[nsp-sec] Compromised email account list

Smith, Donald Donald.Smith at qwest.com
Tue Oct 6 16:43:59 EDT 2009


They have been reposted here.
Not sure if this is the same list but it matches the description provided in the news.

http://pastebin.ca/1597228
http://pastebin.ca/1597244
http://de.pastebin.ca/raw/1597629


I think it was a key logger or phishing attack based on the unusual pattern of usernames and passwords in the posted text.

http://pastebin.ca/1597228# 
Looking at the usernames and passwords, I see some that would NOT have worked as usernames/passwords for hotmail.

Here is one that appears to have had the caps lock key down while typing the password.

bixi_sergio at hotmail.com:candado
bixi_sergio at hotmail.com:CANDADO

Hum, not a hotmail account, at least not a full account :)
bj:black
bizi30:setupe
biutifool_1525hotmail.com:1919365
bithotmail.comxia25@:atico14
bisandoval:gorigori7

Looks like these users typo'ed their username at least one time.

bishwash_believe at Hotmail.com:poonam
bishwash_belive at Hotmail.com:poonam

biro1970 at hotmail.com:micasa
biro1970hotmail.com:micasa

biolokita_ at hotmail.com:crismalu
biolokita_hotmail.com:crismalu


billy_niche at hotmail.com:ecuador
billy_niche at htomail.com:ecuador


I don't believe you can compromise something other than the user's trust/keyboard and see typos :)

So this was either a phishing attack or a keylogger; either is possible.
I am leaning towards the keylogger because the better phishing attack tools wouldn't have accepted some of the inputs above :)

It was NOT a compromise of backend databases or similar vulnerability.

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Greg Schwimer
> Sent: Tuesday, October 06, 2009 2:42 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Compromised email account list
> 
> ----------- nsp-security Confidential --------
> 
> Does anyone have a copy of the list mentioned in the article 
> below handy?
> 
> http://mashable.com/2009/10/06/gmail-accounts-exposed/
> 
> We're looking to cross reference this info with our customer 
> base to help our 
> customers get their passwords reset.
> 
> Greg Schwimer
> GoDaddy.com, Inc.
> 480.366.3636
> 
> 
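The reasoning in the message above (malformed usernames, caps-lock password variants and typo-then-retry pairs point to capture at the keyboard or a phishing form, not a backend database) can be turned into a triage check for a posted dump. This is an added example, not part of the original message; the `user@domain:password` line format, the function names, the edit-distance threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[a-z]{2,}$", re.I)

# Constructed sample records (user:password), not taken from any real dump.
SAMPLE = """\
alice@example.test:winter09
alice@example.test:WINTER09
bobexample.test:tr33house
bob@example.test:tr33house
carol@exmaple.test:sunshine
carol@example.test:sunshine
dave@example.test:qwerty12
dj:black77
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def input_capture_indicators(dump, max_typo=2):
    """Count the three signs that records were captured as typed by users."""
    by_pw, by_user = defaultdict(set), defaultdict(set)
    malformed = 0
    for line in filter(None, map(str.strip, dump.splitlines())):
        user, _, pw = line.partition(":")
        # A backend account table would not hold usernames that fail validation.
        malformed += not EMAIL_RE.match(user)
        by_pw[pw].add(user.lower())
        by_user[user.lower()].add(pw)
    # Same account, passwords differing only by case (caps lock left on).
    caps = sum(1 for pws in by_user.values()
               if len(pws) > len({p.lower() for p in pws}))
    # Distinct usernames a few edits apart sharing one password (typo, then retry).
    typos = sum(1 for users in by_pw.values()
                for a, b in combinations(sorted(users), 2)
                if 0 < edit_distance(a, b) <= max_typo)
    return {"malformed_usernames": malformed, "caps_variants": caps,
            "typo_retries": typos}
```

The counts are heuristics: two unrelated accounts with similar names and the same common password would also register as a typo retry, so the result supports the assessment but does not settle it.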