Wednesday, Oct 07, 2009

Were Stolen Hotmail/Gmail Accounts Really Phished?

Recently, someone posted a list of 10,000 stolen Windows Live / Hotmail credentials to pastebin (the list has since been removed). This was followed by the discovery of additional lists which reportedly upped the number of victims to 20,000 and expanded to also include credentials from Google Gmail, Yahoo, AOL, and other online services. Phishing has been widely cited as the cause, but is it really that simple?

A couple of months back, ScanSafe came across a cache of stolen credentials, including usernames and passwords for over 6,000 unique FTP sites. Based on how the stolen data was organized, it seemed clear this was not the work of a phish or other social engineering scam, but rather was caused by a malware infection - i.e. password harvesting, keystroke logging, and/or man-in-the-middle attacks.

The stolen data was organized by the victim's Windows Live ID (where applicable), followed by usernames and passwords (and the URL) for secure websites the victims visited. This was listed by browser type (either Firefox or Internet Explorer) and included any FTP usernames and passwords. Next were the individual victim's credentials associated with other Internet-enabled apps/services they used, including Steam, Trillian, Outlook, and Google Talk. A separate list containing just FTP credentials was also discovered.

Ironically, a great many of the victims were using strong passwords and different passwords for each account or type of account. But despite their attention to password management, the introduction of malware to the system overcame those efforts.
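The two paragraphs above describe how the cache was laid out (victim's Windows Live ID, then browser-stored web credentials per browser, FTP credentials, then other application credentials) and note that many victims used distinct, strong passwords. The following script is an added example, not ScanSafe's tooling and not the actual dump: it parses a constructed dump in a format assumed to mirror that layout, summarises what else beyond webmail each victim has exposed, applies the post's reasoning (one site's credential looks like a phish; browser stores, FTP clients and other apps harvested together look like malware) as a heuristic, and produces password-free rows suitable for victim notification. The record tags `victim`, `web`, `ftp` and `app` and all sample values are constructed.

```python
"""Triage of a credential dump laid out like the one the post describes.

Added example (not ScanSafe's tooling). The dump format is constructed
for illustration: each victim block starts with a 'victim' line, followed
by records tagged 'web' (browser, URL, user, password), 'ftp' (host, user,
password) or 'app' (application, user, password).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump (not real data), mirroring the described layout:
# Windows Live ID, browser-stored web credentials per browser (including an
# FTP URL saved in the browser), FTP client credentials, then other apps.
SAMPLE_DUMP = """\
victim alice@hotmail.example
web Firefox https://bank.example/login alice Tr0ub4dor&3
web Firefox ftp://ftp.alice-site.example alice_ftp C0rrectHorse!
web IE https://shop.example/account alice@hotmail.example x9!Lk2$q
ftp ftp.alice-site.example alice_ftp C0rrectHorse!
app Steam alice_games W1nter$2009
app GoogleTalk alice@gmail.example Autumn#Leaves9
victim bob@hotmail.example
web IE https://mail.live.example/ bob@hotmail.example password1
"""


def parse_dump(text):
    """Group records by victim. Returns {victim_id: [record dict, ...]}."""
    victims = defaultdict(list)
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "victim" and len(parts) == 2:
            current = parts[1]
            continue
        if current is None:
            raise ValueError("record appears before any victim line")
        if kind == "web" and len(parts) == 5:
            _, browser, url, user, pw = parts
            victims[current].append({"kind": "web", "browser": browser,
                                     "host": urlsplit(url).hostname,
                                     "user": user, "password": pw})
        elif kind == "ftp" and len(parts) == 4:
            _, host, user, pw = parts
            victims[current].append({"kind": "ftp", "host": host,
                                     "user": user, "password": pw})
        elif kind == "app" and len(parts) == 4:
            _, app, user, pw = parts
            victims[current].append({"kind": "app", "app": app,
                                     "user": user, "password": pw})
        else:
            raise ValueError(f"unparseable record: {raw!r}")
    return dict(victims)


def exposure_summary(records):
    """What one victim has exposed beyond the webmail account itself."""
    return {
        "web_hosts": sorted({r["host"] for r in records if r["kind"] == "web"}),
        "ftp_hosts": sorted({r["host"] for r in records if r["kind"] == "ftp"}),
        "apps": sorted({r["app"] for r in records if r["kind"] == "app"}),
        "browsers": sorted({r["browser"] for r in records if r["kind"] == "web"}),
        # Distinct passwords: a high count means reuse did not cause the
        # spread, i.e. the credentials were harvested from the machine.
        "distinct_passwords": len({r["password"] for r in records}),
    }


def likely_source(records):
    """Heuristic from the post: a phish yields one site's credential, a
    stealer yields browser stores, FTP clients and other apps at once."""
    kinds = {r["kind"] for r in records}
    browsers = {r["browser"] for r in records if r["kind"] == "web"}
    if len(kinds) > 1 or len(browsers) > 1:
        return "malware (credential harvesting)"
    if len(records) == 1:
        return "consistent with phishing"
    return "undetermined"


def notification_rows(victim, records):
    """Rows safe to send the victim: which accounts are exposed, never the
    passwords themselves."""
    rows = []
    for r in records:
        where = r.get("host") or r.get("app")
        rows.append((victim, r["kind"], where, r["user"]))
    return rows


if __name__ == "__main__":
    for victim, recs in parse_dump(SAMPLE_DUMP).items():
        print(victim, "->", likely_source(recs))
        print("   ", exposure_summary(recs))
```

Run on the sample, the first victim is classified as a malware harvest (two browsers, an FTP client and two applications, five distinct passwords), while the second, with a single webmail credential, is consistent with phishing; the notification rows carry only the service and username so they can be sent without redistributing the secrets.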

Most disturbingly, we came across the cache of stolen credentials quite by accident - the stolen data was posted in plain view on a now defunct hacker website. We found it while doing an unrelated Google search. Presumably others could have as well.

ScanSafe made every attempt to contact the victims and did not publish details at the time. We also reported the site to the appropriate parties. Our hope was to minimize the number of curiosity seekers who obtained copies of the compromised credentials. We're mentioning it now to underscore that phishing may not be the root cause of the recent Hotmail, Gmail, Yahoo and other webmail account exposures discovered this week. It's important that victims consider the possibility that their systems have been infected with password-stealing malware and that more than their webmail accounts may have been exposed.
