Microsoft has confirmed reports that Hotmail accounts were compromised. These account credentials were stolen using a phishing attack, which means they were stolen from users rather than from Microsoft websites. The accounts were posted on October 1st to pastebin.com. The accounts included Windows Live Hotmail accounts with email addresses ending in hotmail.com, msn.com and live.com.
If you do not know what phishing is, I wrote a short tutorial on it some time ago. The attack involves getting users to click on a link to a website that looks like a legitimate site the user knows. Once there, the user is usually presented with a login screen, and when the user enters credentials, the attacker captures them and later misuses them.
The most common way of delivering the links to users is in an email. But there have been instances where attackers have set up legitimate-looking sites with malicious links embedded in them. Another method that has been used is to break into legitimate sites and embed links to malicious sites there. I have also written earlier about how shortened URLs make it easier for attackers, because the real destination is hidden behind the short link.
The best way of not becoming a victim of a phishing attack is to not click on links in emails without first checking where they actually point. If you become a victim, or suspect that you have, change the passwords on the affected accounts immediately. Always keep the contact email address for all your accounts up to date: if there is a problem, you will be notified by email, and if you no longer access that email account, you will never know about the problem.
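The advice above ("see where the link points before clicking") can be checked mechanically. The following is an added example, not code from the original post or from Microsoft: it parses the anchor tags out of an HTML email body and flags links whose visible text names one site while the href goes to another, links that route through a URL shortener (so the real destination is hidden), and hosts that embed a trusted brand name in a lookalike domain. The shortener list, the trusted-host list and the sample email are all constructed for the example.

```python
"""Check where the links in an HTML email body actually point.

Added example (not part of the original post). Flags three things a
phishing email commonly relies on:
  1. visible link text shows one host, href goes to another;
  2. href goes through a URL shortener that hides the destination;
  3. href host embeds a trusted brand name inside an unrelated domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of shortener hosts for illustration; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Hosts the recipient legitimately expects mail from (assumed for this example).
TRUSTED_HOSTS = {"hotmail.com", "live.com", "msn.com", "microsoft.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'main domain': last two labels. Enough for .com/.ly-style hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def text_host(text):
    """If the visible link text looks like a URL or hostname, return its host."""
    candidate = text if "://" in text else "http://" + text
    host = (urlparse(candidate).hostname or "").lower()
    return host if "." in host else None


def check_links(html_body):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    brands = {t.split(".")[0] for t in TRUSTED_HOSTS}
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative links, etc. are out of scope here
        if host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))
            continue
        shown = text_host(text)
        if shown and registrable(shown) != registrable(host):
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        elif registrable(host) not in TRUSTED_HOSTS and any(b in host for b in brands):
            findings.append((href, f"{host} embeds a trusted brand name in another domain"))
    return findings


# Constructed sample email body, modelled on a typical account-closure lure.
SAMPLE_EMAIL = """<p>Your account will be closed. Please sign in at
<a href="http://hotmail.com.account-verify.example/login">https://www.hotmail.com/</a>
or use <a href="http://bit.ly/abc123">this link</a>.
Terms: <a href="https://www.microsoft.com/terms">https://www.microsoft.com/terms</a></p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link is the classic trick: the text the reader sees is the real Hotmail address, while the href leads to a lookalike host; the second hides its target behind a shortener; the third is consistent and is not flagged. Real mail clients show the href on hover, which is the manual version of the same check.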