Phishers have compromised thousands of Hotmail accounts, posting the password information online, Microsoft has confirmed.
Details of at least 10,000 email accounts, mostly originating in Europe, were posted online on code sharing site Pastebin.com, the BBC said.
The information has since been taken down, but the news organization said it had seen a list of 10,028 names beginning with the letters A and B.
The list includes Microsoft email accounts ending in hotmail.com, msn.com and live.com.
A Microsoft spokesperson told the BBC it was aware of the breach, and had launched an investigation.
Security research firm Sophos recommended that all Hotmail users change their passwords, noting that around 40% of people use the same password for every website they use.
Separately, researchers at F-Secure said criminals continued their assault on social media sites such as Facebook during Q3, and have developed a new method of directing botnets via Twitter.