Major breach of Hotmail security allowed hackers to gain full access to any Hotmail account, regardless of the password strength. Whilst researching yesterday’s article on Mac malware I read a new tweet from the Microsoft Security Response team which stated: “On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed”.
Seems inoffensive enough? It was in fact related to a major breach of Hotmail security which allowed hackers to access any Hotmail account – no matter how strong the password A hacker was even offering to crack any Hotmail account within a minute for $20 – and did so, according to a report by H-Online.
Recent Hotmail Security Breach – hackers didn’t need to try and guess the user’s Hotmail password – they just reset it to a new one… The method used was simple but effective. Security analysts explained: “The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values.”
This major security loophole was notified to Microsoft on April 6th and a fix was put in place on April 21st but that is at least 2 weeks of breathing space for hackers to exploit this vulnerability and target Hotmail accounts.
What Can You Do To Protect Your Account? This gaping security loophole has now been closed by Microsoft so, in a sense, they are correct to say ‘no action needed’ – as it did not require guessing passwords, even the strongest password was no defense.
However, most cases of Hotmail (and other email providers) hacking are due to guessing the right password so there are some precautions you can take – these apply to all types of accounts you use on the internet – email or otherwise:
1. Choose strong passwords – an ideal password is long and has a mix of upper (capital) and lower case (small) letters, punctuation, symbols, and numbers. Whenever possible, use at least 14 characters or more.
A quick way to test the strength of a single password is to use the Password Meter website which I reviewed here. Another useful tool to check all of your existing passwords (associated with an email address or website logon) in one go is Password Security Scanner – see at a glance which of your current passwords have a good or weak ‘strength’ score – I reviewed it here.
2. Never reuse the same password for more than one account – if one is compromised there is an increased risk that your accounts
3. Move to services with a better security record or which offer additional security checks e.g. Gmail offers 2 step authentication (not on by default, you have to set it up) – as well as the password you have a unique PIN code to access your Google account which makes hacking much more difficult. See the official instructions from Google here.
If you are unsure whether your Hotmail account might have been hacked (Microsoft won’t say how many were affected), try to log in with your usual password. As this hack involved changing (resetting) your password, if you can still log in you then weren’t affected by it.
If your password is not recognized there is a chance that your account was indeed hacked (although there could be other reasons e.g. you forgot the right password) – see Microsoft’s help page for what to do if your Hotmail account was hacked.
This story highlights the fact that there are no cast iron guarantees of security from any type of email or internet account – hackers continue to use ever more inventive ways to find and exploit security loopholes.