Microsoft says it has fixed a serious vulnerability in Hotmail, that was allowing hackers to reset account passwords, locking out the account’s real owner and giving attackers access to users’ inboxes.
News of the critical bug spread rapidly across underground hacking forums, and Whitec0de reported earlier this week that hackers were offering to break into any Hotmail account for as little as $20.
It appears that the vulnerability existed in Hotmail’s password reset feature. Hackers were able to use a Firefox add-on called Tamper Data to bypass the normal protections put in place to protect Hotmail accounts.
According to some reports, Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession.
Numerous videos, many of them in Arabic, have been posted on YouTube demonstrating how the flaw could be exploited to gain access to Hotmail accounts.
Of course, hackers aren’t just interested in breaking into email accounts out of curiousity or because they want to read your spam.
No, they’re also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control.
What isn’t known is just how many of Hotmail’s 350 million users might have been impacted by the serious security vulnerability – Microsoft certainly isn’t saying.
But if you’re worried, there’s an easy way to check.
Hacked Hotmail accounts would have had their passwords changed to something else – so if you are no longer able to access your Hotmail account it’s possible (although by no means definite – there may be other reasons, of course) that your email account fell victim to this attack.Follow @gcluley