Microsoft acknowledges Live ID accounts breach
Yesterday, Neowin's Tom Warren discovered a list of what appeared to be Windows Live Hotmail account credentials, posted last weekend to a location where you wouldn't expect such a list to appear: a collaborative debugging code sharing site for low-level software developers called pastebin.com. Warren reported the news to the world at the same time he reported it to Microsoft.
Microsoft acknowledged the problem late yesterday, but attributed it to "a likely phishing scheme." Whatever the source of the list, its first casualty today was pastebin.com itself: its proprietor, Paul Dixon (LordElph), was forced to take the site offline because of the sudden surge of traffic.
"Pastebin was created as a tool to aid software development, not to distribute this sort of material," Dixon wrote today, on a blog which itself has seen so much activity that its page refreshes were agonizingly slow. "As a result of the interest this story is generating, pastebin.com is experiencing huge levels of activity -- as a result I've taken it offline while I ensure all the offending material has been removed, and that the abuse filters prevent re-occurrence."
Members of the site offered support; one member offered to mirror pastebin's legitimate content to help ease the load. As of this morning, the site was only occasionally visible.
Individuals who saw the list reported that it appeared to contain the first 10,028 username/password combinations in a much longer list, sorted alphabetically. Only usernames beginning with A and parts of B were shown.
Microsoft's take on the incident is that it was probably a demonstration by someone who had acquired the credentials through phishing: for example, a fake message purporting to come from Microsoft or a partner that asks users to "sign in using your Windows Live ID" to read an e-mail offer, with the sign-in form actually delivering the username and password to the attacker. The other possibility, which Microsoft did not raise, is that an attacker extracted the list from Microsoft's own servers by way of some administrator-level command or script. The alphabetical sorting and the cutoff partway through the Bs point to a partial dump of a larger collection, but that is consistent with either explanation and does not settle where the data came from.
In either event, Microsoft is taking the least costly mitigation: advising Live ID users to change their passwords, and to keep changing them every 90 days. That advice only protects users who act on it; anyone whose credentials are on the list and who does not change the password remains exposed until they do.