Microsoft fixes Hotmail password reset exploit

A flaw in Hotmail that was used by hackers earlier this month to reset the passwords of many of its users has now been fixed by Microsoft. The company confirmed on Thursday via a Twitter message that the exploit was actually fixed a week ago, on April 20th. However, that was more than enough time for the issue to spread within the hacker community.

Ars Technica reports that the flaw allowed anyone who knew about it to abuse Hotmail's token system, which is supposed to allow only the owner of a Hotmail account to reset the password. Hackers apparently learned of the flaw and started using it as early as April 6th. The software research team at Vulnerability Lab reports that they also discovered the flaw on that same day. However, they waited until April 20th to notify Microsoft about the Hotmail password issue; Microsoft patched the flaw on the same day.

It's currently unknown why Vulnerability Lab waited two weeks to inform Microsoft about the Hotmail password reset issue.

10 Comments


Memnochxx said,
Is that to say, any Live account, or only an account with hotmail?

If I understand the article correctly, anyone with a Live account (since it used an exploit in the password reset feature).

Memnochxx said,
Is that to say, any Live account, or only an account with hotmail?

Must be any Live account.

This is actually a big negative against SkyDrive imho, even if it does have the best features

kcbworth said,

This is actually a big negative against SkyDrive imho, even if it does have the best features

Agreed, it's a little scary, especially since I just moved all my "Documents" and "Pictures" files onto SkyDrive :\

And I was a victim of being randomly hacked into since last Thursday. This fix was actually deployed as my e-mail was being randomly hijacked over and over. Now my account is temporarily blocked (has been for a week so far) and the very terrible Hotmail team doesn't even care to help or respond.

Perhaps even longer if you consider those Xbox Live and FIFA troubles people have been having for months that Microsoft and EA keep denying.

-Razorfold said,
Different exploit, since that involved EA servers (no game other than FIFA was hacked).

It was FIFA because the trading feature allowed an easy way to take advantage of it on scale.

There hasn't been a definitive answer other than there is no problem but people who are careful with online security still manage to be affected.