Potential Phishing Attack Exposes Hotmail Accounts

On Monday morning, attackers posted more than ten thousand Hotmail accounts online.  As a demonstration of their ability to obtain sensitive information, they published the usernames and passwords needed to log into each account, listed in alphabetical order and covering only accounts beginning with ‘A’ and ‘B.’

About 5,500 accounts were revealed for each of the two letters.  Extrapolating from that figure, if the attackers hold similar numbers of accounts for all 26 letters of the alphabet, a total of approximately 143,000 accounts would have been compromised.

Initially, the suspicion was that the source of the breach was the central Microsoft network, which hosts Hotmail.  The attackers were presumed either to have stolen the credentials directly from that network or to have found a way to leak them from it indirectly.  That theory was deemed unlikely, however, once analysts calculated that the suggested number of intercepted accounts amounted to only 3.5 percent of Hotmail’s over 400 million accounts.

A spokeswoman for Microsoft stated via email to Computerworld that they “determined this was not a breach of internal Microsoft data,” and that they were following the standard process they use to help customers regain control of their accounts.

If the spokeswoman was reporting accurately, the next most likely scenario is that the attackers compiled the list of Hotmail credentials through a phishing campaign.  Such an attack, if it took place, would rank among the largest recorded phishing attacks when measured by the number of accounts breached.

With attacks of this nature becoming more widespread, it pays to have safeguards in place.  These five precautions can help protect potential victims from phishing scams.

  1. Be Cautious. The best bet is to play it safe when judging whether a message is legitimate.  If you are not completely certain, assume it is not on the level.  It is never a good idea to provide sensitive information such as account numbers, passwords, or user names via email, and if a message is at all suspicious it’s safer not to reply to it.
  2. Initiate Contact. Better still, never click embedded links in, or reply to, any email that relates to personal or account information.  The safest course is to call the company directly.  If a phone number is not available, close the received email and open a new message to the company using its published contact information, which might not be the address the suspicious message came from.
  3. Look Closely At Your Statements. When bank statements come in, look over them carefully for suspicious transactions or unrecognized activity.  Contact the financial institution immediately if any problems are detected.
  4. Update Web Browsers. Internet Explorer 8, Firefox 3.5, and other new-generation web browsers have phishing protection built in.  The browser will flag sites that could compromise user security and warn before the page is visited.
  5. Report Any Attack. If a phishing attack is suspected, report it right away to the ISP.  At the same time, report any suspected phishing attack to the FTC, or Federal Trade Commission, which can be reached at www.ftc.gov.
