Microsoft Admits Phishing Attack Picked Up Hotmail Users' Details
Joseph F. Kovar
Microsoft wrote in a blog post on its Windows Live site that the customer data was exposed through a likely phishing scheme.
The hack was first reported Monday morning by the Neowin blog site.
In the post, which was attributed not to a specific individual but to the "Windows Live team," Microsoft wrote late Wednesday afternoon that it was taking measures to block access to all the accounts that were exposed.
Microsoft is also providing resources to help users reclaim their accounts.
Neowin reported that account details of users who sign in to Hotmail with hotmail.com, msn.com, and live.com addresses were posted online at a site used by developers to share code, and that copies of the list were posted in other locations.
The list contained at least 10,000 accounts whose names begin with the letters "A" and "B," which Neowin said suggests that there could be additional lists of users' accounts.
Microsoft, in its response, said that it has requested that the users' credentials be removed, and that it has launched an investigation into the potential customer impact of the breach.
The hack was not a breach of internal Microsoft data, the company wrote.
Microsoft also used its blog to warn users against phishing in general.
"Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software," Microsoft said.
Microsoft also told victims of a phishing scheme to update their account information and change their password right away, and gave a step-by-step list of things to do if one falls prey to a phishing attack.
On the Neowin blog, several readers responded to the story with a warning that phishing attacks are not a result of Web site security problems, but the result of user carelessness.
When one respondent, "DomZ," wrote that the attack seems like a massive security breach, another respondent, "Coth," wrote, "phishing is not a site security breach. it's an end user brain security breach. it's just stupid people opening spam mails to right and left, clicking on every link and entering their passwords on faked pages without checking the address." (sic)
Coth's response was echoed by "_dandy_," who gave an example of the kind of user activity that leads to successful phishing attacks.
"Twice now in the last month or so, I've had to explain to some of my acquaintances that a site that asks you for your Messenger credentials in order to have it show you who's got you marked as blocked is nothing but a login harvester," _dandy_ wrote.
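The reader comments above come down to one check: look at the address of the page that is asking for your password, and hand credentials to a "login harvester" only if that address really belongs to the service. The following example is added here and is not part of the article or of Microsoft's guidance; it shows how that check can be done programmatically. It extracts the host name from a URL and accepts it only if it is one of the sign-in domains the article names, or a subdomain of one. Matching on the host name rather than on the text of the URL defeats the common tricks of prefixing the real domain to an attacker's domain (`live.com.evil.example`) or hiding it in the user-info part of the URL (`live.com@evil.example`). The allow-list, the function names and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the Hotmail sign-in domains named in the article.
LEGITIMATE_DOMAINS = {"hotmail.com", "msn.com", "live.com"}


def host_of(url):
    """Return the lower-cased host name of a URL, or '' if there is none.

    urlsplit().hostname drops the scheme, any user:password@ prefix, the
    port and the path, so 'https://live.com@evil.example/' yields
    'evil.example', not 'live.com'.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_legitimate_login_host(url, allowed=LEGITIMATE_DOMAINS):
    """True only if the URL's host is an allowed domain or a subdomain of one.

    Suffix matching is anchored on a dot, so 'live.com.evil.example' and
    'xlive.com' are rejected while 'login.live.com' is accepted.
    """
    host = host_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(urls):
    """Map each URL to a verdict a user (or a mail filter) can act on."""
    return {
        u: "legitimate" if is_legitimate_login_host(u) else "suspicious"
        for u in urls
    }


# Constructed sample links of the kind a phishing mail or a
# "see who blocked you on Messenger" page might present.
SAMPLE_URLS = [
    "https://login.live.com/login.srf",            # real sign-in host
    "https://HOTMAIL.com/",                        # case differs, still real
    "http://live.com.evil.example/login",          # real domain used as a prefix
    "https://live.com@evil.example/",              # real domain hidden in user-info
    "https://evil.example/?next=hotmail.com",      # real domain only in the query
    "https://xlive.com/",                          # look-alike without a dot boundary
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:10s} {url}")
```

The allow-list approach is deliberately strict: a genuine sign-in page on a host not in the list is reported as suspicious, which is the safer failure for a credential prompt. Internationalised look-alike hosts are handled by the same rule, since their encoded form never equals an allowed domain.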
Another respondent, "+Iakobos," wrote that, while not all the accounts may have been real, users in general need to be careful. "I don't understand how people can be stupid enough to give their live details away to phishing scams," +Iakobos wrote.