10,000 Hotmail passwords mysteriously leaked to web

Login credentials for more than 10,000 Microsoft Live accounts have been posted to the internet, most likely by miscreants who found them or harvested them in a phishing attack. In all, there were 10,028 pairs of user names and passwords posted to multiple pages of public upload website Pastebin.com, some of which remained …

COMMENTS

This topic is closed for new posts.
  1. Andrew Bush
    Welcome

    Alphabet soup

    There would also be accounts which start with a number, natch. Plus, the use of letters within the alphabet is not distributed evenly.

    Hotmail is a hotbed of criminality. Orders from customers using a hotmail email address are assessed as being a higher fraud risk, as are those supplying a mobile phone number instead of a landline. It all adds up... Add in an alternative delivery address and you're glad to have VBV and MSC 'protection' even if it does scare the bejesus out of customers trying to pay with their new card for the first time.

  2. Camilla Smythe

    You should CoCoa

    Not that I have come across a website that asks, as part of its sign up process, if you want to import your e-mail contacts to it so as your mates can 'join in'.

    Ooooooo...

    Mu-Huh

    Login Name*

    MuHuh

    Login Password*

    MuHuh

    Thanks nicely we'll just be spamming all your contacts but, for the moment, that's a seriously impressive secure password you have just handed over to us. Tah......

    ..... bleh

  3. Anonymous Coward
    WTF?

    @Andrew Bush

    "Orders from customers using a hotmail email address are assessed as being a higher fraud risk, as are those supplying a mobile phone number instead of a landline."

    Hotmail accounts I can understand (although now it's moving to Gmail accounts instead), but mobile phone numbers...? That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?

  4. Anonymous Coward
    WTF?

    @ Anonymous Coward : 17.06

    "That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?"

    No fixed lines in Finland? Are they all on cable modems? No modems or ADSL?

  5. Anonymous Coward
    Anonymous Coward

    hotmail activity

    I recently had some password reset requests that I never initiated for a hotmail account I hardly ever use. I just ignored them.

  6. Anonymous Coward
    Anonymous Coward

    Serves them right

    Everyone has an account with an ISP. Everyone's account has at least one email address. Everyone can register a domain name.

    So why behave like a newb housewife and use Hotmail? I can understand people doing this back in 1998....

  7. Blain Hamon
    Coat

    Okay, I'll take a guess

    It's the words 'password' and '12345' repeated 10,000 times...

    Mine's the one with the login written on a post-it note.

  8. Andrew Bush
    FAIL

    @Anonymous Coward : 17.06

    Be my guest and dump your landline, but I'm telling you that it drags down your credit score and bumps up your fraud risk just as much as using a hotmail address for eCommerce transactions. Think about it for a minute, will you?

  9. Andrew Stevenson

    List of emails

    Is there a way to consult the list of compromised emails without also consulting the passwords?

    PasteBin seems to be unavailable from where I am ;)

    An account with an ISP, what a novel idea; what do you do when you change ISPs?

  10. Anonymous Coward
    FAIL

    re: Serves them right

    "Everyone has an account with an ISP. Everyone's account has at least one email address. Everyone can register a domain name."

    Really? And you enjoy moving your email address whenever you switch ISP? I moved away from that years ago, so much so that my ISP doesn't even offer email anymore. As for registering a domain name, yes I can (and have), but my mum sure as hell isn't going to.

    "So why behave like a newb housewife and use Hotmail? I can understand people doing this back in 1998...."

    Oh dear, let's try to not be too much of a douche about this one shall we? These people in 1998 that you forgive, any chance of them keeping that email address this long? I know I have. And the point of the story is IT'S NOT A HOTMAIL ISSUE

  11. Anonymous Coward
    Flame

    In (slightly) better news.

    Vista is being replaced this month, and with literally two weeks to go, I've finally worked out that it is Windows Defender that causes the network cards on my machines to crash, while copying files from one machine to another.

    Removing Defender, and Search, and less a dozen other services makes it run tolerably. (Mark you, they're only 4Gig Ram monsters of boxes.) Alas, being Acer's, the arcade deluxe BD player's gone tits up, just before I could watch Blu-rays without them stalling due to other processes coming in and hanging the box to see if I'm allowed to watch it.

    Will I get a Windows 7 box? Well Messrs Ballmer and Gates, the answer is the same as will I buy Office 2007 with that stupid as fvck interface? **

    No. I won't. I'm in the process of building super fast XP based hardware because despite loving microsoft at one time, I now fvcking hate them and spell their name with a lower case m. Until they remove all that stupid DRM crap, and make the VS IDE actually usable, I'll survive. I'm so fed up with some vanker at MS who at one time would have been a cleaner, having a say in what HCI should be because the government leans on big companies to take up the slack as far as unemployable single mothers are concerned. They should be in cleaning, the sex and food service industries, and journalism, not IT.

    ** Office 2007 - The product that even its writers admit will take 5 years to master if you use it one day a month (and have total recall to remember what you learned last time.)

  12. Matt 5
    FAIL

    RE: Serves them right

    Are you a total idiot?

    You really don't get why people would have a non-isp e-mail account?

    How about... portability? If you have a non-isp e-mail address you can change ISPs at a whim without losing your e-mail and having to keep telling people what your address is.

    How about privacy? Only give personal contacts your 'real' address and use your free account for posting on forums, and other logins.

    How about the simple fact that these passwords have most likely been stolen by means other than compromising hotmail servers? Pretty much no security system is immune to social engineering.

  13. Anonymous Coward
    Anonymous Coward

    Hotmail security breach

    My sister's hotmail account was compromised last week, and identical spam emails were sent out seemingly from her account. She was out the country at the time and it was the spam I received that alerted me to a possible issue. It obviously wasn't from her. I checked her mail and found failed delivery messages where this spam email had been sent to her address book contacts. I googled the spam email I'd had, as a first port of call. It was reported on the MSN help pages by someone who had had the same experience:

    http://windowslivehelp.com/community/t/121539.aspx

    I changed her password, and this afternoon she's had failed login attempt warnings, so her p/w was harvested before last Friday. It also isn't hotmail customers A - B, it's evidently a lot more than that and this started happening at least a week and a half ago.

    It's a shame there isn't more information on how this happened, assuming that anyone apart from the perpetrator knows. Maybe this info will help others trace what's happened.

  14. Danny 2

    Hotmail isn't changing passwords just now

    Manage your account

    * View and edit your personal information

    There's a temporary problem with the service. Please try again. If you continue to get this message, try again later

    It's been like that all day.

  15. Broccoli Spears
    WTF?

    @ AC re: In (slightly) better news

    "I'm so fed up with some vanker at MS who at one time would have been a cleaner, having a say in what HCI should be because the government leans on big companies to take up the slack as far as unemployable single mothers are concerned. They should be in cleaning, the sex and food service industries, and journalism, not IT"

    Aside from the utter irrelevance of your comment, it's hard to know where to start here.. Were you bullied at school? (And was it by girls?)

    At least you're showing them now eh, tiger? (that's with a lower case t)

  16. Anonymous Coward
    Joke

    OMG!

    All my porn subscriptions might be compromised!

    Panic!

  17. 3G

    You really don't get why people would have a non-isp e-mail account?

    "You really don't get why people would have a non-isp e-mail account?"

    I'd add to that:

    size: 1-3 gig of space

    accessible from everywhere

    better uptime and faster delivery than my ISP

    better spam filtering than my ISP

  18. number-g
    Paris Hilton

    saw a similar thing a few weeks ago

    my sister decided to google for her hotmail username (a family nickname, fairly unique) out of interest, and found her user:pass on a list of over 1000 (non alphabetical) accounts on pastebin.ca

    these were passwords from various uk-based isps and hotmail, etc. a common feature was that most of them were women, and a significant portion of the usernames and/or passwords had reference to things like tarot, astrology, feng shui, etc . . .

    my sister frequents (or used to) a few sites doing tarot readings and things like that, so i'm assuming one or more of them was/is responsible/compromised.

    about 60% of the 30 or so i tried allowed access to paypal.

    scary stuff!

  19. Anonymous Coward
    Anonymous Coward

    Another theory

    They created the accounts (over time) *and* leaked them.

    Bad headlines for MS, no crime committed.

    Muahahahaaha!

  20. Neal 5

    Excuse my ignorance.

    What is Hotmail?

  21. Anonymous Coward
    FAIL

    Phew, at least it doesn't affect FaceFarce

    Oh wait....

  22. Anonymous Coward
    Pint

    Hotmail has always been a bit naff

    Why is Hotmail?!

    Always been a pointless mail service. It was useful for one thing at one time, signing up to info sites and downloading demos. Then most sensible websites cottoned on to the fact that you can't trust Hotmail accounts and now hardly any websites accept Hotmail addresses.

    You can get yourself a personal domain for as little as a fiver and some places will give you unlimited POP accounts with webmail interfaces, Freeparking being just one domain name seller. Most places will help newbs to get their email accounts setup on custom domains.

    ISP email is pointless unless you're like my old man and only know about 5 people online. Uses an ISP for 1-2 years then changes, in the process binning all the spam and junk senders he's collected for the previous 12 months!

  23. TeeCee Gold badge
    Coat

    Re: Excuse my ignorance.

    It's something a bit like a webmail service, only less reliable.

  24. Mostor Astrakan

    Email as the key to your bank account...

    Much as it pains me to say so, this is probably not a Hotmail issue per se. It means that there's a large number of people out there whose accounts have been compromised by keyloggers and similar cruft.

    I wonder how many of those email addresses are set up as the recipients for password change requests, and whether *those* passwords would allow unscrupulous individuals to make payments of some sort.

  25. DrunkenMessiah
    FAIL

    @number-g

    Well that explains it then. It's probably been because people have used the same password to sign up for less than reputable sites that they have for access to their hotmail. Idiots.

    Also, @Neal 5 - No, no I will not forgive that level of ignorance.

  26. Anonymous Coward
    FAIL

    @Serves them right....

    ....

    Let's see, I've had my hotmail (and yahoo) accounts for 10 years plus.

    In that time, I've had

    Compuserve

    Demon

    Freeserve

    Blueyonder

    Orange

    O2

    So it's better to use an ISP one, is it? Let's see, one hotmail account or 6 ISP accounts. Oh, let's not forget the login page.

    Hotmail.com

    Not something random like, Blueyonder/mail/anoncoward. Oh hold now it's ntltelewest/blueyonder/email/Login?anoncoward ooops bought out again....Virgin/blueyonderewhatyouwant your%20old%20emailmail/anon..oh hold bought out again.......

    But of course I could have a domain name, but I still have to set up forwarding (why have hosted email, no different to Hotmail), oh and pay for the service, then set up an email client to download it...unless I want to go through the trauma of above.

    To quote "you Sir, are an arse"

  27. Nuno trancoso
    Pirate

    Just starting....

    Did anyone think of the possible side effect?

    If (there was a phishing/logging attack AND some accounts got pwned AND details were disclosed to public AND it's all over the news)

    {

    Cue in even BIGGER phishing/logging attack. // Backed by 100x more ppl now genuinely scared because they read some news about something they don't have a clue about (or got told by someone even more clueless than them...)

    }

    Boy oh boy, can I see next week's headlines... "Millions pwned by phishing attack fueled by scaremongering and poor information".

  28. Anonymous Coward
    Grenade

    @Neal 5

    No I won't excuse your ignorance. Idiot.

  29. Anonymous Coward
    Anonymous Coward

    Re:Serves them right

    Because I don't want to be locked in to someone I pay money to, you fucking idiot.

  30. jodyfanning
    Boffin

    @Anonymous Coward and @Andrew Bush

    The local phone company in Finland connected up our house to a landline for free in 2004, but we have never, ever had a landline phone. It is used for ADSL only.

    Mobile usage in Finland is well over 100% now (many people have multiple subscriptions). So if some idiots want to base credit ratings on mobile usage they can go ahead, but they are only screwing themselves.

    And I always use my Hotmail account when registering for sites unless I really trust them. And The Reg doesn't fall into that category.

  31. Ole Juul

    Is this for real?

    It seems entirely possible that someone just generated a list of likely sounding Hotmail names and passwords. The article makes no mention of these accounts being checked.

  32. Adam Salisbury
    Thumb Down

    @ AC 18:15

    I'd rather Hotmail than Virgin Media's temperamental offering

  33. RichyS
    Coat

    @number-g

    You'd have thought your sister would have seen this coming.

    (c) Jimmy Carr (probably) 1998.

    I've already got my coat on. Thanks for coming. You've been a lovely audience...

  34. Anonymous Coward
    Flame

    <title required>

    "Then most sensible websites cottoned on to the fact that you can't trust Hotmail accounts and now hardly any websites accept Hotmail addresses."

    Utter utter bollocks. I have *never* found a website that refused to let me sign up using my hotmail account (and I've signed up to 100s of sites, ecommerce, news, forums, game beta signups etc). One or two went into an enhanced verification mode which they stated they did for all free webmail providers.

    As for other people suggesting using an ISP email account is a good idea or that the average person should register a domain name, you are idiots, that is all.

    I've had my account since shortly after hotmail started, I've never been hacked. For a free service the reliability has been good (the number of times I've been unable to access my mail is a small fraction of 1 percent). The people I know that have been hacked are generally the idiots (typically ones that send on chain mail hoaxes) and likely have a machine infested with spyware, or use their hotmail password every time they sign up to a random site using their hotmail address (clever that...).

  35. Anonymous Coward
    Anonymous Coward

    Hotmail

    Works well for me. Had it over 10 years, never been compromised to any degree that I've noticed, I use it for all my emailings except company related where I use whatever mail system the company I am working for provides. I am quite happy with it, and quite happy that I don't have any fuss when I change ISP and I don't have to pay for a domain that would likely be less secure than Hotmail anyway.

  36. Anonymous Coward
    Black Helicopters

    Just say..

    Just say it, 4chan's business as usual.

  37. Bilgepipe
    Pint

    Handy List

    This makes a handy list of people daft enough to fall for a phishing scam, if nothing else.

  38. Anonymous Coward
    WTF?

    @ jodyfanning @Andrew Bush

    "That may be true of countries only now entering the 20th century, such as the UK, but in Finland the only people who have landline numbers are companies and people over 50. Mobile numbers and nothing else are the norm here and in many other countries. Where does that leave us?"

    "The local phone company in Finland connected up our house to a landline for free in 2004, but we have never, ever had a landline phone. It is used for ADSL only."

    So the UK is only now entering the 20th century but pre 2004 no one in Finland had a phone line? What about pre general mobile usage, which was only 10-ish years ago, carrier pigeons for all?

  39. Anonymous Coward
    FAIL

    @ jodyfanning

    Mobile usage in Finland is well over 100% now (many people have multiple subscriptions).

    Even if everyone had twenty mobiles each usage still wouldn't be over 100% would it now? ;)

  40. Anonymous Coward
    Happy

    Well, since no-one else has said this...

    "All your Hotmail are belong to us...somebody set us up the phishing..."

  41. ContentsMayVary

    It's not just hotmail accounts...

    Of course it's not just hotmail accounts. Only a n00b would think otherwise.

    http://news.bbc.co.uk/1/hi/technology/8292299.stm

  42. Stu 3

    Why the Hatemail for Hotmail?

    I'll co-sign other commenters here: had Hotmail for over 10 years (in that time I've lived at 8 addresses and had many ISP's) and never had a problem. Easy, portable and doesn't cost a penny.

  43. Anonymous Coward
    Thumb Down

    I'd put money on this being ...

    A couple of months ago, received an IM through MSN Messenger with the following message:

    lol girls vs girls 8-| .. hahaha .. nice site .. check it out http://You-Looked-Crazy.com/

    Obviously spam but happened to be working on a sandbox vm and it was a slow day so thought I'd see what the latest sh*t doing the rounds was before telling her someone had compromised her account.

    Took me to a page that just asked me for my user|pass. Actually had terms and conditions too that said they would use the data for whatever they felt like which was quite amusing.

    If this is what's generated the list, anyone on there is a victim of their own stupidity.

    Anonymous as I've just called at least 1 friend stupid....

  44. This post has been deleted by its author

  45. Steven Hollis
    Paris Hilton

    Google is your friend...

    So first off it's a good idea to google your own email address. This will confirm if you're on a published list!

    To see if others are, the cached pages of the following google search terms reveal all.

    pastebin yahoo

    or

    pastebin aol

    etc etc

    Paris.. Because she always losing her password.

  46. Wize

    @AC 07:41

    You are spot on. A non-isp address has its many advantages, like not being tied to them, and not having to change your subscriptions to any site every time you change provider.

    I've been back to a number of sites I've forgotten over the years, got them to reset my forgotten password via email and continue on them.

    Even when you don't change provider, you can't always take them with you. Take AOL with its screen names. Kid leaves home and wants to take their name with them, AOL can't help. It's attached to the parent's account and even with permission from all, it can't be transferred.

    People I've not emailed for years can still find me, although that's not always a good thing. And I don't have to spend a few hours trying to get an email address that's not full of numbers.

    As for creating your own domain and having your email address on that, that can be painful too with the added downside of costing more cash.

  47. Anonymous Coward
    Flame

    @Serves them right.... AC 18:15

    It doesn't take much more than a fleeting thought to think of numerous reasons that people might want to use free Hotmail rather than their ISP's offerings or go to the trouble of paying for / registering a domain name and paying for or even hosting your own email, so why comment like a complete arse face - go and wipe your mouth, there is shit dribbling from it.

  48. Bruce 9
    Pirate

    30,000 Gmail passwords too

    GMAIL - insecure by design.

    http://www.pcmag.com/article2/0,2817,2353820,00.asp

  49. Christopher W
    Paris Hilton

    @ "You really don't get why people would have a non-isp e-mail account?"

    Three good reasons for not having a freetard email account:

    1) you get to choose your own domain name

    2) For ca. £20 a year you can have as much diskspace as Google/Microsoft/Yahoo et al offer, within reason (why would you store gigs of emails online anyway?!)

    3) You don't look like a retard when dealing with companies or other people - "oh yeah, my email address is 2_funky_4_u_1983@hotmail.com" "... and you're the boss of your business are you?"

    Particularly whenever you use email for business use, there's no excuse to not have your own domain. Being emailed by PR agents or tour managers from a Yahoo address is HIGHLY amateur.

    Plus, 4) (kinda) - security through obscurity. Aside from all the other benefits (disposable forwarders, multiple POP3 inboxes etc), there's much less chance of being preyed upon for having a less-than-strong password if your email is all on your own domain. Script kiddies will hammer wordlists to try and get into as many free email accounts as possible, but I've never seen that happen to any of my own, private, paid for email addresses.

    Even my technophobe mother has her own email address on her own domain name!

    Paris, because her login portal's been hammered a few times
