More than 10,000 user names and passwords for Hotmail and other Microsoft services were anonymously posted over the weekend at a free site for programmers, it was reported Monday, prompting security experts to recommend that users change their passwords.
Microsoft said it was investigating the posting to a coding site called pastebin.com, which hinted at a much bigger password collection: according to tech news site Neowin.net, the account names all started with A or B.
The company said it got the data removed and was “working to help customers regain control of their accounts.” It said the information was compiled as the result of a phishing scheme, in which users are tricked into giving up personal information.
Hacked email accounts have lower value in underground commerce than do banking logins. But they can be useful to criminals as a tool for getting additional access to financial or other sensitive data. Reading old mail can turn up log-in information for corporate accounts, as Twitter learned, and it can lead to social networks.
Compromised social network accounts, in turn, are more effective at inducing connected individuals to click on malicious links that install software for stealing all data entered on those people's machines.
It remains unclear why someone would post a password list for free, instead of trying to sell it on an online forum. But compromised credit card numbers are often “dumped” in such a manner, spreading the fraud around and muddying the waters for investigators trying to sort out who first misused a set of accounts.

