Microsoft, which owns the Web-based e-mail system, said it had launched an investigation, the BBC reported Monday.
The accounts were the victims of a phishing attack. Phishing is defined as using fake Web sites to lure people into revealing personal details such as bank account numbers or login names.
A published list of 10,028 names may just be a subset of a longer list of compromised accounts, Graham Cluley, a consultant at the security firm Sophos, said. The list is genuine and the addresses end hotmail.com, msn.com and live.com.
Microsoft had the list removed immediately.
Cluley advised Hotmail users to change their passwords immediately. He said about 40 percent of people use one password for many purposes and advised against it.