Windows Live team blog archive

Update: Impacted accounts were secured to prevent unauthorized access and the majority of the accounts were returned to their rightful owners through our account recovery process. If you are still having issues accessing your account please follow the instructions below.  Thank you for your patience.

—

As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.

If you believe your information was documented on the illegal list, please fill out the following form to reclaim access to your account.

—

Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.

Phishing is an industry-wide problem and Microsoft is committed to helping consumers have a safe, secure and positive online experience. Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”  If you believe you’ve been a victim of a phishing scheme, it’s very important that you update your account information and change your password as soon as possible. More information on what to do is available on this page at our support community.

Microsoft recommends customers use the following protective security measures:

• Renew their passwords for Windows Live IDs every 90 days
• For administrators, make sure you approve and authenticate only users that you know and can verify credentials
• As phishing sites can also pose additional threats, please install and keep anti-virus software up to date

Answers to a few general questions about phishing scams

Q: What should you do if you fall victim to a phishing scam? How should you respond? What steps should you take?

A: If you think that you may have responded to a phishing scam with personal or financial information or entered this information into a fake website, you should take four key steps: (1) report the incident to the proper authorities, (2) change the passwords on all your online accounts, (3) review your credit reports and your bank and credit card statements, and (4) make sure you are using the latest technologies to help protect yourself from future scams.

1. For the first step:
   • If you have given out your credit card information, contact your credit company right away. The sooner a company knows your account may have been compromised, the easier it will be for them to help protect you.
   • Next, contact the company that you believe was forged. Remember to contact the organization directly, not through the e-mail message you received. Or call the organization’s toll-free number and speak to a customer service representative. For Microsoft, call the PC Safety hotline at:
     1-866-PCSAFETY.
   • Then, report the incident to the proper authorities. Send an e-mail to spam@uce.gov to report it to the Federal Trade Commission and to reportphishing@antiphishing.org to report it to the Anti-Phishing Working Group.
2. The second step is to change the passwords on all your online accounts. The reason for this is that a lot of people use the same password for multiple accounts. Start with passwords that are related to financial institutions or personal information. If you think someone has accessed your e-mail account, change your password immediately. If you’re using Hotmail, go to: http://account.live.com.
3. The third step is to review your bank and credit card statements and your credit report monthly for unexplained charges, inquiries or activity that you didn’t initiate.
4. Finally, make sure you use the latest products, such as anti-spam and anti-phishing capabilities in e-mail services, phishing filters in Web browsers and other services to help warn and protect you from online scams.

Q: How can I recognize an e-mail scam?

A: There are several signs you should look for to identify a phishing e-mail: (1) Does it ask you to send your personal information? (2) Is it poorly worded or does it have typos? (3) Does it contain convincing details about your personal information? (4) Does it use phrases like “verify your account” or “you’ve won the lottery?”

• Any e-mail asking for your name, birth date, social security number, e-mail username, e-mail password, or any other type of personal information, no matter who the e-mail appears to be from, is almost certainly a scam.  Microsoft and most other businesses do not send unsolicited e-mail requesting personal or financial information.
• E-mails that are poorly worded, have typos, or have phrases such as "this is not a joke" or "forward this message to your friends" are generally scam e-mails.
• Phishing mail often includes official-looking logos and other identifying information taken directly from legitimate Web sites, and it may include convincing details about your personal information that scammers found on your social networking pages.
• A few phrases to look for if you think an e-mail message is a phishing scam are:
  • "Verify your account."
  • "If you don’t respond within 48 hours, your account will be closed."
  • "You have won the lottery.”

Q: What should people do if they think they have received a phishing e-mail?

A: If you think you may have received a phishing e-mail, you should take three steps: (1) take some time to check up on it and do not click on a link or give out your personal information, (2) make sure you have created a strong password for your account and (3) report the phishing scam.

• The most important thing to remember is do not click on the link or give out your personal information.  It is possible for your computer to become infected with malicious software simply by visiting a phishing site – without you even realizing it. If you receive a questionable e-mail, take some time and check up on the information. Often sites like snopes.com list common e-mail scams.  Go to that website of the company you received the e-mail from and contact their customer service reps via phone or online to verify the validity of the e-mail.
• Another thing you should do is create a strong password for your e-mail account by using more than 7 characters and having a combination of upper and lower case characters, numbers, and special characters, like the @ or # symbols. It’s also a good idea to change your password on a regular basis. The next time you change your Hotmail password, you can check “make my password expire every 72 days” to remind you to change it.
• Finally, help us identify new scams. If you use Hotmail and received a phishing e-mail, you can select the dropdown next to "Junk,” and select "Report phishing scam.” Whatever you do, do not reply back to the sender. You should also report phishing scams to the Anti-Phishing Working Group by e-mailing them at reportphishing@antiphishing.org.

Q: How common is this scam?

A: The most recent version of Microsoft’s Security Intelligence Report (Volume 6) shows that more than 97 percent of e-mail messages sent over the Internet are unwanted: They have malicious attachments, are phishing attacks, or are spam.

Q: Is Microsoft taking any proactive steps to prevent this from happening?

A: To help protect people from phishing attacks, Microsoft is providing education and guidance to customers, collaborating with other technology leaders, businesses and governments and supporting law enforcement actions against phishers.

• We provide guidance and information to customers about how to stay safe online at www.microsoft.com/protect and work with others in the industry and governments to educate people on online threats and safety tips.
• From a technology perspective, because so much phishing comes from spammers, our Hotmail spam filter, called SmartScreen, blocks over 4.5 billion unwanted e-mails per day by distinguishing between legitimate e-mail and spam.
• The Microsoft Phishing Filter, which is free as part of Internet Explorer 7, Internet Explorer 8, Windows Vista and as an add-on for the Windows Live Search Toolbar, also helps protect people from phishing attacks by identifying suspicious or confirmed phishing sites and warning customers before they reach them.
• Law enforcement also plays a big role here. Microsoft has supported 191 enforcement actions against phishers worldwide.  These include civil lawsuits filed by Microsoft, as well as civil and criminal actions by international government and law enforcement agencies for which Microsoft made referrals and subsequently provided support. 
• Microsoft is a founding member of the Anti-Phishing Working Group, a cross-industry association focused on preventing phishing. Microsoft also actively participates in DigitalPhishNet, an alliance between law enforcement and industry leaders in a variety of sectors, including technology, banking, financial services, and online auctioneering.  The group is focused on assisting law enforcement in apprehending and prosecuting those responsible for committing crimes against consumers through phishing. 

Q: Shouldn’t Microsoft be doing more to protect people from phishing?

A:  Combating phishing requires involvement from technology leaders, businesses operating online, law enforcement and governments. Microsoft plays a leading role in the Anti-Phishing Working Group, provides technologies to protect people from phishing and assists law enforcement to bring prosecutions against online criminals.