Seen on Reddit:
Earlier today I received one of those run-of-the-mill phishing emails. I opened the url that the email wanted me to open, but leaving out the .php file in the end.
At the directory, among other files belonging to the infected server was a .zip file, and inside it a .txt with 47130 email;password pairs. At first I thought it was just a list of “targets” to send the phishing spam to, but it was actually real people’s account information that was being used to send out the emails. Or that’s my guess. All of them are either from hotmail.com or msn.com.
I wrote a Python script to test if the accounts were still valid without actually looking into these people’s emails, and what I found was this:
This script has been running for about 2 hours now, and about 85% of the credentials I’ve tested are still valid.
What do I do now? Emailing all these people is probably out of question, but I’d feel bad to leave all these emails almost up for grabs.
Edit: I aborted the script at about 2k logins, it was enough proof that the credentials were fresh and valid. Internet regulation in my country is abysmal and I’m mostly sure none will come of it. I posted this to see if I would be able to help the people who had their credentials stolen, not to be repeatedly told to SHUT DOWN EVERYTHING. I know the risks.
Edit2: Just finished talking to Microsoft. They have the list. The server hosting the files has been down for at least 2 hours, I don’t know if it’ll ever come back. Guys at Microsoft were extremely nice, and it also felt like I had actually done something.
Mission accomplished, I guess? Thanks, guys.
So from what database(s) was/were those data acquired? We don’t know.
When were they acquired? We don’t know that, either.
Did any of the people whose data were acquired ever receive notifications of a breach involving their passwords? We don’t know that, either, but if you got a notice that your password had been acquired, wouldn’t you change it? The fact that over 80% of the passwords still work suggests that this was a breach or breaches that were either never detected or never disclosed. That’s not good.
In any event, kudos to the OP who was trying to alert people that their passwords had been compromised and that their e-mail accounts were at risk.
Will Microsoft send courtesy alerts to those whose data were compromised? I hope so.