Monday, October 05, 2009

Windows Live Hotmail Phishing Scheme

Earlier today, Neowin reported that thousands of Windows Live Hotmail account details were publicly exposed:

“An anonymous user posted details of the accounts on October 1 at, a site commonly used by developers to share code snippets. The details have since been removed but Neowin has seen part of the list posted and can confirm the accounts are genuine and most appear to be based in Europe. The list details over 10,000 accounts starting from A through to B, suggesting there could be additional lists. Currently it appears only accounts used to access Microsoft's Windows Live Hotmail have been posted, this includes, and accounts.”

The Windows Live Team, Windows_Liveconfirmed that the logon account information of several thousand Windows Live Hotmail accounts were exposed on a third-party site. It is believed that this was due to a likely phishing scheme.

Edit to add Windows Live Team Update:

"As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.

If you believe your information was documented on the illegal list, please fill out the following form to reclaim access to your account."

If your account was compromised, please see “What to do if you think your account has been stolen”.

The Windows Live Team provided the following steps to take if you are a victim to this or any phishing scam:

Q: What should you do if you fall victim to a phishing scam? How should you respond? What steps should you take?

A: If you think that you may have responded to a phishing scam with personal or financial information or entered this information into a fake website, you should take four key steps: (1) report the incident to the proper authorities, (2) change the passwords on all your online accounts, (3) review your credit reports and your bank and credit card statements, and (4) make sure you are using the latest technologies to help protect yourself from future scams.

  1. For the first step:
    • If you have given out your credit card information, contact your credit company right away. The sooner a company knows your account may have been compromised, the easier it will be for them to help protect you.
    • Next, contact the company that you believe was forged. Remember to contact the organization directly, not through the e-mail message you received. Or call the organization's toll-free number and speak to a customer service representative. For Microsoft, call the PC Safety hotline at:
    • Then, report the incident to the proper authorities. Send an e-mail to to report it to the Federal Trade Commission and to to report it to the Anti-Phishing Working Group.
  2. The second step is to change the passwords on all your online accounts. The reason for this is that a lot of people use the same password for multiple accounts. Start with passwords that are related to financial institutions or personal information. If you think someone has accessed your e-mail account, change your password immediately. If you’re using Hotmail, go to:
  3. The third step is to review your bank and credit card statements and your credit report monthly for unexplained charges, inquiries or activity that you didn’t initiate.
  4. Finally, make sure you use the latest products, such as anti-spam and anti-phishing capabilities in e-mail services, phishing filters in Web browsers and other services to help warn and protect you from online scams.”

As a precautionary step,it is advised that Windows Live Hotmail passwords be changed every 90 days. Instructions for changing your password as well as getting a refresh reminder are available in “Let Hotmail Remind You To Refresh Your Passwords Every 72 Days”.

With the end of the year Holidays approaching, phishing scams will be on the rise. Learn how to Create strong passwords, Protect your Windows Live ID and much more at the Microsoft Online Safety Fraud Prevention web page.

Clubhouse Tags: Security, Password, Windows Live, How-to, Hotmail, Clubhouse, Safety, Phishing, Information

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Chris Brown said...

I think its so messed up how people spend time sabotage large websites its not cool I can't stand people who that I had a bad experience when someone got my password to my email account they found my checking information the whole deal it was a nightmare that was not called for.. .

Corrine said...

You're so right, Chris, I am sure it was a nightmare and I am sorry you and so many others have this horrible experience.

In conjunction with the Cyber Security Awareness Month theme, "Our Shared Responsibility" I hope you are sharing your learning with friends and family. There is a wealth of information at Microsoft Online Safety.

Wishing you only good dreams and no more nightmares!