Microsoft fixes Hotmail flaw following widespread password-reset exploits

Microsoft says it has patched a vulnerability in its Hotmail password reset feature that allowed hackers to access accounts.


Microsoft revealed this week that it had "addressed a reset function" in Hotmail that allowed hackers to reset passwords on the webmail service. Researchers first discovered the flaw on April 6th, alerting Microsoft to the problem two weeks later on April 20th. YouTube videos show that some hackers were exploiting the vulnerability on April 6th, with details of the flaw spreading "like wild fire across the hacking community" according to one report.

Hackers reportedly used a Firefox add-on to intercept HTTP requests and modify data to bypass Hotmail's token-based password reset system. Microsoft says it fixed the flaw on April 20th, but the company has not revealed how many of its 300 million users were affected by the temporary glitch. The nature of the attack means that regular users of Hotmail would recognize that their account password no longer worked, but if you're not a daily user of Hotmail then it might be worth checking your account to ensure nothing has been tampered with.
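The report does not say which request data was modified, so the following is an added defensive sketch, not Microsoft's code: a reset handler that treats every submitted field as attacker-controlled and decides only from state held on the server. The class, field names, addresses and limits are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds (constructed value)
MAX_ATTEMPTS = 5      # wrong guesses allowed per issued token (constructed value)

class ResetStore:
    """Outstanding reset tokens, kept server-side; in-memory for this example."""

    def __init__(self):
        self._pending = {}  # account -> [sha256(token), expiry, attempts_left]

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account] = [digest, now + TOKEN_TTL, MAX_ATTEMPTS]
        return token  # sent to the recovery address, never echoed in a response

    def redeem(self, form, now=None):
        """form is the parsed request body; every field is attacker-controlled."""
        now = time.time() if now is None else now
        account = str(form.get("account", ""))
        supplied = hashlib.sha256(str(form.get("token", "")).encode()).digest()
        record = self._pending.get(account)
        if record is None or now > record[1]:
            self._pending.pop(account, None)  # unknown account or expired token
            return False
        if not hmac.compare_digest(record[0], supplied):
            record[2] -= 1
            if record[2] <= 0:
                del self._pending[account]  # stop online guessing
            return False
        del self._pending[account]  # single use: a replay finds no record
        return True

def demo():
    """Constructed requests: three tampered, one genuine, one replay."""
    store, t0, v = ResetStore(), 1_000_000.0, "victim@example.test"
    good = store.issue(v, now=t0)
    other = store.issue("attacker@example.test", now=t0)
    return {
        "swapped_account": store.redeem({"account": v, "token": other}, now=t0 + 1),
        "empty_token": store.redeem({"account": v, "token": ""}, now=t0 + 2),
        "extra_flag": store.redeem({"account": v, "verified": "1"}, now=t0 + 3),
        "genuine": store.redeem({"account": v, "token": good}, now=t0 + 4),
        "replay": store.redeem({"account": v, "token": good}, now=t0 + 5),
    }
```

Only the SHA-256 digest of each token is stored, so a leak of the pending table does not yield usable tokens.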