A flaw in Hotmail that hackers used earlier this month to reset the passwords of many of its users has now been fixed by Microsoft. The company confirmed on Thursday via a Twitter message that the flaw was actually fixed a week ago, on April 20th. However, that was more than enough time for the issue to spread through the hacker community.
Ars Technica reports that the flaw allowed anyone who knew about it to abuse Hotmail's token system, which is supposed to allow only the owner of a Hotmail account to reset its password. Hackers apparently learned of the flaw and started using it as early as April 6th. The software research team at Vulnerability Lab reports that they also discovered the flaw on that same day. However, they waited until April 20th to notify Microsoft about the Hotmail password issue; Microsoft patched the flaw on the same day.
It is currently unknown why Vulnerability Lab waited two weeks to inform Microsoft about the Hotmail password reset issue.