Microsoft's Hotmail Challenge Backfires

Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor say he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."

Re:weak password

[TJ_Phazerhacki]

Sure. But was it actually Hotmail that was hacked, or the way more likely cause of a non-unique password or existing compromise on his pc? Hell, I know script kiddies who would SALIVATE at the chance to make Hotmail look bad for teh lulz...

Idiot?

[cavtroop]

So, a fairly public persona publicly announces that he's switching to Hotmail to give it a go. And has a weak-sauce password:

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

And somehow this is Microsoft fault? He's just asking to be hacked, and with a weak password like this? *sigh*

that will be a death note to enterprise use

[Joe_Dragon]

Hotmail login same as windows log on and windows store with CC? WOW windows 8 may flop so bad that they have to have a windows 9 next year or a windows 7.5

Not uncommon

[krelian]

This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.

Re:that will be a death note to enterprise use

[Anpheus]

That's irrelevant though, and you're just picking a fight. I was responding to Joe_Dragon's completely inane objection to Windows 8 from a business standpoint, see his title: "that will be a death note to enterprise use". No, it won't be, and I explained why.

Do you want to engage on a debate on Windows Live logins as well? Because you should know before you start that the Windows Live login has minimum security requirements, doesn't appear to store the Windows Live password locally, and appears to follow some pretty damn good security practices. Now, I haven't fully verified all of these claims, but the login process for Windows Live login appears to use local passwords and certificates to verify the local account password against The Cloud(tm) when available. This is actually an astoundingly good process, as I don't think the hash of the Windows Live password is ever stored on the computer, rather, it can be used to access the local password, but I don't think physical access to a Windows 8 machine can possibly give you access to a user's Windows Live credentials. You can only gain access to local, unencrypted data.

There are bits of this I haven't verified, but are based off hunches of exploring the system and poking and prodding it. I haven't disassembled the login routines to verify what I think is happening is the actual process, but it appears that Microsoft has very much followed good security practices here. I was extremely impressed to notice that enabling Windows Live login merely downloads a certificate to the user's local certificate store (encrypted by a local password) and that other mechanisms appear to be in place to mitigate security risks.

Re:Yes, but other than that, how did you like it?

[FrootLoops]

How is this Microsoft's problem? The possibilities are...
      (1) A guy writing articles about his new email address used a relatively weak password and someone guessed it
      (2) He logged in on a compromised machine
      (3) Microsoft has a genuine security problem

The guy leaped right to (3), which seems the least likely to me. Since "my PC login" has also been compromised, (2) seems right. I can't help but feel this would have been pointed out long ago if the service were Gmail instead of Hotmail.

Before it gets quoted back to me, he justified (3) by saying

although I have to say from anecdotal evidence that Hotmail seems far more susceptible to account hijacking than Gmail.

That's a very weak argument--it's based on anecdotal evidence and ignores possible differences between user populations. You'd think the editor of a magazine would take the time to write a thorough article instead of a knee-jerk one.

Re:Yes, but other than that, how did you like it?

[Dan541]

From TFA

I set about trying to change my passwords. Hotmail was easy enough, but as that email address was also used as my iTunes login, I wanted to change that password as well. Except Apple’s changed its password policy since I last changed mine, forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly). As my Gmail account was linked to that now compromised Hotmail inbox, I had to change that password too. So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober. If I’m still able to access my iPhone and Gmail account today, it will be nothing short of miraculous.

I'm curious to know how strong this password, used in multiple places really was.

Re:Yes, but other than that, how did you like it?

[tobiasly]

This is also very informative, at least for me, as it gives me one more reason to avoid Win 8 as i had no idea everything in their new appstore was tied to hotmail.

Haha no kidding. I wonder if they still delete your Hotmail account if you don't log in for 30 days or whatever. Because that would be awesome to find out all my purchased apps were inaccessible because they deleted my "inactive" account...

But how did it get hacked?

[SuperDre]

The main issue now is, how did it get hacked, as millions of users are using hotmail/live-platform daily without problems.. Maybe the reporter was a bit dumb and put his login-account details on a hazy-website for some reason (like an external importing app, or a maulicious App for his phone/tablet/whatever)..
It's not like an account can be hacked that easily (just as easy as a GMail account could be hacked)..

So the hacking of his account doesn't have anything to do with the service itself..