A quick heads-up to all users of Microsoft’s Windows Live Hotmail email service: a list of at least 10,000 user names (and the corresponding passwords) of the second-largest email service after Yahoo has been leaked online. The list first appeared on the Pastebin website, which is normally used by programmers to share source code.

Microsoft has confirmed that the list is authentic. They have also said that their databases were not actually breached; if this is correct this means the list was gathered using conventional phishing attacks. Users who believe their accounts have been compromised may fill out this online Microsoft form to recover their account.

Windows Live Hotmail users are strongly advised to change their passwords immediately, as the scale of the overall problem is unknown. As a preventive measure, users should be very careful about entering user credentials in untrusted websites. The Microsoft page above also contains other security recommendations that users should consider.

Phishing sites like the ones that were apparently involved in collecting these credentials are blocked by the Trend Micro Smart Protection Network.

Update as of 6 October 2009, 12:00 PM:

It turns out that this attack is bigger than previously thought, as new lists of compromised email accounts were found posted on the same site where the thousands of Hotmail credentials were initially posted. However the newly posted information were not only consisted of Hotmail accounts, but Gmail, Yahoo!, Comcast, and Earthlink accounts as well. The said information are said to have been acquired in the same way as the previous attack.

The email account credentials were posted at pastebin.com, a website designed as a platform for developers to share code. The website was taken down temporarily by its owner to remove the information. The website is online again as of this writing, but not without a note for its likely very concerned users: Concerned about Hotmail? If you’ve come here after reading about the hotmail leak, see this blog post.