Summary: Mary Landesman from ScanSafe argues that accounts compromise is more likely the result of a combination of phishing and Windows Trojans

Hotmail's E-mail accounts fiasco is one that we wrote about several days ago, but there is more to the news than was initially reported. The whole thing apparently began with a disclosure at Microsoft's pet site, Neowin.

Yesterday, Neowin's Tom Warren discovered a list of what appeared to be Windows Live Hotmail account credentials, posted last weekend to a location where you wouldn't expect such a list to appear: a collaborative debugging code sharing site for low-level software developers called pastebin.com. Warren reported the news to the world at the same time he reported it to Microsoft.

IT Pro has this important update which suggests the incident has symptoms of Trojans, not just phishing.

Landesman said that there were a lot of indicators in the password lists that are consistent with data theft rather than phishing.

Microsoft conveniently blames phishing attacks, which too are enabled by Windows botnets (brute force), as we noted some days ago. Another interesting factoid is to do with how Microsoft handled the problem. Reports suggest that Microsoft blocked the compromised accounts, but Heise contradicts this:

Contrary to previous statements, Microsoft and Yahoo have by no means blocked all the accounts whose access credentials were recently published on the internet. On the list, The H's associates at heise Security found several Hotmail and Yahoo accounts that are still accessible and seem to show some suspicious activity.

It's not just Hotmail that's being compromised. Microsoft claims that Xbox Live (specifically Modern Warfare 2) has the same type of problem at the moment.

Unfortunately, some individuals are trying to take advantage of the hype from the upcoming title by scamming Xbox Live users to reveal their passwords to their accounts.

Given this obvious incompetence, how come Ohio lets Microsoft inherit control of university accounts? This is a recipe for trouble. From the press release.

Ohio Board of Regents Chancellor Eric D. Fingerhut today announced at the University System of Ohio Efficiency Council meeting, an agreement between the University System of Ohio's technology infrastructure and operations arm, OARnet, and Microsoft Corporation that will leverage the System's group purchasing power to bring additional messaging solutions to Ohio's higher education and K-12 communities.

This is just the latest example of the Live@edu scam in action. It's about imprisoning students [1, 2, 3]. ⬆

"Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren't so irritating."

--Bill Gates