200 million Hotmail accounts compromised

May 11, 2003

This is an old, sarcastic news post from when I was in college. I apologise.

REDMOND, WA, USA - Microsoft’s .NET Passport login system, which it uses for Hotmail and other services, has been hit by yet another security scandal, one that could cost the company $2.2 trillion. A very easy to exploit flaw in the password recovery feature allowed anybody in the world to access anybody’s Passport (and hence Hotmail) just by knowing their login. The Federal Trade Commission asserted last year that future breaches of security that jeopardize users’ information could draw fines of $11,000 per infraction, which would, considering 200 million accounts, add up to $2,200,000,000,000.

For the last year, the only thing one needed to do to hijack a Hotmail account was type “emailpwdreset” and one’s own email address into the right places in a password-reset web address, and voilà, a new password for the victim’s account arrived in one’s own inbox. While this had been in existence since sometime in 2002, emails of “My account’s been hijacked!” to MSN Support were being responded to with what amounted to, “Don’t give out your password then. Go away.” Although Microsoft had been contacted about this security flaw by email, it wasn’t until it was posted publicly to a security mailing list that they closed the hole (three hours later).

It seems users are now starting to understand Microsoft’s new “Trustworthy Computing” theme. “I really trust Microsoft,” said one system administrator. “As long as I check every few hours for security patches, my systems are only vulnerable to publicly known attacks for a few hours every week or two.” Hotmail users in general are warming up to Microsoft due to this news. “Oh, they fixed another hole that could allow anyone to take over my account?” asked one Hotmail user. “Well aren’t they great? Always working hard to make my life better.”

Security experts leaped to Microsoft’s defense. “They’re great! Keep buying their products,” urged one expert who specializes in disaster recovery. Another expert, an aftermarket security software developer, agreed. “Microsoft is the most trustworthy email provider I can think of that is supported by ads and spam, and rhymes with Lycrosoft.” We asked one of our security experts to email us a list of all the reasons why Microsoft systems and services are secure and trustworthy, but unfortunately each time we asked, we only received blank emails.

This whole issue brings up the question: what IS a Microsoft Passport? Microsoft wants it to be where you keep all your credit card and personal information, allowing you to easily authorize them to charge things with a minimum of fuss. In reality, it’s their login system for MSN Messenger and Hotmail. A Passport’s login is an email address, and that’s one’s login for MSN Messenger. (It’s actually possible to register an @alteringtime.com email as a Passport for Messenger use, allowing you to be totally Hotmail-free.)

The author of this article doesn’t use much Microsoft software, but has more free time and money to waste now, so he begins to wish he did.

© Allen Pike. See also Twitter and Steamclock.