More than 10,000 compromised Hotmail accounts were posted online this morning by attackers, apparently to demonstrate their success in capturing the credentials. Each entry contained the username and password pair needed to log in to the account, and the list covered only addresses beginning with the letters ‘A’ and ‘B’, in alphabetical order.
Roughly 5,500 accounts were listed for each of the two letters. Assuming the attackers hold a similar number for every letter of the alphabet, the total number of compromised accounts comes to somewhere around 143,000.
It was initially thought that the information may have been leaked or stolen directly from the Microsoft network where Hotmail is hosted. However, the extrapolated total is a very small fraction of the Hotmail user base: about 143,000 out of more than 400 million registered accounts, or roughly 0.04 percent. A loss that small and that evenly spread across the alphabet looks more like credentials harvested one user at a time than a bulk extraction from Microsoft’s systems.
According to Computerworld, a Microsoft spokeswoman stated “We determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts” in an e-mail response.
Assuming that is true, the next most likely explanation on the Occam’s Razor flowchart of data breach troubleshooting is that the credentials were gathered through a phishing attack. If so, it would be one of the largest phishing attacks on record in terms of the total number of accounts compromised.
Here are 5 simple steps you can follow to avoid becoming a victim of a phishing attack:
1. Be Skeptical: Err on the side of caution. If you are not 100 percent certain that a message is legitimate, assume it is not. Never supply your username, password, account number or any other personal or confidential information by email, and do not reply directly to emails you suspect may be fraudulent.
2. Contact Directly: Better still, never reply to emails or click on links that concern your account information. Pick up the phone and call the company, or at least close the questionable email and start your own separate message to the company using the customer service contact details listed on its official site or on your statement, not those supplied in the email.
3. Analyze Statements: Scrutinize your bank statements and account activity for suspicious or unfamiliar transactions. If you find any, contact the company or financial institution immediately.
4. Use a Current Web Browser: The latest generation of web browsers, such as Internet Explorer 8 and Firefox 3.5, includes built-in phishing protection that can recognize many known malicious sites and warn you before the page loads. Note that these filters only catch sites that have already been reported, so treat them as a backstop for the steps above, not a replacement for them.
5. Report Attacks: If you think you are the target of a phishing attack, report the suspicious activity. Report suspicious emails to your ISP or email provider, and report suspected phishing attacks to the Federal Trade Commission (FTC) at www.ftc.gov.
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com.