Hotmail phishing scam may also affect AOL, Gmail and Yahoo
By John Lister
Scammers who put together a list of 10,000 stolen Hotmail passwords may also be responsible for collecting 20,000 passwords from other e-mail providers. AOL, Comcast, Earthlink, Gmail and Yahoo are all said to be affected.
Microsoft confirmed last night that some passwords for Windows Live and Hotmail had been listed on a Web site. That site was pastebin.com, a site primarily used by legitimate developers to share code. A document posted there contained details of 10,028 e-mail accounts, some of which have been confirmed as genuine. As only names beginning with A & B were in the list, it seems likely there is a much wider list of details in the wrong hands.
With Microsoft saying its investigations show no breach of its internal data systems, the most likely explanation is a phishing scam. Neowin notes a theory linking the names on the list to a bogus message telling Windows Live Messenger users that they had been blocked by a friend and asking for their log-in details before revealing who that friend was.
The BBC is now reporting that it saw a second document on pastebin.com, this time containing details for e-mail accounts from multiple providers. It says the list is a mix of genuine current details and bogus or lapsed accounts. There’s no detail of whether this list is connected to the original, though if the Windows Live Messenger theory is correct it seems unlikely.
Pastebin.com has now been taken offline for maintenance after an “unprecedented amount” of traffic. Its owner says he has deleted the relevant files.
While the odds of being on these lists may be small, it’s probably worth changing your e-mail passwords today. But beyond that, the incident should serve as a reminder of two important principles of online security: change your passwords regularly and avoid using the same log-in details for multiple sites.

