
10,000 Hotmail passwords mysteriously leaked to web

Login credentials for more than 10,000 Microsoft Live accounts have been posted to the internet, most likely by miscreants who found them or harvested them in a phishing attack. In all, there were 10,028 pairs of user names and passwords posted to multiple pages of public upload website Pastebin.com, some of which remained live …

COMMENTS

This topic is closed for new posts.

Alphabet soup

There would also be accounts which start with a number, natch. Plus, the use of letters within the alphabet is not distributed evenly.

Hotmail is a hotbed of criminality. Orders from customers using a hotmail email address are assessed as being a higher fraud risk, as are those supplying a mobile phone number instead of a landline. It all adds up... Add in an alternative delivery address and you're glad to have VBV and MSC 'protection' even if it does scare the bejesus out of customers trying to pay with their new card for the first time.

0
0

You should CoCoa

Not that I have come across a website that asks, as part of its sign up process, if you want to import your e-mail contacts to it so as your mates can 'join in'.

Ooooooo...

Mu-Huh

Login Name*

MuHuh

Login Password*

MuHuh

Thanks nicely we'll just be spamming all your contacts but, for the moment, that's a seriously impressive secure password you have just handed over to us. Tah......

..... bleh

0
0
WTF?

@Andrew Bush

"Orders from customers using a hotmail email address are assessed as being a higher fraud risk, as are those supplying a mobile phone number instead of a landline."

Hotmail accounts I can understand (although now it's moving to Gmail accounts instead), but mobile phone numbers...? That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?

0
0
WTF?

@ Anonymous Coward : 17.06

"That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?"

No fixed lines in Finland? Are they all on cable modems? No modems or ADSL?

0
0
Anonymous Coward

hotmail activity

I recently had some password reset requests that I never initiated for a hotmail account I hardly ever use. I just ignored them.

0
0
Anonymous Coward

Serves them right

Everyone has an account with an ISP. Everyone's account has at least one email address. Everyone can register a domain name.

So why behave like a newb housewife and use Hotmail? I can understand people doing this back in 1998....

0
0
Coat

Okay, I'll take a guess

It's the words 'password' and '12345' repeated 10,000 times...

Mine's the one with the login written on a post-it note.

0
0
FAIL

@Anonymous Coward : 17.06

Be my guest and dump your landline, but I'm telling you that it drags down your credit score and bumps up your fraud risk just as much as using a hotmail address for eCommerce transactions. Think about it for a minute will you?

0
0

List of emails

Is there a way to consult the list of compromised emails without also consulting the passwords?

PasteBin seems to be unavailable from where I am ;)

An account with an ISP, what a novel idea; what do you do when you change ISPs?

0
0
FAIL

re: Serves them right

"Everyone has an account with an ISP. Everyone's account has at least one email address. Everyone can register a domain name."

Really? And you enjoy moving your email address whenever you switch ISP? I moved away from that years ago, so much so that my ISP doesn't even offer email anymore. As for registering a domain name, yes I can (and have), but my mum sure as hell isn't going to.

"So why behave like a newb housewife and use Hotmail? I can understand people doing this back in 1998...."

Oh dear, let's try to not be too much of a douche about this one shall we? These people in 1998 that you forgive, any chance of them keeping that email address this long? I know I have. And the point of the story is IT'S NOT A HOTMAIL ISSUE

0
0
Flame

In (slightly) better news.

Vista is being replaced this month, and with literally two weeks to go, I've finally worked out that it is Windows Defender that causes the network cards on my machines to crash, while copying files from one machine to another.

Removing Defender, and Search, and less a dozen other services makes it run tolerably. (Mark you, they're only 4Gig Ram monsters of boxes.) Alas, being Acers, the arcade deluxe BD player's gone tits up, just before I could watch Blu-rays without them stalling due to other processes coming in and hanging the box to see if I'm allowed to watch it.

Will I get a Windows 7 box? Well Messrs Ballmer and Gates, the answer is the same as will I buy Office 2007 with that stupid as fvck interface? **

No. I won't. I'm in the process of building super fast XP based hardware because despite loving microsoft at one time, I now fvcking hate them and spell their name with a lower case m. Until they remove all that stupid DRM crap, and make the VS IDE actually usable, I'll survive. I'm so fed up with some vanker at MS who at one time would have been a cleaner, having a say in what HCI should be because the government leans on big companies to take up the slack as far as unemployable single mothers are concerned. They should be in cleaning, the sex and food service industries, and journalism, not IT.

** Office 2007 - The product that even its writers admit will take 5 years to master if you use it one day a month (and have total recall to remember what you learned last time.)

0
0
FAIL

RE: Serves them right

Are you a total idiot?

You really don't get why people would have a non-isp e-mail account?

How about... portability? If you have a non-isp e-mail address you can change ISPs at a whim without losing your e-mail and having to keep telling people what your address is.

How about privacy? Only give personal contacts your 'real' address and use your free account for posting on forums, and other logins.

How about the simple fact that these passwords have most likely been stolen by means other than compromising hotmail servers? Pretty much no security system is immune to social engineering.

0
0
Anonymous Coward

Hotmail security breach

My sister's hotmail account was compromised last week, and identical spam emails were sent out seemingly from her account. She was out the country at the time and it was the spam I received that alerted me to a possible issue. It obviously wasn't from her. I checked her mail and found failed delivery messages where this spam email had been sent to her address book contacts. I googled the spam email I'd had, as a first port of call. It was reported on the MSN help pages by someone who had had the same experience:

http://windowslivehelp.com/community/t/121539.aspx

I changed her password, and this afternoon she's had failed login attempt warnings, so her p/w was harvested before last Friday. It also isn't hotmail customers A - B, it's evidently a lot more than that and this started happening at least a week and a half ago.

It's a shame there isn't more information on how this happened, assuming that anyone apart from the perpetrator knows. Maybe this info will help others trace what's happened.

0
0

Hotmail isn't changing passwords just now

Manage your account

* View and edit your personal information

There's a temporary problem with the service. Please try again. If you continue to get this message, try again later

It's been like that all day.

0
0
WTF?

@ AC re: In (slightly) better news

"I'm so fed up with some vanker at MS who at one time would have been a cleaner, having a say in what HCI should be because the government leans on big companies to take up the slack as far as unemployable single mothers are concerned. They should be in cleaning, the sex and food service industries, and journalism, not IT"

Aside from the utter irrelevance of your comment, it's hard to know where to start here.. Were you bullied at school? (And was it by girls?)

At least you're showing them now eh, tiger? (that's with a lower case t)

0
0
Joke

OMG!

All my porn subscriptions might be compromised!

Panic!

0
0
3G

You really don't get why people would have a non-isp e-mail account?

You really don't get why people would have a non-isp e-mail account?

I'd add to that:

size: 1-3 gig of space

accessible from everywhere

better uptime and faster delivery than my ISP

better spam filtering than my ISP

0
0
Paris Hilton

saw a similar thing a few weeks ago

my sister decided to google for her hotmail username (a family nickname, fairly unique) out of interest, and found her user:pass on a list of over 1000 (non alphabetical) accounts on pastebin.ca

these were passwords from various uk-based isps and hotmail, etc. a common feature was that most of them were women, and a significant portion of the usernames and/or passwords had reference to things like tarot, astrology, feng shui, etc . . .

my sister frequents (or used to) a few sites doing tarot readings and things like that, so i'm assuming one or more of them was/is responsible/compromised.

about 60% of the 30 or so i tried allowed access to paypal.

scary stuff!

0
0
Anonymous Coward

Another theory

They created the accounts (over time) *and* leaked them.

Bad headlines for MS, no crime committed.

Muahahahaaha!

0
0

Excuse my ignorance.

What is Hotmail?

0
0
FAIL

Phew, at least it doesn't affect FaceFarce

Oh wait....

0
0
Pint

Hotmail has always been a bit naff

Why is Hotmail?!

Always been a pointless mail service. It was useful for one thing at one time, signing up to info sites and downloading demos. Then most sensible websites cottoned on to the fact that you can't trust Hotmail accounts and now hardly any websites accept Hotmail addresses.

You can get yourself a personal domain for as little as a fiver and some places will give you unlimited POP accounts with webmail interfaces, Freeparking being just one domain name seller. Most places will help newbs to get their email accounts set up on custom domains.

ISP email is pointless unless you're like my old man and only know about 5 people online. Uses an ISP for 1-2 years then changes, in the process binning all the spam and junk senders he's collected for the previous 12 months!

0
0
Gold badge
Coat

Re: Excuse my ignorance.

It's something a bit like a webmail service, only less reliable.

0
0

Email as the key to your bank account...

Much as it pains me to say so, this is probably not a Hotmail issue per se. It means that there's a large number of people out there whose accounts have been compromised by keyloggers and similar cruft.

I wonder how many of those email addresses are set up as the recipients for password change requests, and whether *those* passwords would allow unscrupulous individuals to make payments of some sort.

0
0
FAIL

@number-g

Well that explains it then. It's probably been because people have used the same password to sign up for less than reputable sites that they have for access to their hotmail. Idiots.

Also, @Neal 5 - No, no I will not forgive that level of ignorance.

0
0
FAIL

@Serves them right....

....

Let's see, I've had my hotmail (and yahoo) accounts for 10 years plus.

In that time, I've had

Compuserve

Demon

Freeserve

Blueyonder

Orange

O2

So it's better to use an ISP one, is it? Let's see, one hotmail account or 6 ISP accounts. Oh, let's not forget the login page.

Hotmail.com

Not something random like, Blueyonder/mail/anoncoward. Oh hold now it's ntltelewest/blueyonder/email/Login?anoncoward ooops bought out again....Virgin/blueyonderewhatyouwant your%20old%20emailmail/anon..oh hold bought out again.......

But of course I could have a domain name, but then still have to set up forwarding (why have hosted email, no different to Hotmail), oh and pay for the service, then set up an email client to download it...unless I want to go through the trauma of above.

To quote "you Sir, are an arse"

0
0
Pirate

Just starting....

Did anyone think of the possible side effect?

If (there was a phishing/logging attack AND some accounts got pwned AND details were disclosed to public AND it's all over the news)

{

Cue in even BIGGER phishing/logging attack. // Backed by 100x more ppl now genuinely scared because they read some news about something they don't have a clue about (or got told by someone even more clueless than them)...

}

Boy oh boy, can I see next week's headlines... "Millions pwned by phishing attack fueled by scaremongering and poor information".

0
0
Grenade

@Neal 5

No I won't excuse your ignorance. Idiot.

0
0
Anonymous Coward

Re:Serves them right

Because I don't want to be locked in to someone I pay money to, you fucking idiot.

0
0
Boffin

@Anonymous Coward and @Andrew Bush

The local phone company in Finland connected up our house to a landline for free in 2004, but we have never, ever had a landline phone. It is used for ADSL only.

Mobile usage in Finland is well over 100% now (many people have multiple subscriptions). So if some idiots want to base credit ratings on mobile usage they can go ahead, but they are only screwing themselves.

And I always use my Hotmail account when registering for sites unless I really trust them. And The Reg doesn't fall into that category.

0
0
Silver badge

Is this for real?

It seems entirely possible that someone just generated a list of likely sounding Hotmail names and passwords. The article makes no mention of these accounts being checked.

0
0
Thumb Down

@ AC 18:15

I'd rather Hotmail than Virgin Media's temperamental offering

0
0
Coat

@number-g

You'd have thought your sister would have seen this coming.

(c) Jimmy Carr (probably) 1998.

I've already got my coat on. Thanks for coming. You've been a lovely audience...

0
0
Flame

<title required>

"Then most sensible websites cottoned on to the fact that you can't trust Hotmail accounts and now hardly any websites accept Hotmail addresses."

Utter utter bollocks. I have *never* found a website that refused to let me sign up using my hotmail account (and I've signed up to 100s of sites, ecommerce, news, forums, game beta signups etc). One or two went into an enhanced verification mode which they stated they did for all free webmail providers.

As for other people suggesting using an ISP email account is a good idea or that the average person should register a domain name, you are idiots, that is all.

I've had my account since shortly after hotmail started, I've never been hacked. For a free service the reliability has been good (the number of times I've been unable to access my mail is a small fraction of 1 percent). The people I know that have been hacked are generally the idiots (typically ones that send on chain mail hoaxes) and likely have a machine infested with spyware, or use their hotmail password every time they sign up to a random site using their hotmail address (clever that...).

0
0
Anonymous Coward

Hotmail

Works well for me. Had it over 10 years, never been compromised to any degree that I've noticed, I use it for all my emailings except company related where I use whatever mail system the company I am working for provides. I am quite happy with it, and quite happy that I don't have any fuss when I change ISP and I don't have to pay for a domain that would likely be less secure than Hotmail anyway.

0
0
Black Helicopters

Just say..

Just say it, 4chan's business as usual.

0
0
Pint

Handy List

This makes a handy list of people daft enough to fall for a phishing scam, if nothing else.

0
0
WTF?

@ jodyfanning @Andrew Bush

"That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?"

"The local phone company in Finland connected up our house to a landline for free in 2004, but we have never, ever had a landline phone. It is used for ADSL only."

So the U.K is only now entering the 20th century but pre 2004 no one in Finland had a phone line? What about pre general mobile usage which was only 10 ish years ago, carrier pigeons for all?

0
0
FAIL

@ jodyfanning

Mobile usage in Finland is well over 100% now (many people have multiple subscriptions).

Even if everyone had twenty mobiles each usage still wouldn't be over 100% would it now? ;)

0
0
Happy

Well, since no-one else has said this...

"All your Hotmail are belong to us...somebody set us up the phishing..."

0
0

It's not just hotmail accounts...

Of course it's not just hotmail accounts. Only a n00b would think otherwise.

http://news.bbc.co.uk/1/hi/technology/8292299.stm

0
0

Why the Hatemail for Hotmail?

I'll co-sign other commenters here: had Hotmail for over 10 years (in that time I've lived at 8 addresses and had many ISPs) and never had a problem. Easy, portable and doesn't cost a penny.

0
0
Thumb Down

I'd put money on this being ...

A couple of months ago, received an IM through MSN Messenger with the following message:

lol girls vs girls 8-| .. hahaha .. nice site .. check it out http://You-Looked-Crazy.com/

Obviously spam but happened to be working on a sandbox vm and it was a slow day so thought I'd see what the latest sh*t doing the rounds was before telling her someone had compromised her account.

Took me to a page that just asked me for my user|pass. Actually had terms and conditions too that said they would use the data for whatever they felt like which was quite amusing.

If this is what's generated the list, anyone on there is a victim of their own stupidity.

Anonymous as I've just called at least 1 friend stupid....

0
0
WTF?

I don't see what all the fuss is about

We know that phishing goes on, right?

We know that people fall for it.

We know that the bad guys keep all the logins that they harvest.

We know they have routines for testing the logins they harvest and keep the 'good' ones

So just because they publish 10,000 of them to prove their point. I think the only thing we learn from this is that some of them have egos and needed some attention? We knew that anyway.

I don't see why everyone is acting so surprised?

0
0
Paris Hilton

Google is your friend...

So first off it's a good idea to google your own email address. This will confirm if you're on a published list!

To see if others are, the cached pages of the following google search terms reveal all.

pastebin yahoo

or

pastebin aol

etc etc

Paris.. Because she's always losing her password.

0
0
Silver badge

@AC 07:41

You are spot on. A non-isp address has its many advantages, like not being tied to them, like not having to change your subscriptions to any site every time you change provider.

I've been back to a number of sites I've forgotten over the years, got them to reset my forgotten password via email and continue on them.

Even when you don't change provider, you can't always take them with you. Take AOL with its screen names. Kid leaves home and wants to take their name with them, AOL can't help. It's attached to the parent's account and even with permission from all, it can't be transferred.

People I've not emailed for years can still find me, although that's not always a good thing. And I don't have to spend a few hours trying to get an email address that's not full of numbers.

As for creating your own domain and having your email address on that, can be painful too with the added downside of costing more cash.

0
0
Flame

@Serves them right.... AC 18:15

It doesn't take much more than a fleeting thought to think of numerous reasons that people might want to use free Hotmail rather than their ISP's offerings or go to the trouble of paying for / registering a domain name and paying for or even hosting your own email, so why comment like a complete arse face - go and wipe your mouth, there is shit dribbling from it.

0
0
Pirate

30,000 Gmail passwords too

GMAIL - insecure by design.

http://www.pcmag.com/article2/0,2817,2353820,00.asp

0
0
Paris Hilton

@ "You really don't get why people would have a non-isp e-mail account?"

Three good reasons for not having a freetard email account:

1) you get to choose your own domain name

2) For ca. £20 a year you can have as much diskspace as Google/Microsoft/Yahoo et al offer, within reason (why would you store gigs of emails online anyway?!)

3) You don't look like a retard when dealing with companies or other people - "oh yeah, my email address is 2_funky_4_u_1983@hotmail.com" "... and you're the boss of your business are you?"

Particularly whenever you use email for business use, there's no excuse to not have your own domain. Being emailed by PR agents or tour managers from a Yahoo address is HIGHLY amateur.

Plus, 4) (kinda) - security through obscurity. Aside from all the other benefits (disposable forwarders, multiple POP3 inboxes etc), there's much less chance of being preyed upon for having a less-than-strong password if your email is all on your own domain. Script kiddies will hammer wordlists to try and get into as many free email accounts as possible, but I've never seen that happen to any of my own, private, paid for email addresses.

Even my technophobe mother has her own email address on her own domain name!

Paris, because her login portal's been hammered a few times

0
0