Microsoft acknowledges Live ID accounts breach
By Scott M. Fulton, III | Published October 6, 2009, 10:29 AM
Yesterday, Neowin's Tom Warren discovered a list of what appeared to be Windows Live Hotmail account credentials, posted last weekend to a location where you wouldn't expect such a list to appear: a collaborative debugging code sharing site for low-level software developers called pastebin.com. Warren reported the news to the world at the same time he reported it to Microsoft.
Still, Microsoft acknowledged the problem late yesterday, but attributed the source of the problem to "a likely phishing scheme." If such a scheme does exist, then its first victim today was poor pastebin.com, whose proprietor Paul Dixon (LordElph) was forced to take the site offline due to the sudden surge of activity.
"Pastebin was created as a tool to aid software development, not to distribute this sort of material," Dixon wrote today, on a blog which itself has seen so much activity that its page refreshes were agonizingly slow. "As a result of the interest this story is generating, pastebin.com is experiencing huge levels of activity -- as a result I've taken it offline while I ensure all the offending material has been removed, and that the abuse filters prevent re-occurrence."
Members of the site offered support; one member offered to mirror pastebin's legitimate content to help ease the load. As of this morning, the site was only occasionally visible.
Individuals who saw the list reported that it appeared to contain the first 10,028 username/password combinations in a much longer list, sorted alphabetically. Only usernames beginning with A and parts of B were shown.
Microsoft's take on the incident is that it was probably a demonstration by someone who had acquired the credentials by way of a phishing scheme -- for example, a fake message that appears to be from Microsoft or a partner and asks users to "sign in using your Windows Live ID" to gain access to an e-mail solicitation. The other possibility -- one which Microsoft did not raise -- is that the list was obtained by a hacker who coaxed a server into disclosing it through some administrator-level command or script.
In either event, Microsoft is taking the easier approach for mitigation: advising Live ID users to change their passwords, and to continue to do so every 90 days.
Jesus H freakin' Christopherus...how disappointing to see a lamely titled, misleading article by the Great Scott... Hey Scotty, you're a pretty techie kinda guy, right? Did you bother to find out if MS stores the passwords in (hrrmm ONE WAY) encrypted format on their server? If so, then take Microsoft's name the ph*** OUT OF THE TITLE! It implies they are responsible. 100% of the people who read your BLASPHEMOUS title would jump to the wrong conclusion about our beloved Microsoft!! We must not let anyone think anything bad of our divine company for even a split second!!!
hehehehehe...okay...so I was mostly kidding.
or not.
Anyhoo -- who knows, maybe Microsoft is gay enough to store user passwords unencrypted someplace. Highly doubtful, but even kings have been known to walk around naked in public at times...or so the legends tell. ;)
Score: -2
Yes, we know all about this
now onto the Google, Yahoo, AOL phish list
which was also confirmed
Score: 0
Good job MS. Way to take the proactive approach *sarcasm*
Score: -10
There is no proactive approach due to the stupidity of users, just one approach and that's education.
sadly, the majority never learn
Score: 4
And btw, change the title of this article, because as it stands right now there was no 'breach'.
What's with trying to make Microsoft look bad? Intentional or not.
professional journalism people, professional....
remember my offer to be an editor/reviewer? offer still stands *wink
Score: 4
OR, they could take the list of accounts, and set them up so they HAVE to reset their passwords. The stupidity of users can not be solved, but MS can ensure these people's safety. As a service provider you take on a lot of responsibilities; the integrity of your system and your users' safety are just some of those responsibilities.
Score: -2
I bet half of the e-mail addresses are like "greatest_grandpa" or "g-ma27". "Oh dear, this e-mail from Microsoft requires that I confirm my log in credentials by following the harmless link."
Score: 0
Who's to say they aren't doing that? I haven't read anywhere that they weren't; the only thing I see in this article is Microsoft advising all Live ID users to change up their passwords every so often, which is common sense practice.
Score: 2
I agree, but it would not take much effort on MS's part to force the user to change their password on the next log in, only after answering their security questions. Then at least MS looks like they are trying to do something. Instead they are sitting there with their hands resting on their big stomachs twiddling their thumbs.
Score: -2
This article certainly doesn't say they are, and that was my point. They are not being proactive, just passing the puck. Even pastebin was proactive.
Score: -3
You're assuming these folks remember the answer to their security question, big mistake ;P
Score: 2
Better than letting someone take over their account. Bigger mistake.
Score: -3
A little bit of research, mr_rich101, wouldn't hurt.
Microsoft has already confirmed that they disabled access to all the accounts impacted and there is a team of people on Microsoft's side who are working with customers who were impacted so that they can regain access to their accounts.
Score: 3
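The forced reset that the earlier comment proposes and the account lockout described in this one, as an added Python example that is not part of the article or of Microsoft's own systems; the account names, the hashed user store, the verdict labels and the sample list are assumptions:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example (hypothetical names and data): a user store holding only salted
# one-way PBKDF2 hashes, plus the response the comments propose for a leaked list:
# confirm each pair against the stored hash, lock confirmed accounts, force a reset.
PBKDF2_ROUNDS = 100_000
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    must_reset: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))

def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'user:password' lines of a pasted list; skip blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pairs.append((user.strip().lower(), pw))
    return pairs

def process_leak(dump: str, users: dict[str, Account]) -> dict[str, str]:
    """Flag every listed account for reset, lock those whose leak still matches."""
    verdicts: dict[str, str] = {}
    for user, pw in parse_dump(dump):
        acct = users.get(user)
        if acct is None:
            verdicts[user] = "unknown"           # not one of our accounts
        elif hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
            acct.locked = acct.must_reset = True
            verdicts[user] = "confirmed-locked"  # leak is live: block sign-in
        else:
            acct.must_reset = True               # stale or wrong: reset anyway
            verdicts[user] = "stale-reset-required"
    return verdicts
SAMPLE_USERS = {"alice": make_account("hunter2"), "bob": make_account("correct horse")}
SAMPLE_DUMP = "alice:hunter2\nbob:wrongpass\n\ncarol:abc123\nnot-a-pair\n"  # constructed
```

Because the store keeps only salted one-way hashes, the leaked plaintext can be checked against it without the service ever holding the password itself, which is the point the first comment raises.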
"Microsoft said the passwords had been removed from the offending website, which it did not identify, and said it had blocked access to all affected accounts and was helping users to reclaim their Hotmail accounts.
The software company said the exposure of the passwords was not a breach of any Microsoft servers." - Reuters
Score: 1
Thank you for clarifying that. The only free time I have between projects and testing is spent on engadget and beta news. So, any details left out in betanews articles are information I don't get.
Score: -3
Please explain how that would work?
Score: 0