10:41 06 October 2009
A recent major phishing attack directed primarily at Hotmail may be larger than previously thought.
Up to 21 million people and businesses who use the email service in the UK are potentially at risk of being defrauded after passwords were illegally published.
BBC News has reported to have seen a list of more than 20,000 more names and passwords that have been posted online, although the official response from Microsoft was only that "more than 10,000" were compromised.
The list contains e-mail addresses and passwords from Hotmail, Yahoo, AOL, Gmail and other service providers.
An original list of 10,000 Hotmail login details was posted online on a forum site, Pastebin.com.
Some of the accounts appear to be old, unused or even fake. However, many are genuine, posing a major security risk for users.
Phishing involves using fake websites to lure people into revealing details such as bank account details or login names, usually to buy a bogus product or sign up to a non-existent service.
A spokesperson for Microsoft said phishing was an "industry-wide problem".
"Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software."
"Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data.
"We are working diligently to help customers regain control of their accounts."
Technology blog neowin.net was the first to publish details of the original attack. It said the accounts were posted on October 1 to pastebin.com, a website commonly used by developers to share code.
While the Pastebin website is down for maintenance after being overloaded, its owner, Paul Dixon, told Neowin that it had received "an unprecedented amount of traffic".
"Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications."
Users have been urged to change their passwords as soon as possible, but as around 40% of internet users use the same password for every website they use, it is recommended that all login details be reviewed.
Disclaimer: Supanet is not responsible for, and disclaims any and all liability for the content of comments written by contributors to this website