Hackers Break Into MS HotmailBy John Schwartz
THE WASHINGTON POST -- Millions of users of Microsoft Corporation’s Free “Hotmail” email service send out messages every day that bear the service’s ubiquitous tag: “Get Your Private, Free Email at
Monday, it wasn’t exactly as described.
Microsoft had to shut down the Hotmail service for several hours Monday to fix a major security hole: World Wide Web sites appeared that allowed anyone unfettered access to any Hotmail account. Visitors to the sites could assume the identity of any Hotmail user merely by knowing the user’s sign-on.
The problem was reported Monday by a Swedish publication, Expressen. Microsoft shut down access to Hotmail accounts several hours after being notified of the problem early Monday morning while it fixed the problem, said company spokeswoman Kimberly Bouic.
Hackers had taken advantage of an existing flaw in the software -- “a formerly unknown issue that the hacker exploited,” Bouic said. That allowed a half-dozen lines of code to lay open every user account on Hotmail.
“It’s pretty cute,” said Peter Neumann, a computer security expert with the research firm SRI International. But Neumann argued that Hotmail’s woes simply show deep security problems that exist throughout the Internet. “This is just one more instance of the fact that the fundamental infrastructure is full of holes. ... Things aren’t designed to be secure, so how can you expect them to be secure?”
Rasch said that the incident underscores the risks of online life as “people are spending more and more of their private lives and their business lives online.” Web-based applications such as personal calendars, contact lists and mail are increasingly popular, but dependence on someone else to hold such information is inherently risky, Rasch said.
“It’s not just a security vulnerability but also a privacy vulnerability,” he said. The problems underscore the need for consumers to use encryption products, Rasch said, adding: “If you want to have your calendar private, keep it in your pocket.”
By late afternoon Monday, the anonymous creator of a Web page that had mirrored the illicit access sites posted only the message:
the show is over./the mirror is down./i didn’t code the exploit./i did host the mirror./thank you.
It ended with this: “btw, do you trust microsoft?”