Microsoft fixes Hotmail security flaw

Password protection

Software giant Microsoft has reportedly plugged a security hole in its Hotmail email service, which allowed hackers to access accounts and reset passwords.

The problem was made public by researchers at Vulnerability Labs last week in a post on its website, which contained details of how hackers have exploited the flaw.

"[It allows] attackers to reset the Hotmail/MSN password with attacker chosen values," said the post. "Remote attackers can bypass the password recovery service [and token-based protections] to setup a new password."

If successful, hackers are then able to gain unauthorised access to Hotmail and MSN accounts, it added.

It is not know how many of the 350 million Hotmail users from across the globe had been targeted by the scam. However, it has been claimed that Moroccan hackers had been planning to use the flaw to reset the accounts of up to 13 million users.

Hackers aren't interested in breaking into email accounts because they want to read your spam. They want to steal your identity.

Moreover, a report on Sophos' Naked Security blog claims videos detailing how to exploit the flaw had been circulating on YouTube for some time.

"Hackers aren't just interested in breaking into email accounts out of curiousity or because they want to read your spam," said Graham Cluley, senior technology consultant at Sophos, in the blog post.

"No, they're also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control."

When contacted for comment, a Microsoft spokesperson told IT Pro: "Hotmail engineering teams are working hard on not only protecting accounts, but also on recover[ing] them."

They also revealed the firm has launched a new, "streamlined" recovery tool to help affected users regain access to their accounts.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.