Seen on Reddit:
Earlier today I received one of those run-of-the-mill phishing emails. I opened the url that the email wanted me to open, but leaving out the .php file in the end.
At the directory, among other files belonging to the infected server was a .zip file, and inside it a .txt with 47130 email;password pairs. At first I thought it was just a list of “targets” to send the phishing spam to, but it was actually real people’s account information that was being used to send out the emails. Or that’s my guess. All of them are either from hotmail.com or msn.com.
I wrote a Python script to test if the accounts were still valid without actually looking into these people’s emails, and what I found was this:
This script has been running for about 2 hours now, and about 85% of the credentials I’ve tested are still valid.
What do I do now? Emailing all these people is probably out of question, but I’d feel bad to leave all these emails almost up for grabs.
Edit: I aborted the script at about 2k logins, it was enough proof that the credentials were fresh and valid. Internet regulation in my country is abysmal and I’m mostly sure none will come of it. I posted this to see if I would be able to help the people who had their credentials stolen, not to be repeatedly told to SHUT DOWN EVERYTHING. I know the risks.
Edit2: Just finished talking to Microsoft. They have the list. The server hosting the files has been down for at least 2 hours, I don’t know if it’ll ever come back. Guys at Microsoft were extremely nice, and it also felt like I had actually done something.
Mission accomplished, I guess? Thanks, guys.