Passwords stolen & posted online for Hotmail.

Kimberle

Just saw this on 2 different news stations. If you have a Hotmail account, better change your password. This happened over the w/end.
 
:scared1: which could explain why I can't get in.
 
I am guessing/hoping those affected would be blocked or notified.
http://in.reuters.com/article/technology-media-telco-SP/idINN0539714520091005

Microsoft said the passwords had been removed from the offending website, which it did not identify, and said it had blocked access to all affected accounts and was helping users to reclaim their Hotmail accounts. The software company said the exposure of the passwords was not a breach of any Microsoft servers.
 

Also reading today that this has also happened to Google and Yahoo. Some sort of phishing scam.
 
Thanks for this! People are constantly trying to break into my account so I changed my password right away.
 
There was another thread about this yesterday. Below is what I posted there for what it's worth:

Like Microsoft, Google was quick to point out that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

If you are confident you were not socially engineered to give up your password, which is all a phishing scheme really is, you are safe. The underlying issue isn't so much that the passwords are posted, most phishing schemes result in passwords being traded on certain black hat forums, as much as people are still falling for these scams.

I am the Information Systems Coordinator of a financial institution so phishing is on my radar but every single example of it I have seen had some pretty obvious signs it was not kosher.
 
I think I'm going to change my password to HOTMAIL SUCKS.

A few months ago, someone other than me changed my password, all my personal info, etc. Ridiculous. They stink.
 

It might be that you had too easy a password or your password reset questions were too easy to guess. For example, "Tn%^87perNJ" is a good password, while using something like your name or an English word without numbers and symbols that can be dictionary attacked is not. Having easily guessable or socially engineer-able reset questions is also a problem. Oftentimes someone has enough information in their Facebook account to answer their 3 questions and reset their password. If the questions are something like in what city were you born, where did you go to high school, your mother's maiden name, or the name of your pet, the best strategy is not to answer correctly. So much of that kind of information can be found on message boards people visit or social pages they set up.

This particular breach was the result of phishing. Phishing, along with clickjacking, malicious scripts, DNS spoofing, having Bluetooth enabled on any phone that contains data, packet sniffing through unencrypted WiFi APs, and ARP poisoning, are all ways that people can get passwords and personal information, and all are easily avoidable. I could sit in a Starbucks with an open WiFi point and pull packets out of the air all day. If people use these kinds of things without taking simple precautions, like only entering personal information into SSL encrypted sites or using a VPN for sensitive information, they can get their information stolen with very simple to use available equipment.
 



Thanks, but I was really only kidding about that password ;)
 











