The ideas of cloud-based computing and Web-based applications seem fine and dandy…at least, until a security breach or a clever scammer figures out a way to turn an online service into one-stop shopping for account details and personal information. Microsoft has said that on October 1 perpetrators of a phishing scheme published account details and passwords to more than 10,000 Hotmail accounts on the code-sharing Web site pastebin.com. The accounts primarily belong to European account holders and start with the letters A or B; however, there’s no telling whether the posting was all the data the perpetrators had, or whether they also have information for accounts C–Z.
Microsoft says it has launched an investigation; pastebin.com took down the material on being informed of its presence. The list of impacted accounts includes addresses not only in the Hotmail.com domain, but also Microsoft’s other online email services msn.com and live.com.
Microsoft is recommending Hotmail users change their passwords not only on their Web-based email account but also on any other sites that use the same password. Industry studies find that anywhere from one third to half of computer users re-use passwords on multiple sites or services, which means that a compromised password on one service has the potential to create security problems on other services.
In this case, it appears the attackers obtained the account information via a phishing attack, which falsely asked users to input their Hotmail account information via a fake Web page or Web site.