much there,

It is unclear at this time whether this is a “proof of concept” come protest-like attack, as the potential to take advantage of these accounts on a personal scale could be endless. But considering the details were published to the wider web, it seems to me it could be a way of alerting people to the consequences of phishing and/or the security of Hotmail.

With the simplicity of the Windows Live ID sign-in screen, to attempt to create a phishing site from this is surprisingly easy. However with the most recent browsers, a clear green bar or similar will indicate that in fact the sign-in screen is secure.

Nevertheless, it is an interesting story which may well see Microsoft bump up their security to Yahoo! anti-phishing standards.

Microsoft’s statement:

“Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a phishing scheme. As always, upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers.

As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”

By Zack Whittaker, the youngest in the ZDNet network, is a British student at the University of Kent, Canterbury, where he studies BA (Hons) Criminology and Social Policy. His insight into the next-generation is unique and first-hand, sharing his knowledge of the here and now but more importantly, what's next and how to get there. You can read his public biography and his work disclosures of his current and past industry affiliations.