Neowin.net is reporting that over 10,000 usernames and passwords were publicly disclosed from users of hotmail.com, msn.com, and related Microsoft email services. All of the accounts initially posted begin with the letter a or b, suggesting that this may be the tip of the iceberg. BBC News contacted Microsoft and was able to confirm the validity of the accounts that were released.

Microsoft has released a public statement saying their investigation determined the IDs were stolen through a phishing attack. Part of their statement said "As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts."

This raises the question of how many people fell victim to this attack, and whether it is still underway. I may not be able to answer these questions, but with over 10,000 accounts exposed from the first two letters of the alphabet alone, the scope of this fraud could be very large. Users who have followed Graham's advice about using a separate password for each site they use will limit their exposure to just Microsoft's online services.

Another question is what Microsoft means by "due to a phishing scheme". Was this another "view your blocked MSN friends" website, or was it a direct phish using an impostor Hotmail login page? SophosLabs blogged about these attacks early in September, and it seems likely this may be related.

Computer World reported that this may be a similar attack to the one that disclosed private emails of vice presidential candidate Sarah Palin during last year's U.S. election. I find this to be highly improbable. To compromise 10,000 or more accounts in an apparently serial manner would not be practical by guessing security questions. It is far more likely that users were duped into providing their passwords to a fraudulent website posing as Microsoft or an affiliate.

My recommendation for users of Microsoft's online services is to change your passwords immediately. Better safe than sorry, and password rotation is something we are often too lazy to do. This is a great time to log into those Facebook, Twitter, Gmail, and Yahoo! accounts and do likewise, as a simple best practice to prevent yourself from becoming a victim of habit. Password rotation is not fun, but it is a great preventative against these types of disclosures.

If you are an IT administrator, this would be a great time to remind your users to change their Microsoft Live!, MSN, and Hotmail passwords. Additionally, as always, be sure your anti-spam protection is current and educate your users about phishing and clicking links in email. Sophos Web Appliance customers have been protected against the MSN friends scam for some time now; however, technology and education together are always the best solution.