October 5, 2009 -- More than 10,000 usernames and passwords for Windows Live Hotmail accounts were leaked online late last week, according to a report by Neowin.net, which claimed that they were posted by an anonymous user on pastebin.com last Thursday. The post has since been taken down. Neowin reported that it had seen part of the list. "Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe," said the site. "The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists."
Hotmail usernames and passwords are often used for more than logging into Microsoft's online e-mail service, however. Many people log onto a wide range of Microsoft's online properties -- including the trial version of the company's Web-based Office applications, the Connect beta test site and the Skydrive online storage service -- with their Hotmail passwords. It was unknown how the usernames and passwords were obtained, but Neowin speculated that they were the result of either a hack of Hotmail or a massive phishing attack that had tricked users into divulging their log-on information. Accounts with domains of @hotmail.com, @msn.com and @live.com were included in the list.
Microsoft representatives in the U.S. were not immediately able to confirm Neowin's account, or answer questions, including how the usernames and passwords were acquired. The BBC, however, reported early Monday that Microsoft U.K. is aware of the report that account information had been available on the Web, and said it's "actively investigating the situation and will take appropriate steps as rapidly as possible." If Neowin's account is accurate, the Hotmail hack or phishing attack would be one of the largest suffered by a Web-based e-mail service.
Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin's Yahoo Mail account in the run-up to the U.S. presidential election. Palin, the Republican vice presidential nominee at the time, lost control of her personal account when someone identified only as "rubico" reset her password after guessing answers to several security questions. David Kernell was charged with a single count of accessing a computer without authorization by a federal grand jury last October. Kernell's case is ongoing. Shortly after the Palin account hijack, Computerworld confirmed that the automated password-reset mechanisms used by Hotmail, Yahoo Mail and Google's Gmail could be abused by anyone who knew an account's username and could answer a single security question.
-
5th October 2009 17:42 #1
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
Hotmail, Gmail, AOL and Yahoo email passwords hacked, accounts at risk
-
5th October 2009 18:07 #2
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
October 5, 2009 -- Users of that hoary old web mail service Hotmail have a new reason to regret their devotion: Over the weekend, thousands of user names and passwords from the service were posted on a data-sharing service called Pastebin, with potentially hundreds of thousands of additional users at risk. Over 10,000 accounts on Hotmail (still the largest web-based email service in the world) are immediately known to be affected.
That's actually a very small figure in comparison to the vast number of Hotmail users out there, but the list of hacked accounts (it has since been removed from the Pastebin site) reportedly began with the letter A or B and were listed alphabetically. That might indicate that only a small subset of the total number of hacked accounts were posted online, and that the account information for those beginning with letters C through Z may have been posted elsewhere or is simply being traded privately for now. Impacted accounts involve all of Microsoft's most commonly-used domains: hotmail.com, msn.com, and live.com.
Microsoft confirms that the list is not a hoax and that the account details are genuine. Most seem to involve users residing in Europe, but the company had no information on how the accounts might have been compromised, or whether a security flaw on the Hotmail website was responsible. Poor password selection or an insecure third-party website to which users had provided login information may also be the culprits here.
Naturally, all Hotmail users are advised to change their password and any password-recovery security questions immediately.
-
5th October 2009 20:59 #3
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
October 5, 2009 -- Neowin.net has reported regarding a possible Windows Live Hotmail “hack” or phishing scheme where password details of thousands of Hotmail accounts have been posted online. An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but according to Neowin, the accounts are genuine and most appear to be based in Europe. The list details over 10,033 accounts starting from A through to B, suggesting this is only a part of a bigger list. Currently it appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted, this includes @hotmail.com, @msn.com and @live.com accounts. Some accounts are from @hotmail.fr, @live.it, a few from @yahoo.es. Neowin has reported this immediately to Microsoft’s Security Response Center and to Microsoft’s PR teams in the UK and US and we are currently awaiting feedback on the situation. As this is a breaking story, updates by Neowin can be found here. If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately. According to Neowin, Microsoft has fully confirmed their initial reports. According to a Microsoft spokesperson “over the weekend Microsoft learned that several thousand Windows Live Hotmail customer’s credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”
Unfortunately, according to our check, the list can still be found in Google’s cache, here is the screenshot:

Google has already been contacted by CyberInsecure in order to remove the cached page from search results.
UPDATE: Google removed cached page after about 3 hours.
-
5th October 2009 21:40 #4
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
Microsoft has confirmed that the accounts of thousands of people on the Hotmail email service were compromised in a large-scale hacking operation.
BBC News has seen a list of more than 10,000 email accounts, including the passwords for these accounts, published on the internet.
Microsoft, which owns the free email service, announced that it has launched an investigation into the matter.
It is worth noting that hacking through fake sites that imitate well-known websites catches their visitors when they enter their username and password.
A Microsoft spokesperson said the company is aware that "the confidential information of a number of Windows Live Hotmail users was obtained illegally and published on a website".
As soon as it learned of this, Microsoft said, it requested that the information be removed from the internet and launched an investigation into the extent of the impact on the company's customers.
Meanwhile, Graham Cluley, a consultant at the security firm Sophos, told the BBC that the published list may be part of another, longer list containing more names.
He added: "We do not yet know the scale of the problem."
The site neowin.net was the first to publish details of the hack, saying that the list of names was first posted on October 1 on pastebin.com, a site used by software developers to share their expertise.
Although the list has been removed from the internet, BBC News has seen more than 10,000 names beginning with the letters A and B.
The BBC confirmed that the accounts are genuine and that a large proportion of them belong to people in Europe.
Information security experts advised Hotmail users to change their passwords.
Hotmail is the largest provider of free email service on the internet in the world.
-
5th October 2009 22:15 #5
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
Monday, October 5, 2009 -- A hacking or phishing attack targeting Windows Live Hotmail has affected a large number of users: some ten thousand passwords giving access to their Hotmail accounts have been disclosed on the Web. The site Neowin was the first to be informed. Its journalists say the list of passwords was added on October 1 and published as a post on the developer forum Pastebin.com; the list has reportedly now been removed. Neowin claims that the Windows Live Hotmail email addresses were valid and that the majority of them belong to European users. In addition, the hacked email addresses in the original list began with the letters "a" and "b" and were followed by:
- @hotmail.com
- @msn.com
- @live.com
Nevertheless, other lists may have been published on other sites, and they could include Windows Live Hotmail users in America. Microsoft has not yet confirmed the existence of a security flaw, but the company indicated today that it is aware of the matter and is trying to resolve the problem. Microsoft suggests that users take no risks and change their password and security question as soon as possible.
-
6th October 2009 14:47 #6
Super Moderator
- Join Date
- Jan 2006
- Posts
- 289,392
October 6, 2009 -- The theft of thousands of passwords to online email services is now known to include account details for all major e-mail providers, including Hotmail, Gmail, Yahoo and AOL. Full details of over 10,000 e-mail accounts were published on a specialist website for developers on October 1. As reported yesterday, the list was believed to comprise Microsoft Hotmail accounts, but it has since emerged that users of other e-mail services, such as Google’s Gmail, may also have had their passwords stolen. Microsoft is investigating how a hacker apparently accessed more than 10,000 accounts with addresses ending hotmail.com, msn.com and live.com. The details were posted on a site used by technology experts last week but have since been removed. A Microsoft spokesman confirmed that the details were obtained as a result of a phishing scam. “We are working diligently to help customers regain control of their accounts,” he said. In a statement, the company said: "We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation. As part of that investigation, we determined that this is not a breach of any Microsoft servers. Subsequently we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts."
In a statement today, Google said: "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for web-based mail accounts including Gmail accounts. As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts when we become aware of them. "This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers. Once the attackers gain user credentials, they can easily access and modify the affected accounts as they desire. This may include changing a user's contact list, altering the inbox, or even deleting the account. We recognise how many people depend on Gmail, and we strive to make it as secure as possible by consistently fighting spam and providing security features to users. To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials to web addresses starting with https://www.google.com/accounts, and never click-through any warnings your browser may raise about certificates. We also provide the option to run Gmail sessions using https and strongly encourage users to update their secondary email address and SMS recovery option in case their account is compromised."
Phishing is a process where members of the public are duped into handing over their personal details, such as user names, passwords and credit card details. Victims send the information by e-mail to people posing as banks or online stores. Data can also be stolen by infecting a person’s personal computer with viruses and then raiding it for information. If you are concerned about the safety of your account, you should log in as soon as possible and change your password. If you cannot log in, your password may have been stolen and changed by an unauthorised user.
If you believe that your Microsoft account has been compromised, you should follow this link to the company’s help page.
If you believe your Gmail account is at risk, you should head to this page.
Tom Warren, a writer on Neowin.net, the technology blog that first revealed the breach, said that most of the compromised Hotmail passwords were from Europe, suggesting that many British addresses could have been among those compromised. Hotmail has more than 14 million users in Britain - around five million more than its closest rival, Yahoo! Mail - and about 28 per cent of the total users of webmail services, according to Nielsen figures. Social networking sites such as Twitter were abuzz with the reports, with users advising each other to change their e-mail passwords immediately.
Lukas Oberhuber, chief technical officer of the online specialist the Forward Internet Group, said: "Phishing attacks, such as the one that has now spread to Gmail, are almost impossible to stop because they convince victims they are inputting their private details into a safe website. It's all about convincing people, which scammers have been doing forever. "Phishing has been going on for years, so these compromises are no surprise. At the same time, the attacks get more and more sophisticated all the time. All the latest versions of the major browsers, Internet Explorer, Firefox and Safari, have in-built phishing protection. The problem is, it doesn't work for phishing websites they don't know about."
Microsoft is the latest in a long line of big organisations, from the UK Government to major banks, to have been faced with internet security breaches recently. Earlier this year The Times revealed that around four million British identities had been stolen and made available on the web. Lucid Intelligence, a British company, had intercepted highly sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs, all of which had been made available to the highest bidder. In 2007 the personal and bank details of 25 million people — almost every child in the country, as well as their parents and carers — were lost by HM Revenue & Customs. The information went missing when two CDs containing the details were mislaid.
-
6th October 2009 16:10 #7
Moderator
- Join Date
- Feb 2004
- Posts
- 2,124
Be careful, change passwords weekly.






