As reported elsewhere, approximately 10,000 Hotmail username-password combinations were posted to Pastebin earlier today. Quite a few analyses of the results have been published, but the list itself has since been pulled from Pastebin.
A few things haven't been reported yet:
- The data looks like it came from a Trojan on the victims' machines or from a man-in-the-middle attack rather than from a database dump: several usernames appear more than once, with slightly different passwords, which is what you would expect if someone mistyped a password a few times before getting it right. A database would hold only one record per account.
- From a quick glance, the passwords are all in plaintext; none of them were hashed. As mentioned in this article, consider using a tool like Password Hasher, which derives a different password for each site from a master password, so that a site only ever sees the derived value.
- Only accounts with usernames that fall between ara... and bla... were included in the list, so if your username was outside of that range, it wasn't on the list. (But read the next item!)
- This list contains 10,027 entries (only 9,360 unique accounts), but statistically the ara... to bla... range covers only about 1.6% to 3.1% of the possible username space (depending on whether Hotmail accounts can start with a digit). If usernames are spread evenly across that space, it is reasonable to assume that between 300,000 and 600,000 accounts were actually compromised and that the attacker posted only this subset.
- Get a good anti-virus/anti-malware program and scan your machine. There are plenty of free ones, including Trend Micro's HouseCall, Bitdefender's Online Scanner, and CA's Threat Scanner.
- Change your passwords (including on any other site where you reused the Hotmail one), and don't pick one of the common passwords.
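The pre-hashing idea behind the Password Hasher item above, as an added example that is not code from the original post or from the Password Hasher project: a per-site password is derived from a master secret and a site tag with HMAC-SHA256 (an illustrative scheme, not Password Hasher's own algorithm), so the site only ever sees the derived value. The master secret and site tags used here are made up.

```python
"""Added example (not from the original post or the Password Hasher project):
derive a per-site password from a master secret so that a site never sees
the master secret itself. Illustrative scheme using HMAC-SHA256, not the
Password Hasher extension's own algorithm."""
import base64
import hashlib
import hmac


def derive_site_password(master_secret: str, site_tag: str, length: int = 16) -> str:
    """Derive the password actually typed into one site.

    Only the derived value reaches the site, so a leak of that site's
    password (hashed or, as in the Hotmail list, plaintext) exposes neither
    the master secret nor any other site's derived password. The same
    inputs always give the same output, so nothing has to be stored.
    """
    if length < 8 or length > 43:  # 43 = base64 chars of a SHA-256 digest without padding
        raise ValueError("length must be between 8 and 43")
    # Normalise the tag so "Hotmail.com" and " hotmail.com " map to one password.
    tag = site_tag.strip().lower().encode("utf-8")
    digest = hmac.new(master_secret.encode("utf-8"), tag, hashlib.sha256).digest()
    # URL-safe base64 yields letters, digits, '-' and '_'; trim to the site's limit.
    candidate = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]
    # Many sites require at least one digit and one letter; patch the candidate
    # deterministically from the digest so the output stays reproducible.
    if not any(c.isdigit() for c in candidate):
        candidate = str(digest[0] % 10) + candidate[1:]
    if not any(c.isalpha() for c in candidate):
        candidate = candidate[:-1] + chr(ord("a") + digest[1] % 26)
    return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"  # made-up master secret
    for site in ("hotmail.com", "example.org"):
        print(site, derive_site_password(master, site))
```

The caveat that matters for this particular leak: if the list really came from a Trojan logging keystrokes, the tool's master secret is captured just like any other password. Pre-hashing protects you against a site leaking its copy of your password and against reuse across sites, not against malware on your own machine.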
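The two analysis points above (repeated usernames as a sign of capture at the client, and the extrapolation from the ara... to bla... range), as an added example that is not part of the original post: the dump lines are constructed for illustration and the accounts do not exist. The letters-only calculation reproduces the post's 3.1% figure; the 36-character variant allows a digit in either of the first two positions, which gives a different lower bound than the post's 1.6%, so treat that bound as sensitive to exactly where digits are permitted.

```python
"""Added example (not part of the original post): analyse a leaked
username:password dump the way the post does and reproduce its coverage
estimate. The sample dump is constructed; these accounts do not exist."""
from collections import defaultdict

# Constructed sample in the leak's "user:password" format.
SAMPLE_DUMP = """\
arabella_k@hotmail.com:sunshine1
arabella_k@hotmail.com:sunshine1
archer.m@hotmail.com:Pa55wrod
archer.m@hotmail.com:Pa55word
archer.m@hotmail.com:Pa55word
bettyboop77@hotmail.com:123456
bjorn.s@hotmail.com:qwerty
bjorn.s@hotmail.com:qwerty
"""

LETTERS = "abcdefghijklmnopqrstuvwxyz"
DIGITS_AND_LETTERS = "0123456789" + LETTERS


def parse_dump(text):
    """Split 'user:password' lines; a password may itself contain ':'."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, password = line.split(":", 1)
        entries.append((user.strip().lower(), password))
    return entries


def local_part(user):
    return user.split("@", 1)[0]


def unique_accounts(entries):
    return {user for user, _ in entries}


def repeated_entries(entries):
    """Users listed more than once. A database dump has one row per account,
    so repeats point at capture on the client (malware) or on the wire."""
    seen = defaultdict(list)
    for user, password in entries:
        seen[user].append(password)
    return {u: p for u, p in seen.items() if len(p) > 1}


def typo_candidates(entries):
    """Repeated users whose entries carry *different* passwords: what a
    mistyped-then-corrected login looks like when keystrokes are captured."""
    return sorted(u for u, p in repeated_entries(entries).items() if len(set(p)) > 1)


def in_range(user, lo="ara", hi="bla"):
    """True if the username's local part sorts between the two prefixes."""
    name = local_part(user.lower())
    return name >= lo and name[: len(hi)] <= hi


def prefix_fraction(alphabet, lo, hi, length=2):
    """Fraction of all `length`-character prefixes over `alphabet` that lie
    in [lo, hi] inclusive, assuming every prefix is equally likely (the
    post's extrapolation rests on that assumption)."""
    idx = {c: i for i, c in enumerate(alphabet)}
    base = len(alphabet)

    def rank(prefix):
        r = 0
        for c in prefix[:length]:
            r = r * base + idx[c]
        return r

    return (rank(hi) - rank(lo) + 1) / base ** length


def extrapolate(observed, fraction):
    """Estimated size of the full set given a uniformly sampled fraction."""
    return observed / fraction


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print(len(entries), "entries,", len(unique_accounts(entries)), "unique accounts")
    print("repeated:", sorted(repeated_entries(entries)))
    print("likely typos:", typo_candidates(entries))
    for label, alphabet in (("letters only", LETTERS), ("digits allowed", DIGITS_AND_LETTERS)):
        frac = prefix_fraction(alphabet, "ara", "bla")
        print(f"{label}: {frac:.2%} of the space -> ~{extrapolate(9360, frac):,.0f} accounts")
```

Run against the real list, the interesting outputs are the typo candidates (each one is a user whose keystrokes, not just a stored credential, were captured) and the unique-account count, which is the right numerator for the extrapolation.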