San Francisco - The passwords to more than 10,000 Hotmail accounts have been compromised and posted online, Microsoft confirmed Monday in what appears to be one of the largest phishing schemes ever. The huge security breach was first reported by the website neowin.net, which said a list of the account details had been posted last week on pastebin.com, a forum used by software developers.
But while the initial report indicated a security breach at Hotmail's servers, Microsoft said that the sensitive data most likely emanated from a phishing scheme in which Hotmail users were tricked into entering their information in a bogus site.
"Over the weekend, Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme," Microsoft said in a statement.
"Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."
According to Neowin, the list was posted Friday at pastebin.com but has since been taken down. The site said it had seen parts of the list and that the accounts appeared to be genuine and mostly based in Europe. The list detailed accounts starting from A through B, suggesting that additional accounts may also have been compromised.
Exacerbating the threat is the fact that many people use the same log-on information for Hotmail and other online resources offered by Microsoft, which could expose sensitive information. Neowin recommended Hotmail users to change their password and security section immediately.
