Many of them had passwords that were as unsafe as their surfing habits.
We're talking passwords like 123456 or, for the more "security" minded, 123456789.
No surprise here, or there shouldn't be. While the number-sequence passwords listed above evidently accounted for only a few dozen of the tens of thousands of compromised log-ins, it's a pretty safe bet that plenty of the other passwords were barely more secure.
And if they're not taking proper care in creating and frequently changing their passwords, what do you think the odds are of their taking care about clicking on potential phish-links?
Yeah, that's what I think, too.
Time to gather every one of your employees -- whether or not they use Hotmail, Gmail, or any of the other targets (and that's what are: targets; the poor security here was on the users' part) -- and give them a strong refresher course in
How to recognize phishing scams like the recent Hotmail harvest. How to build and maintain strong passwords.