Hotmail Hack
From Hack Story
08/31/1999
INDEPENDENT (London) August 31
HACKERS FORCE HOTMAIL CLOSURE
ONE OF the biggest breaches of security in Internet history meant that the messages of 50 million Hotmail users worldwide could be read by anyone for six hours yesterday.
Microsoft was forced to shut down its popular, free e-mail service after a bug in the system allowed hackers to access people's messages without knowing their passwords and to send bogus messages in other people's names.
News of the breach, and information about how it worked, spread rapidly across both technical and hacking websites. By the time the original site, based in Sweden, was taken down by its host, it had already been copied to sites in this country and the US.
Hotmail is claimed to be the world's largest provider of free Web-based e-mail, with an estimated 50 million subscribers worldwide, of which 5 million are British. Since Hotmail can be accessed from anywhere with a Web browser, people use it for personal messages at work or while travelling. It is particularly popular among students travelling overseas and businessmen who value its privacy.
One British website where the hacking code was posted was headlined: "This is how you find out a Hotmail user's password." It ended: "Happy hacking!!!"
Internet analysts described yesterday's security flaw as catastrophic. It was the most serious in a run of recent security breaches in the growing Internet industry. Unlike previous incidents, the latest did not require hackers to have in-depth knowledge of software systems.
A Microsoft spokeswoman confirmed the security lapse last night and claimed it had been repaired. "Once notified of the issue we started investigating it and turned off the Hotmail servers in the interest of user privacy and security," she said. "My understanding is that we have resolved the issue to prevent future attacks and all Hotmail servers should already be back up. No user action is required. Microsoft takes the privacy and security of our customers very seriously."
Shares in Microsoft fell slightly on the New York stock exchange yesterday. The recent spate of security failures has involved varying degrees of risk, ranging from no damage to the complete corruption of computer files.
A team of scientists discovered a bug last week in tens of millions of Microsoft Windows computer operating systems that allowed a hacker to corrupt or take control of a personal computer by sending an e-mail containing a virus that can modify files, wipe a hard drive or execute other commands.
Most copies of Windows 95 and all versions of Windows 98 were vulnerable to the virus, which unlike previous strains does not require the victim to open the e-mail.
Officials at Microsoft admitted earlier this month that the MSN Messenger instant-message service, a form of real-time e-mail, could accidentally disclose Hotmail account passwords.
=======
GUARDIAN (London) August 31
Hackers force Microsoft Hotmail shutdown
Microsoft pulled the plug on its Hotmail service yesterday after one of the biggest security breaches in internet history allowed hackers to read the private emails of more than 50m subscribers.
A bug in the system allowed hackers to log into Hotmail accounts without typing passwords that were supposed to guarantee confidentiality.
Unknown sources posted websites in Britain and Sweden that featured nine lines of code which enabled browsers to bypass Microsoft's security system. Copies of the code circulated within hours and were posted on hacking-related websites, said Wired News, an online magazine.
Microsoft closed down its service, which is claimed to be the world's largest provider of free web-based email, but it was feared that hackers were still able to gain access.
Internet analysts described the incident as a catastrophic security flaw.
Still posted on the web last night was Hotmail's promise to subscribers: "We are committed to protecting your privacy and developing technology that gives you the most powerful, safe, online experience that you can get anywhere... because your privacy is important to us."
Christian Carrwik, a reporter with the Expressen newspaper, in Sweden, which broke the story yesterday, said rumours of a security breach had been circulating for days.
Microsoft had privately admitted the problem but did not warn users nor close down Hotmail until yesterday.
"The back door is still open and more and more people are discovering their way through it," said Mr Carrwik.
Yesterday's lapse was the most serious in a string of recent security gaffes in the growing internet industry. Hacking usually requires in-depth knowledge of software systems but the latest breach allowed anybody with an internet browser to read private correspondence.
According to the British website where the hacking code was posted, it was written on June 7 1998. The website was headlined: "This is how you find out a Hotmail user's password." It ended: "Happy hacking!!!"
Microsoft's website said the hacking was not affecting all Hotmail users and was not expected to "last much longer".
Shares in Microsoft fell slightly on the New York stock exchange yesterday.
The recent spate of security failures has involved varying degrees of risk, ranging from no damage to computer files to their complete corruption.
Last week a team of scientists discovered a bug in tens of millions of Microsoft Windows computer operating systems that allowed a hacker to corrupt or take control of a personal computer by sending an email containing a virus that can modify files, reformat a hard drive or execute other commands.
Most copies of Windows 95 and all versions of Windows 98 were vulnerable to the virus, which unlike previous strains does not require the victim to open the email. Microsoft released an upgraded version of its Java virtual machine that fixed the problem.
Earlier this month officials at the company's US headquarters in Redmond, Washington state, admitted that their MSN Messenger instant-message service, a form of real-time email, could accidentally disclose Hotmail account passwords.
John Montgomery, the company's product manager, defended Microsoft's record and said such attacks happened to rivals too.
"Building sophisticated software is hard. Giving people a rich user experience means you are going to run into situations where that can be abused," he said.
A Microsoft spokeswoman later confirmed the security lapse and claimed it had been repaired.
"We found it was possible for a malicious hacker to gain access to our Hotmail servers through specific knowledge of advanced web development languages.
"We turned off the servers in the interests of security and user privacy. Microsoft has now resolved the issue and all Hotmail servers have been restored."