Microsoft rushes out fix after hackers reset passwords to hack Hotmail accounts

Filed Under: Featured, Microsoft, Privacy, Vulnerability

Microsoft says it has fixed a serious vulnerability in Hotmail that was allowing hackers to reset account passwords, locking out the account's real owner and giving attackers access to users' inboxes.

News of the critical bug spread rapidly across underground hacking forums, and Whitec0de reported earlier this week that hackers were offering to break into any Hotmail account for as little as $20.

It appears that the vulnerability existed in Hotmail's password reset feature. Hackers were able to use a Firefox add-on called Tamper Data to bypass the normal protections put in place to protect Hotmail accounts.
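As an added illustration (not code from the article, from Hotmail or from Microsoft; the page does not say which part of the reset request was tampered with), the Python below contrasts a reset handler that trusts client-supplied form fields, which an intercepting add-on can rewrite before they reach the server, with one that binds the reset to an account server-side through a random, single-use, expiring token. The account names, the hidden "verified" field and the in-memory user store are constructed for this example.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed in-memory user store for the example: account -> current password stand-in.
USERS = {"alice@example.invalid": "pw-alice", "bob@example.invalid": "pw-bob"}

# --- Vulnerable pattern (assumed illustration of the bug class, not Hotmail's code) ---
# The reset form carries the target account and a "verified" flag as hidden fields.
# Everything in the request body is under the client's control, so an intercepting
# tool can rewrite both before the request is submitted.
def vulnerable_reset(request: dict, users: dict) -> bool:
    """Resets whichever account the request names, trusting the client's 'verified' flag."""
    if request.get("verified") != "1":
        return False
    account = request.get("account")
    if account not in users:
        return False
    users[account] = request["new_password"]
    return True

# --- Hardened pattern ---
# The server decides which account a reset applies to. After its own identity check
# succeeds it issues a random, single-use, time-limited token and records the binding
# token -> account. The reset request carries only the token and the new password;
# any 'account' field the client sends is ignored.
TOKEN_TTL_SECONDS = 15 * 60

class ResetService:
    def __init__(self, users: dict, now: Callable[[], float] = time.time):
        self.users = users
        self.now = now
        # token -> (account, expiry). In production this lives in a datastore.
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue_token(self, account: str, identity_check_passed: bool) -> Optional[str]:
        """Called only after the server itself has verified the requester."""
        if not identity_check_passed or account not in self.users:
            return None
        token = secrets.token_urlsafe(32)  # 256-bit unguessable value
        self._pending[token] = (account, self.now() + TOKEN_TTL_SECONDS)
        return token

    def reset(self, request: dict) -> bool:
        """Applies the reset to the account bound to the token, never to a client-named one."""
        presented = str(request.get("token", "")).encode()
        match = None
        for token in self._pending:  # constant-time comparison against each candidate
            if hmac.compare_digest(token.encode(), presented):
                match = token
        if match is None:
            return False
        account, expiry = self._pending.pop(match)  # single use: consumed even if expired
        if self.now() > expiry:
            return False
        self.users[account] = request["new_password"]
        return True

def demo() -> dict:
    """Sends the same tampered request to both handlers and reports what each did."""
    # Constructed request whose hidden 'account' field has been rewritten to Bob's
    # address and whose 'verified' flag has been set by the client.
    tampered = {"account": "bob@example.invalid", "verified": "1",
                "new_password": "chosen-by-client"}

    vuln_users = dict(USERS)
    vuln_result = vulnerable_reset(tampered, vuln_users)

    hard_users = dict(USERS)
    svc = ResetService(hard_users)
    # The server verified Alice and issued her a token; the submitted form still
    # carries the rewritten 'account' field, which the hardened handler ignores.
    token = svc.issue_token("alice@example.invalid", identity_check_passed=True)
    hard_result = svc.reset(dict(tampered, token=token))

    return {
        "vulnerable_reset_bob": vuln_result and vuln_users["bob@example.invalid"] == "chosen-by-client",
        "hardened_bob_untouched": hard_users["bob@example.invalid"] == "pw-bob",
        "hardened_alice_reset": hard_result and hard_users["alice@example.invalid"] == "chosen-by-client",
        "token_replay_rejected": not svc.reset(dict(tampered, token=token)),
    }
```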

According to some reports, Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession.

Numerous videos, many of them in Arabic, have been posted on YouTube demonstrating how the flaw could be exploited to gain access to Hotmail accounts.

Of course, hackers aren't just interested in breaking into email accounts out of curiosity or because they want to read your spam.

No, they're also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control.

What isn't known is just how many of Hotmail's 350 million users might have been impacted by the serious security vulnerability - Microsoft certainly isn't saying.

But if you're worried, there's an easy way to check.

Hacked Hotmail accounts would have had their passwords changed to something else - so if you are no longer able to access your Hotmail account it's possible (although by no means definite - there may be other reasons, of course) that your email account fell victim to this attack.


54 Responses to Microsoft rushes out fix after hackers reset passwords to hack Hotmail accounts

  1. Bullwinkle Boggs · 907 days ago

    Just to make it clear - the BAD guys can only reset the password, they canNOT determine the current Hotmail password - is this correct?

  2. Robert Agostino · 907 days ago

    Hotmail hack: Over two years ago exactly what is described in the recent Hotmail article happened to my hotmail account. I lost the account, the password, the contacts, the stored emails, everything. Microsoft did nothing to help me recover/restore that material, even though their service people suggested they could fix the problem--- 2 years ago. How can exactly the same problem appear in 2012? Because it was never addressed in 2009-2010. Nothing has more lives than an error you refuse to fix.

    • mrbill · 907 days ago

      Ask for your money back.

    • Nigel · 907 days ago

      Alas, Microsoft is well accomplished in the art of refusing to fix errors. They've been doing it in MS Word for Mac ever since Office X (v10.0, released in 2001), when they broke numerous features in the user interface (Customize Toolbars, Insert Cross References, Merge Documents) --- features that they acknowledge (privately, and reluctantly...if you can work your way far enough up the support chain) are broken, but they refuse to fix.

      A Microsoft MVP once told me that the failure of any Microsoft product to perform as advertised is NOT the criterion by which they decide to fix errors. They don't make decisions based on such principles. Rather, they make their decisions based on how many users squawk about it. The principle that customers should get products that actually work as advertised is not relevant.

      He wouldn't (or maybe he couldn't) tell me any more than that, except to say that Microsoft would continue to "WON'TFIX" the errors in MS Word unless I could get at least 1,000 users to bitch about it.

      See, that was your problem. You were only 1 user. It took 13 million users' accounts being compromised to get Microsoft to move. Your perspective is that errors should be fixed BECAUSE they are errors. That's a principle. With Microsoft (and they're not alone on this), that principle is not the compass by which they steer.

    • dazzler11 · 457 days ago

      My account has been hacked and they have changed all the information that Microsoft require to verify it, i.e. alternative email and cellphone number to send a security code has changed. The form doesn't ask the usual questions like 'first pet's name' or 'mother's maiden name' etc. but asks questions about your account, which can all be changed by the hacker once they have control! It's crazy! I have retrieved accounts before using the methods above but MS make it too easy for hackers to gain control and shut you out - Calling their customer service line is hopeless in trying to speak to a real person to verify that you are who you are. God only knows what the hackers are doing with my information and using my email name - It's no wonder there is such a problem with hackers if they can get away with it and the account holder has so much hassle in trying to verify legitimacy!!!

      • Exactly what is happening to my account completely locked me out changing password, alternative emails.........they changed all information to help verify that I am the true owner of my account they need to change it!!!!

  3. Khaled · 907 days ago

    My account was hijacked using this method and Microsoft support is horrible with the recovery process.

  4. Larry · 907 days ago

    This issue of hackers resetting passwords to hack Hotmail accounts happened to me in May of 2011 and I could not get any help from Microsoft or Hotmail.
    The hackers used my account to e-mail all of my contacts saying that I was stranded in England after being mugged and that I needed $2500 to get back to the States. My contacts knew it wasn't me, because they knew my home wouldn't float and e-mailed me on another account to tell me that it had been hacked!
    I HAVE COMPLETELY DROPPED HOTMAIL AND LIVE.COM DUE TO MICROSOFT'S LACK OF SECURITY AND MOST OF ALL MICROSOFT'S LACK OF CUSTOMER SERVICE AND INTEGRITY WHEN IT COMES TO DEALING WITH AN ISSUE!

    • Sandi · 876 days ago

      Hi Larry: This just happened to me 5/24. Hacked and all contacts in address book were sent letter saying I was in the Philippines and needed money. Now I have tried many ways to get into account to change password and no help. They just send me to a website and then the website says there is a temporary problem!!!!!!! I am making myself crazy. All I want to do is change the password and then cancel my account. But can't do either because of lack of service from them.

    • peter · 818 days ago

      Damn. I've had my e-mail address since 1997, and I only ever use it anymore to access Microsoft Technet. This sucks.

  5. Leanne · 907 days ago

    My email was hacked a few weeks ago, I too have been "locked" out and lost all of my contacts, data etc! There are no contact details in the way of a phone number to be able to retrieve your data, no one to speak to and therefore I come to the conclusion that no one even cares! It's an utter disgrace!

  6. Jon Fukumoto · 907 days ago

    If they knew about it, why didn't they patch it right away? It's things such as this that make Microsoft the company everyone loves to hate. Their client OSs (XP, Vista, 7) have too many security holes, requiring frequent patches. Witness the failure of Vista, an OS which never did work despite being patched. Apple also has dropped the ball regarding the Flashback Trojan. Companies need to patch their software frequently, and make them work as advertised, otherwise who's going to buy a product which is filled with bugs or worse zero-day bugs?

  7. Sue · 907 days ago

    They got me.. friends started asking me via Facebook what the email for the "home business" was all about. Since I had no idea what they were talking about and rarely use my Hotmail account, I told them to delete. I got into my Hotmail account ok, but all my contacts were removed along with any emails I had in there. I changed my pw, but went back in tonight and changed it again.. just to be safe(r). I then had to send out a status update to everyone I know on Facebook telling them I had been hacked and not to open any emails from my Hotmail account, since I had no contacts left to send out a message to. What a pain in the butt.

  8. vileshadow · 905 days ago

    I was one of the victims a few weeks ago!

    I'm quite protective of my password and I use a rather complex one so this vulnerability explains how they got in. My reset information was changed apart from my alternative email (which happened to be hacked too!) and my mobile number. My account is used for many things especially billing! So after a few weeks of trying to get it reset by filling out Recovery forms (a majority didn't even get a confirmation email either OR no reply after 24 hours) it wasn't until last week I finally managed to get it back.
    While no passwords are stored on my account and it was only harboured for spamming purposes (which got blocked after 37 spam emails), I was mostly safe from identity theft. In the meantime I had changed all my accounts to another email address and changed any "common/easy" passwords to more complex ones.

    As a victim I do ask that if anyone else finds out they've been mysteriously blocked please go here on live.com (https://account.live.com/ResetPassword.aspx) and select "I think someone else is using my Windows Live ID" click reset password, enter your address and follow the prompts! Just make sure you have another email address to receive the emails for your account recovery. If you get nothing or don't get a reply within 24 hours you will need to repeat it again.

    Just don't give up! I know exactly how frustrating and horrific it is!

    Vile :)

    • Ranj · 194 days ago

      I have been fighting with Microsoft to get access to my account, same as above, but that link has me fill out a verification questionnaire and says wait 24 hours for a response. Then they come back with "we cannot verify it is really you". I have escalated my request and again they say they will respond in 24 hours, it is going into day 3... has anybody ever got back into their Hotmail account, or do you just give up and open another email account?

  9. Ken · 905 days ago

    I suppose I have to join the rest of the crowd here. I too have lost control of my old email account "@msn.com", and have been "temporarily blocked" from using that log-in. The night before all this happened I had just started using the SkyDrive account, luckily there was nothing important on it yet: I will never trust Microshaft again!

    As ALWAYS Microshaft has lived up to its nickname by being totally useless!

  10. roy jones jr · 905 days ago

    Okay so what is the most current status from Microsoft? In other words, is there anything users need to do outside of completely creating another email account? What steps does Microsoft plan to take in the future? The .net passport/live/hotmail information is tied together so having passwords being reset affects more than just email.

  11. Sandy · 901 days ago

    I just got hacked from some j/a who sent a spam email message to what seems like everyone I know asking for $2500 because "I" was stranded in Europe. Some of the people that the message went to I had no interest in communicating with ever again. I also found that my email messages were scheduled to be forwarded to some other account of which I have no idea who it belongs to. Also, when Microsoft verified that I was indeed the real account owner, I changed my password immediately and when I tried to log on to my account, everything was in Arabic. Luckily, a friend who was saved from all this mess was able to walk me through changing everything back to what it should be by telling me where the correct buttons were to hit. A simple "save" was hard to decipher and seemed to be written backwards.

    NOT something I want to experience again, but I did send a scathing (lack of a better term) email message to the email address my email messages were being forwarded to.

  12. n.nizam · 895 days ago

    Just got hacked this morning. Managed to recover my account without any mails being deleted.

    quite frustrated because i've been using hotmail since 2002 and this is the first time this thing happened to me.

    maybe going to change my main email to gmail...

  13. Graeme · 893 days ago

    Don't know if it's related to the hacking but for two days I have been able to access my Hotmail account but clicking on messages or any other item doesn't do anything, can't delete, can't open, can't flag. Seems there's more to this than meets the eye. Quite frustrating that these criminals are getting away with it so easily.

  14. Adam · 890 days ago

    My wife's Hotmail was hijacked. The hacker reset the password through the method in this article and started sending out spam emails. This happened after her friend's Hotmail also got hacked.

    After 3 days, I finally got MS to successfully verify our identity and reset the password. And we discovered that the hacker filled up all the alternate emails (10 max) and we cannot remove them without the approval from the hacker. We can mark them for removal in 6 months' time. But this is pointless because the hacker can simply reset the password and recover these alternate emails.

    This is simply ridiculous. MS support claims that this is a security feature by design. For whom? To make sure the continuous access of the hijacked account by the hacker?

    The only reference to this problem that I can find is this: http://answers.microsoft.com/en-us/windowslive/fo...

    The original question was gone but one can read from Google cache by searching "my hotmail account is hacked and the hacker filled the password reset info so I can't add mine".

  15. peeved · 853 days ago

    Just this morning I tried to log into my usual hotmail account and was greeted by a page asking me to "provide account information". It says: "Before you can sign in to Windows Live, you need to create a new password. We recommend creating a strong password to help protect your information." It then asks me to confirm my original password and then to create a new password. I have no idea whether this is something from Windows Live or whether it's a scam. Does anyone have any advice, please? I have two Hotmail accounts and I can sign into my other one OK.

    • Hacked · 853 days ago

      I just got the same thing! I was looking around for info, and found your post. I reset my password to a new one (after 10 years with the old one - sniff!). I'm thinking our accounts got hacked through a hotmail security vulnerability.

      If you have any accounts that share the same password as Hotmail, I suggest you change them too (to a password not shared with Hotmail, so you can avoid this crap next time).

  16. San_Nom · 853 days ago

    @ Peeved - same thing happened to me this morning. I tried to log into my hotmail account and got a page asking me to "provide account information" saying "Before you can sign in to Windows Live, you need to create a new password. We recommend creating a strong password to help protect your information."

    I can still access my hotmail from my phone - no request to change my password there.

    I've never encountered anything like this with my hotmail account. Anybody know what's up?

  17. peeved · 853 days ago

    Thanks for the replies, guys.

    I wasn't sure whether the request to reset my password was the scam! I still haven't done it yet. I want to be sure that if I reset it, I'm giving the information to Hotmail and not the scammers. How on earth are you supposed to know whether this is a genuine message from Hotmail when there isn't even an explanation? I've had scam emails from PayPal and from banks before, but luckily I guessed they were dodgy.

  18. John · 839 days ago

    In the past few weeks I've received spam from 4 different people with hotmail accounts, 2 from US, 2 from UK, their passwords were stolen but had not been changed. All hotmail users should be advised to change their passwords.

  19. irritated · 838 days ago

    I couldn't log into my Hotmail account and after resetting the password and finally getting in I discovered all my info was changed. My name was changed and it was something I couldn't even pronounce. My location was changed to South Africa and birthday was changed too. When I went to alternate email that was also changed and I had to add another alternate to delete the unknown one. This is crazy and it upsets me to know somebody had access to my email which includes personal documents. I just might go back to pen, paper and stamps.

  20. SARADORI · 832 days ago

    Beware, my mom's Hotmail account was hacked and the hackers sent e-mails to every bank she does business with stating that she needed money transferred because she wanted to buy a house in Singapore. We live in Canada and have never done any business or bought any property in Singapore. We were on vacation at the time. One of the banks called for verification only once and someone told them she was not home. They left no message to call them or anything. The bank then sent the HACKERS the MONEY!! The hackers then sent follow up e-mails saying they needed more money, TWICE. The idiot at the bank sent money an additional 2 times and sent the hackers info about how much money was in my mom's account!!!!!! WTF!!! I feel like Hotmail is the least secure of all the big mail services. I will make sure she never uses that account except for junk EVER again!!

  21. Leigh · 828 days ago

    Hacked and blocked and no help from anyone. Credit card abused to the limit and no help given. Don't even want to use my computer for anything. I may go back to the written hand - safer! These hackers are scumbags with no guilt! Shame on you - shame!!!

  22. CPT Rangervall [Z-CDR](Raptor-ZCo) · 823 days ago

    My wife's account was hacked the day after I bought her an iPhone for Mother's Day. She's had the account and same password since 2005 and this has never happened before. This prevented her from accessing anything on her iPhone. We were eventually able to get a code and reset the password. We changed the password to something complex and continued to use the account. A couple days ago more spam was sent--hacked again. This time, we got the code and reset the password to something even more complex, but immediately after resetting the password, it took us back to the "your account is blocked" page. NOW what do we do?

  23. clg · 818 days ago

    Just got hacked today. Called Hotmail, instead of helping, they tried to sell me software claiming it would fix my problem. Something tells me they're involved in the whole thing. Seriously!!!!

  24. vkling · 812 days ago

    Happened to my hubby today. We called the Hotmail tech number and they said they have to charge him to fix it....$150!! Is this a scam too? He has to get into his mail for biz today! Boy what a pain.

  25. davi · 807 days ago

    It is better to use email providers that are not so popular like Safemail, Thundermail, GMX etc... these big companies are the only ones that seem to be hacked every now and then.

  26. Mkit · 799 days ago

    Hotmail (or more precisely Microsoft) has denied me accessing my account claiming someone else is using my account. I was asked many questions for verification of my identity. Then it says I have to wait for 5 to 7 days for them to sort things out.

    Honestly, it takes too long a time. I need to receive emails from others although I can use a different account.

    Is there a quicker way; it is just so so inconvenient.

  27. FrustratedDaughter · 797 days ago

    My elderly father had his MSN Premium email account blocked this week. He has had this email account for 13 years without any problems. Initially there were attempts to sell him "help" for between $150-200. I contacted Microsoft today more than 10 times, getting 10 different answers, none of which helped. I filled out the online forms requesting a password reset and/or account recovery more than once today, with each one giving me a message that I would receive a response within 24 hours. I provided my email address for them to respond. Earlier tonight one of the Microsoft reps I spoke with on the phone provided me with a different link for account recovery. He told me there was no record of my previous submissions to recover my Dad's MSN email account/password & to use his link to request account recovery. I did that. I just checked my email and I have 3 responses from Microsoft, 2 telling me there is an "investigation" into my Dad's issue and a 3rd response saying they were unable to verify my Dad as the owner of the MSN email account?? I had provided 3 email addresses my Dad had sent emails to just prior to the account being blocked, my Dad's physical address, including zipcode, the last 4 digits of the credit card used to pay Microsoft for this email account a few months ago, the cardholder's name and the expiration date of the card, but Microsoft could NOT VERIFY MY DAD IS THE ACCOUNT OWNER??? Not sure what to do now? My Dad wants to get his contacts and then cancel his MSN email account.

  28. Lorraine · 795 days ago

    I too have been hacked and all I have tried to retrieve my Hotmail I cannot, I want some help thanks

  29. vic · 791 days ago

    Had problems trying to access my Hotmail account on my phone, message kept saying 'cannot connect to server'. Thought it was the phone and never really bothered with it. A few days later tried to access my account via my PC, only then did I realise there was a problem. Got a message saying 'it looks like someone else might be using your account'. I filled out the recovery form as best as I could as I could not remember a lot of the details. The form got bounced back saying they could not verify my details and to resubmit a new form. I did this with some extra details which seemed to be accepted. Was told due to high volumes this could take 5 to 7 days. Still no reply after 4 days of resending the form. Spoke to my sister today and she had the same problem with her Hotmail but she was suspicious about filling out the recovery form. This got me thinking as to whether I did the right thing by filling out the recovery form. After a bit of research I think the form is genuine but all I can do now is wait for a reply from Microsoft.. It seems many Hotmail accounts have recently been hacked from what I have read and this probably explains the long delay from Microsoft to get things fixed.
    Must admit am getting so sick of technology with passwords and security, knowing what is genuine and what is not genuine, and now with my situation I am the genuine account holder and I have to go through so many hoops just to get my Hotmail account back!!!!!!! It was so much easier in the past without all this tech. Don't blame the luddites all those years ago....Anyway please Microsoft sort it out!!!!!!!! otherwise may have to resort to getting a Yahoo account.......

  30. John · 788 days ago

    I'm sorry to have to say this but the more information you put out on the internet, to store (cloud storage) with big companies (MICROSOFT) or big governments (US), you are giving more access points for problems and becoming a bigger target to have your data corrupted or accessed by someone who shouldn't have it, i.e. govt employees who lose their high security laptops. ANY government who insists that you keep giving them more information becomes THE PROBLEM instead of curing it. Any responses?

  31. Nia · 785 days ago

    I got hacked too, my Windows Live account is connected to my Xbox Live account, and I paid money out of pocket to buy avatar items, DLC and games for my Xbox Live. I've been locked out of my account for a whole week, I just don't understand why it's taking so long to give me my password recovery.

    • jack · 776 days ago

      I'm starting on my second week of not using my Xbox, but I haven't hooked up my bank card to it so I can't give them any more info than my name and that's not enough to recover it so I'm screwed.

  32. Guest · 778 days ago

    I didn't get the "someone else is using my account" - I just got the "account doesn't exist" even though I had it since the 90's. Seems a bunch of people have the same problem over the last month and NO response from MS - other than one guy saying to send info in a private reply and then no one gets a response to that. I kept it because it was hard to track down everyone to give them a new email address, but now I'm really screwed. I love the part where MS says "in Win8 you can use that pw to sign on to your Win8" I can just see getting locked out of my pc due to MS crapola.

  33. jack · 776 days ago

    My Hotmail account has been hacked and I sent out a recovery thing and it has taken 8 days to get back to me only to say I didn't give enough info. I only use my e-mail account for my Xbox so I don't e-mail anyone so I have no info for me to give them. Wish there was a number to call so you can just sort it all out over the phone and explain the whole thing to them instead of a slow ass e-mail!!!!!!!!!!!!

  34. Spamalot · 770 days ago

    Snap! Just been hacked. I can't get MSN Hotmail to believe I'm the real account holder as they've changed my password, my security question, and the email to forward the password reset to. Ridiculous it is that easy for them and there is no number to call and speak to a human. Or at least an email enquiries account that you can explain the problem to. Now I just get a message from them saying I've tried to query this with them too many times today so I can't try again for another 24 hours. Will be changing my bank, Amazon, PayPal etc etc passwords as soon as I get home to my trusty Mac.
    I wonder if they'll reply if I send 'myself' an email?

  35. yelena · 752 days ago

    After 15 years with Hotmail as my primary email account I lost access like so many other folks on this thread. I have so much information in my Hotmail account that I called one of the Hotmail support companies hoping to get my access back (I paid $170.00) -- all they did was ask me the same questions everyone gets. -- Of course I don't remember the subject lines of the last 5 emails I received (I remembered one or two of them). -- The company went through those questions with me and received a response that I didn't sufficiently prove who I am. -- Now a representative from this company wants to remotely access my home computer to help me get my Hotmail account back. -- What the heck???? -- why is it virtually impossible to get my Hotmail account back? -- I already wasted $170 and am not letting some stranger remotely access my home computer so they can supposedly get me my Hotmail account back (something I was led to believe they'd do if I paid them). -- What is up with Hotmail? -- Why the heck do they make it impossible for folks to get their account back -- and what should I do about this service I paid to get my Hotmail account back?

  36. Joe · 752 days ago

    Well folks .. looks like they still haven't fixed it... 1 hacked acct a year ago.. couldn't resolve it.. now the second one in the last day or so. The only MS product I have now is Win7.. all other products have been removed from my PC.. when I am up to speed on Linux.. Win7 is gone too. Enough of this bs ... Now to get a new account they want address.. telephone number and 2 email addresses ... I don't bloody think so. These guys couldn't secure a garbage can. Also.. Yahoo Messenger is being hacked as well so beware there too.

  37. RIK · 719 days ago

    Try hushmail.com, free, just need to log in every 3 weeks min to keep active. If your recipient is also a hushmail.com user it's encrypted automatically, otherwise organise a password offline so they can decrypt upon receiving your email .... Canadian based company, small compared to Microsoft, Gmail, Yahoo etc etc.

  38. nadine · 718 days ago

    this has happened to me. my facebook was also taken over at the same time and a week later my bank account was also accessed and cleaned out. i never save bank details on my pc or give anyone my pin number...... this is very concerning! :(

  39. I'm having problems of my own with hackers changing my security question, password etc. It's becoming a joke, the account has been changed to a Spanish recipient.

  40. Cynthia Gail Dupuy · 688 days ago

    Locked out of alternate computer at work and iPhone ... Lap top ok.... How do I fix!!!!!

  41. Callum · 386 days ago

    The same thing happened to me and all the recovery information has been changed (including mobile phone and recovery e-mail) so there's no way to prove it's my account anymore.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.