Hotmail and other Live services are popular targets for hackers, being very large as a result of their direct backing by Microsoft, who require an account for full use of things like Windows Phone and the Xbox 360. Many people, myself included, have Hotmail accounts from years ago when Hotmail was the must-have service, and rather than maintaining two Live accounts, one registered with a newer email, they persist in keeping a single Live account. I actually did check whether you can change your Live ID in the options and found that under the Account section the listed Windows Live ID has a Change button, but this leads to an error page saying it's not currently available. Whether this is temporary or just not currently supported, I don't know, but check for yourself if you wish to switch your Live ID off the Hotmail address. Why, you ask? Well, Hotmail was recently subject to a particularly nasty exploit which allowed anyone to commandeer a Hotmail account without access to your listed recovery address, phone number, or security question.
Hotmail is a big target for spammers and hackers alike, so it's only to be expected that the heavy scrutiny it's subjected to will eventually yield vulnerabilities to some enterprising individuals, just as flaws are periodically discovered and patched in Windows through Windows Update. For many people, though, their Hotmail account is something they have only for use of Microsoft services, and little attention is paid to it otherwise. If you don't do things that require regular logins to the Live service, you may not quickly notice that your account has been compromised, and the more time a hacker has inside an account, the greater the damage they can do and the more opportunity they have to make it difficult to recover the account later. So before I go on about exactly what happened, I suggest you check on your Live account and ensure you can still log in to it.
This particular vulnerability exploits the reset token sent to a recovery email listed in the account. Normally this would require the hacker to have compromised this outside account first, but a Firefox extension called Tamper Data, recommended for security testing your own websites, gives hackers an easy tool to modify HTTP header data, basically allowing them to spoof the authentication required to reset the password. They can then set the password to whatever they like, which allows them to alter any other protected information within the account which would normally allow you to recover the account automatically. A fix for this particular exploit was released within hours of Microsoft becoming aware of it, but it existed for weeks beforehand; no exact numbers of how many accounts have been hacked have been released, but this particular exploit quickly became popular in the hacking community. Once again, I cannot stress enough how important it is that you ensure your account was not compromised. This particular exploit is very difficult to combat if the hacker knew what they were doing, so time is of the essence. Here's the Microsoft guide on how to recover an account. The reset password dialog does offer a trusted PC and Customer Support option (the former may not work if the hacker was smart enough to remove your computer), but if for any reason none of those options works for you, here is Microsoft's general contact page.
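To make the defensive point concrete, here is an added example (not code from the original post or from Microsoft) of what a reset handler has to do so that editing the request with a tool like Tamper Data cannot substitute for actually possessing the emailed token: the token is generated server-side, stored only as a hash, bound to the account, time-limited, single-use, and compared in constant time, while any client-asserted "verified" field is ignored. The `ResetService` class, the 15-minute lifetime and the sample request dictionaries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed policy: a reset link stays valid for 15 minutes


class ResetService:
    """Constructed illustration of a password-reset flow that trusts only server state."""

    def __init__(self):
        self.users = {}    # email -> password (plain text here only to keep the demo short)
        self.pending = {}  # email -> (sha256(token), expiry time)

    def request_reset(self, email):
        """Issue a fresh single-use token; only its hash is kept server-side.

        The return value stands in for the token that would be emailed to
        the account's recovery address."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[email] = (digest, time.time() + TOKEN_TTL)
        return token

    def complete_reset(self, request):
        """Change the password only on proof of the emailed token.

        Every decision is made from self.pending, never from fields the
        client supplies, so a tampered request (extra 'verified' flags, a
        different email, a guessed token) cannot pass."""
        email = request.get("email")
        presented = request.get("token", "")
        entry = self.pending.get(email)
        if entry is None:
            return False  # no outstanding reset for this account
        expected, expiry = entry
        if time.time() > expiry:
            del self.pending[email]
            return False  # expired link
        presented_digest = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(presented_digest, expected):
            return False  # wrong or tampered token; constant-time compare
        del self.pending[email]  # single use: consumed whether or not the change succeeds
        self.users[email] = request["new_password"]
        return True
```

The key property is that the request contains nothing the server trusts except the token itself, whose only copy outside the server went to the recovery mailbox.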