Microsoft confirms Hotmail phishing attack

Microsoft has confirmed that Hotmail customers were hit by a phishing attack, resulting in the release of thousands of passwords online.

Last Thursday, an anonymous user posted details of over 10,000 accounts - with addresses starting with the letters A or B - on a developer site.

Although the precise cause of the leak is still unclear, Microsoft said that once it had learned of the issue, it requested that the credentials be removed and launched an investigation.

A spokesperson said in a statement: "As part of that investigation, we determined that this is not a breach of any Microsoft servers."

The statement added: "Subsequently we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts."

Microsoft also said that phishing was an industry-wide problem, and advised users to keep anti-virus software up to date and to renew passwords every 90 days.

IT security firm Sophos said that users of Microsoft's online services should change their passwords, and that the fact that the leaked accounts began with A or B suggested the list could be the "tip of the iceberg".

"My recommendation for users of Microsoft's online services is to change your passwords immediately," said Sophos senior security advisor Chester Wisniewski in a statement.

"You are better to be safe than sorry, and password rotation is something we are often too lazy to do," he added.