Major breach of Hotmail security allowed hackers to gain full access to any Hotmail account, regardless of the password strength. Whilst researching yesterday’s article on Mac malware I read a new tweet from the Microsoft Security Response team which stated: “On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed”.
Sounds innocuous enough? It was in fact related to a serious breach of Hotmail security which allowed attackers to access any Hotmail account, no matter how strong the password :-( One hacker was even offering to crack any Hotmail account within a minute for $20 – and did so, according to a report by H-Online.
Recent Hotmail Security Breach
Hackers didn’t need to guess the user’s Hotmail password at all: they simply reset it to one of their own choosing. The method was simple but effective. The security analysts who reported it explained: “The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values.”
This loophole was reported to Microsoft on April 6th and a fix was put in place on April 21st, a window of more than two weeks in which attackers could exploit the vulnerability against Hotmail accounts.
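The article does not say how the reset function was subverted, and no exploit detail is given here either. As an added illustration (my own sketch, not Microsoft’s code or anything from the H-Online report), the following Python shows what a password-reset flow has to enforce so that a new password can only be set by whoever holds a valid, unexpired, single-use token: the account being reset is taken from the server-side token record, never from a field the client can choose. The in-memory stores, the example user, the token lifetime and the 14-character minimum are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime of a reset token
MIN_PASSWORD_LENGTH = 14             # matches the advice later in the article


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored form is 'salt$derived_key' in hex."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + key.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(key.hex(), key_hex)


# Constructed in-memory stores standing in for the provider's database (assumed).
USERS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"pw_hash": hash_password("OriginalPassword123!")}
}
# token_hash -> {"user": account, "expires": unix time}. Only the hash of the
# token is stored, so a leaked database does not hand out live reset tokens.
RESET_TOKENS: Dict[str, Dict] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: mint a random single-use token bound server-side to the account.
    Returns the plaintext token (which a real service would e-mail to the
    account's recovery address), or None for an unknown account."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)            # 256 bits of randomness: unguessable
    RESET_TOKENS[_token_key(token)] = {"user": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: set a new password. The account that changes comes from the stored
    token record, never from a client-supplied 'account' field, so a request
    cannot be pointed at somebody else's account."""
    now = time.time() if now is None else now
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False                             # reject weak password before spending the token
    key = _token_key(token)
    record = RESET_TOKENS.get(key)
    if record is None or record["expires"] < now:
        RESET_TOKENS.pop(key, None)              # drop an expired token
        return False
    del RESET_TOKENS[key]                        # single use: consumed now
    USERS[record["user"]]["pw_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    t = request_reset("alice@example.com")
    print("forged token accepted?", complete_reset("not-a-real-token", "CorrectHorseBattery1!"))
    print("real token accepted?", complete_reset(t, "CorrectHorseBattery1!"))
    print("replayed token accepted?", complete_reset(t, "AnotherLongPassword99!"))
```

The point of the design is that nothing the client sends in step 2 other than the token itself influences which account is changed; the token is random, expires, and cannot be replayed.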
Note: if you have come to this page after trying to volunteer with Distributed Proofreaders (Pgdp.net) please read the explanation at the bottom of this article!
What Can You Do To Protect Your Account?
This gaping security loophole has now been closed by Microsoft so, in a sense, they are correct to say ‘no action needed’: since the attack did not involve guessing passwords, there was nothing a user could have done differently, and even the strongest password was no defense.
However, most cases of Hotmail (and other email) accounts being hacked are due to the password being guessed, so there are some precautions you can take – these apply to all types of accounts you use on the internet, email or otherwise:
1. Choose strong passwords – an ideal password is long and has a mix of upper (capital) and lower case (small) letters, punctuation, symbols, and numbers. Whenever possible, use at least 14 characters.
A quick way to test the strength of a single password is to use the Password Meter website which I reviewed here. Another useful tool to check all of your existing passwords (associated with an email address or website logon) in one go is Password Security Scanner – see at a glance which of your current passwords have a good or weak ‘strength’ score – I reviewed it here.
2. Never reuse the same password for more than one account – if one is compromised there is an increased risk that your accounts
3. Move to services with a better security record or which offer additional security checks e.g. Gmail offers 2-Step Verification (not on by default, you have to set it up): as well as the password you must enter a one-time verification code sent to your phone, so a guessed or stolen password alone is not enough to get in. See the official instructions from Google here.
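To make points 1 and 2 concrete, here is an added Python example (mine, not from the article or from the password tools it links to). It estimates the brute-force search space a password implies, checks it against an assumed policy of at least 14 characters drawn from at least three character classes, and flags passwords reused across a constructed list of accounts. The entropy figure is an upper bound, since dictionary words and common patterns are far weaker than it suggests, but it does show that length counts for more than a sprinkling of symbols.

```python
import math
import string
from typing import Dict, List, Set, Tuple

# Approximate size of each character class. "other" covers punctuation, space
# and anything else and is treated as 33 symbols (an assumption for the estimate).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": len(string.punctuation) + 1}


def character_classes(password: str) -> Set[str]:
    """Which of the four classes the password actually uses."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def entropy_bits(password: str) -> float:
    """Upper-bound brute-force entropy: log2(alphabet_size ** length)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_policy(password: str, min_len: int = 14, min_classes: int = 3) -> List[str]:
    """Return the list of policy problems (empty if the password passes)."""
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


def find_reused(credentials: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password that appears on more than one account to those accounts."""
    by_password: Dict[str, List[str]] = {}
    for account, password in credentials:
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "correct horse Battery staple 9"):
        print(f"{pw!r}: ~{entropy_bits(pw):.0f} bits, problems: {check_policy(pw) or 'none'}")
    # Constructed sample credentials, not real ones.
    sample = [("hotmail", "Summer2012!"), ("bank", "Summer2012!"), ("forum", "a-different-one")]
    print("reused:", find_reused(sample))
```

Run it and the 25-letter all-lowercase phrase scores well above the 11-character “complex” one; the policy check then tells you which rule each fails, and the reuse check is what a local password audit boils down to.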
If you are unsure whether your Hotmail account might have been hacked (Microsoft won’t say how many were affected), try to log in with your usual password. As this hack involved changing (resetting) your password, if you can still log in then you weren’t affected by it.
If your password is not recognized there is a chance that your account was indeed hacked (although there could be other reasons e.g. you forgot the right password) – see Microsoft’s help page for what to do if your Hotmail account was hacked.
This story highlights the fact that there are no cast iron guarantees of security from any type of email or internet account – hackers continue to use ever more inventive ways to find and exploit security loopholes.
Volunteers at Distributed Proofreaders (Pgdp.net)
We here at Techlogon have no connection at all with the Distributed Proofreaders website. The reason you may have been directed to this article is simply that they have linked to it (without our knowledge) from the message you see when you try to sign up as a volunteer with a Hotmail account…
Here is their account registration page with an example of a failed Hotmail signup:
As you can see, if you try to use a Hotmail email address you receive the message “Domain temporarily rejected. Too many compromised accounts. Humans please read this article.”
This means they reject Hotmail addresses as they think they are insecure (get hacked too often).
Their ‘this article’ link brought you directly to our website (presumably they liked our way of writing!) for some discussion of Hotmail but their security policy has nothing to do with us here at Techlogon – we cannot help you with that.
Please go back to the Proofreaders website and either ask them to change their security policy or (probably easier) just use a different email address to sign up with them…
Hope that is of some help. Of course if you would like to browse our website whilst you’re here we hope you find it helpful – and we have no problem with people using hotmail to comment with us ;-)