The scale of the phishing attack on Hotmail could stretch further than first thought, with accounts on Google and Yahoo now threatened.
Microsoft confirmed on Monday that the popular email site had been the target of a scam which tricked users into revealing their passwords. This led to around 10,000 passwords being posted online.
The computer company said their servers were not responsible for the security breach and that individuals had been conned into handing over their details. But it has been reported that more lists have also been circulated with genuine account information relating to email on Google, Yahoo, Comcast and Earthlink, as well as other third-party web mail services.
Neil O'Neil, an ethical hacker and digital forensics investigator at secure payments specialist The Logic Group, said up to a million passwords could have been accessed.
"Making the breach public so soon after the attack occurred has allowed unethical hackers to access the passwords very easily, even though they were deleted a couple of days ago at the request of Microsoft," he explained.
"People tend to have the same password across many accounts — so there is a good chance that individuals have also compromised the integrity of their ebay or paypal accounts too.
"The list went through A and B, so you would think whoever released these has more. And if you do the maths, they could have more than a million passwords."
Hackers and cybercriminals attempt to trick people into handing over personal details, including email addresses and passwords. Internet users may be directed to false websites, set up to mirror legitimate websites, that feed information back to the criminals.
News of the scam broke when technology blog neowin.net reported an anonymous user had published confidential details on pastebin.com. Internet users are urged to change their passwords regularly and ensure anti-virus software is up to date to protect themselves from fraudsters.
A Microsoft spokesman said: "We are aware that some Windows Live Hotmail customers' credentials were acquired illegally by a phishing scheme and exposed on a website."
They added that they requested the details be removed from the internet and they launched an immediate investigation. The company are also taking measures to block the accounts which were hit.
A spokesman for Google said they were aware that some gmail accounts had been part of the phishing scam and said — while their servers were not responsible — they had taken steps to ensure security.
And a spokesman for Yahoo said they take great effort to protect their users' security and that they urge consumers to take measures to secure their accounts whenever possible, including changing their passwords.