The crime was obvious: A Swedish newspaper reported over the weekend that Web sites were posting instructions on how to walk right into Hotmail accounts. Anyone who typed in a user's name could enter that person's mailbox; no password was required. Microsoft (MSFT) shut down the free e-mail service for several hours on Monday and put in a fix. The official word from Microsoft was that it had received no reports of account tampering. As for the bust, the media jury is still out on who did it and why.
It was unclear who launched the attack. The Wall Street Journal's unbylined account chalked the invasion up to hackers and left it at that. Wired reported that a hacking group claimed credit for discovering the Hotmail vulnerability and releasing news of it. But the New York Times identified a programmer named Michael Nobilio as the creator of the software, saying that Nobilio had intended the mechanism as a convenience for Hotmail users and never expected it to be manipulated to allow illicit entry. MSNBC pointed to a hole in MSN's new Passport service as the culprit. Jon Thompson, Web site administrator for a site that had hosted the tunnel into Hotmail, told MSNBC's Bob Sullivan, and later Wired, that the vulnerability had been known since Passport's beta version. Microsoft's official response is that the break-in is unrelated to Passport.
Wired dug deep and noted the discrepancy between when Microsoft says it learned of the bug (Monday morning) and when the Swedish newspaper Expressen claimed to have notified the company (early Sunday morning). A second story filed four hours later explored the possibility that the security hole was a "backdoor" left in Hotmail code by accident, a claim that Microsoft strongly denied: "There is nothing to these allegations," Microsoft told Wired's James Glave.
The Washington Post's John Schwartz was one of the few reporters to point out that the often-quoted figure of 40 million Hotmail users is surely exaggerated: Many Hotmail users have multiple accounts, and some use Hotmail accounts as throwaways. Analysis was generally in short supply, but Schwartz worked some into his coverage. "[The Hotmail dustup] is just one more instance of the fact that the fundamental infrastructure is full of holes. ... Things aren't designed to be secure, so how can you expect them to be secure?" security graybeard Peter Neumann told Schwartz. As to why Microsoft seems to get tougher treatment from both hackers and reporters, Neumann was philosophical: "There are a lot of fleas on the 500-pound gorilla."
Hotmail Hack: This Time It's Personal (The Industry Standard)
Hotmail Accounts Exposed to All
Did MS Dig Its Hotmail Hole?
Hotmail Hackers: 'We Did It'
Hotmail Cracked Badly
Hacker Attack Hits Free E-mail Service
Microsoft Says It Has Fixed Huge Hotmail Security Flaw (Wall Street Journal)
Hotmail Accounts Compromised
Hotmail Hole Exposes Free E-mail Accounts (Joe Wilcox)
Flaw Allows Hackers Into E-mail Accounts (New York Times)
Hotmail Temporarily Shut Down (AP)