40,000+ Email Addresses And Passwords Discovered On Phishing Site
Over 40,000 Hotmail and MSN email addresses, along with passwords, have been discovered on a phishing Web site. Read about the incident here.
You know those spam emails that ask you to provide your username/password credentials for your bank, email, Facebook, or some other service? Well, one user on Reddit decided to take a closer look at the Web site behind a link included in one of those emails, and what they ultimately found was a text file filled with ~47,000 email addresses and passwords belonging to Hotmail and MSN users.
Though it’s unclear whether these were successfully phished email addresses or addresses being used solely to send out phishing emails, the individual on Reddit wrote a Python script to test the validity of the credentials and found that ~85% of a sample of ~2000 were accessible with the passwords accompanying them. Many of those accounts show inbox activity as well.
In the end, the Redditor reported their find to Microsoft (since Hotmail/MSN are Microsoft services). To quote:
Just finished talking to Microsoft. They have the list. The server hosting the files has been down for at least 2 hours, I don’t know if it’ll ever come back. Guys at Microsoft were extremely nice, and it also felt like I had actually done something.
If you’re a Hotmail or MSN user and you suspect you may be a victim of phishing, it wouldn’t hurt to go ahead and change your password. Overall, this is most likely nothing to be alarmed about; however, these types of lists are far more common than readily meets the eye. With a little bit of advanced Google search querying, it’s fairly easy to dig up such lists residing in wide-open directories on phishing Web sites.
Last of note, if you’re curious to see whether an email address or username of yours has turned up in any list like this that’s gone public, check out pwnedlist.com. They’re a reputable site that currently houses almost 5 MILLION email addresses and usernames in their database that you can check against (assuming you trust that they won’t store your email address once you enter it to search). Needless to say, if an email address or username of yours is confirmed there, you might want to change all passwords associated with that email address/username.