DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Reddit, I just came across a list of about 47k emails and passwords.

Posted on November 13, 2011 by Dissent

Seen on Reddit:

Earlier today I received one of those run-of-the-mill phishing emails. I opened the url that the email wanted me to open, but leaving out the .php file in the end.

At the directory, among other files belonging to the infected server was a .zip file, and inside it a .txt with 47130 email;password pairs. At first I thought it was just a list of “targets” to send the phishing spam to, but it was actually real people’s account information that was being used to send out the emails. Or that’s my guess. All of them are either from hotmail.com or msn.com.

I wrote a Python script to test if the accounts were still valid without actually looking into these people’s emails, and what I found was this:

http://i.imgur.com/FjV3g.png

This script has been running for about 2 hours now, and about 85% of the credentials I’ve tested are still valid.

What do I do now? Emailing all these people is probably out of question, but I’d feel bad to leave all these emails almost up for grabs.

Edit: I aborted the script at about 2k logins, it was enough proof that the credentials were fresh and valid. Internet regulation in my country is abysmal and I’m mostly sure none will come of it. I posted this to see if I would be able to help the people who had their credentials stolen, not to be repeatedly told to SHUT DOWN EVERYTHING. I know the risks.

Edit2: Just finished talking to Microsoft. They have the list. The server hosting the files has been down for at least 2 hours, I don’t know if it’ll ever come back. Guys at Microsoft were extremely nice, and it also felt like I had actually done something.

Mission accomplished, I guess? Thanks, guys.

So from what database(s) was/were those data acquired? We don’t know.

When were they acquired? We don’t know that, either.

Did any of the people whose data were acquired ever receive notifications of a breach involving their passwords? We don’t know that, either, but if you got a notice that your password had been acquired, wouldn’t you change it? The fact that over 80% of the passwords still work suggests that this was a breach or breaches that were either never detected or never disclosed. That’s not good.

In any event, kudos to the OP who was trying to alert people that their passwords had been compromised and that their e-mail accounts were at risk.

Will Microsoft send courtesy alerts to those whose data were compromised? I hope so.

No related posts.

Category: Breach Incidents

Post navigation

← Duqu Virus More Serious Threat Than Previously Thought
video of steam servers getting DoS by @TehWongZ →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.