Status of Hotmail privacy unclear

[Image caption: On this screen, one of the sites that could be used as a gateway, users were able to enter any Hotmail user name to access the account.]

[Image caption: Once the username was entered, anyone could send, read and forward e-mail from that account. Hotmail has over 40 million subscribers.]
August 30, 1999
Web posted at: 7:02 p.m. EDT (2302 GMT)

By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- Microsoft's Web-based e-mail service, and possibly the entire concept of free Internet mail, suffered a damaging blow to its integrity Monday when a security breach came to light that allowed anyone's Hotmail messages to be read.

"I have a Hotmail account," said Adam Bruce, an Atlanta computer specialist who monitors user groups frequented by hackers. "This scares the heck out of me. Now anybody and their brother can read my mail."

Web-based e-mail has been a hot item for even Internet novices since it became popular in the past few years. It is free and can be used on any computer with a phone or cable line to the Internet. Hotmail's primary competitor has been Yahoo! Mail.

The breach that surfaced Monday initially worked via several Web addresses that simply prompted for a Hotmail username; no password was needed. Once a username was entered, the Hotmail account appeared and the mailbox was available.

Microsoft shut those Web sites down, but hackers posted other Web addresses later in the day that gave entry to accounts. A game of cat-and-mouse ensued, with Microsoft claiming to have won by shutting down all back doors and manually checking all its servers for unauthorized access.

David Wagner, a computer security researcher at UC Berkeley, called the incident "really embarrassing" for Hotmail and Microsoft.

"I've always said don't use Hotmail for anything that is at all personal because we have no idea if they have any commitment to security," he said. "Now I'd say we know they have no commitment to security."

Wagner's advice is simple: "Don't use Hotmail for any e-mail you would be embarrassed to see as a headline."

By the day's end, Microsoft vowed that the incident would not recur.

"With this update we made changes that would prevent this from happening again," said Deanna Sanford, lead product manager for Hotmail.

"There are always going to be hackers out there and you can't make guarantees but we do our best that people feel safe and secure using our products."

Hotmail boasts 40 million customers. Yahoo! refused to give out its client numbers, but claimed it was not subject to the same breach that hit Hotmail.

Microsoft took at least several hours to respond

The exact cause of the Hotmail breach remained unclear Monday, but it persisted for at least several hours after Microsoft learned about it.

The company learned of the breach in the early hours Monday, Pacific Daylight Time, Sanford said, via a report that originated in the Monday edition of the Swedish newspaper Expressen.

The breach via the initial Web sites allowed CNN Interactive to open every account it tested through 11 a.m. EDT, although e-mail messages couldn't always be opened. Hotmail was down for nearly two hours Monday morning to respond to the initial situation.

By mid-day, most of the URLs or Web addresses that gave entry to Hotmail redirected users to a Microsoft security screen, returned an error message or returned "Forbidden" messages.

The sites had been situated all over the world but all used the same Hotmail gateway program.

Later another URL gave access to accounts for about an hour in the afternoon. Hotmail remained active but Microsoft shut down that hole within minutes of receiving the address.

In all cases, the breach allowed users to read and forward a member's old messages, read new messages and send e-mail in some cases under the name of the user -- assuming the member's identity.

Hotmail reportedly has had trouble with security breaches in the past -- including one that allowed hackers to swipe passwords.

All Hotmail users will receive e-mail from the service notifying them of the situation, Microsoft's Sanford said, and telling them that the trouble is over.

Bug or hack

Internet security experts put the blame at the feet of Microsoft, although the breach involved the work of hackers.

The trouble with Web-based e-mail like Hotmail is users must trust a large company to store their private messages, Wagner said.

"It's a tempting site for hackers to hack. If they have one bug, it affects lots of people," Wagner said.

Richard Smith, a computer security specialist, said the fault for the security lapse may lie with Microsoft.

"It looks like a bug at the Hotmail servers," said Smith, president of Phar Lap Software Inc. in Cambridge, Massachusetts. "They are logging in through some sort of back door."

Bruce said the error came in Hotmail's failure to check for authentication if a direct Web address with a Hotmail username were sent into its servers.

At mid-day, a Microsoft statement indicated that hackers had gained access to its Hotmail servers to create the breach. But that was not the case, Bruce said.

"People have noticed a security breach and know the correct URL to tell the server," Bruce said. "The fault seems to lie in the Microsoft programmers that wrote the code for Hotmail," he said.

Wagner said one of the Web sites gave access to test servers for Hotmail that lacked firewalls. Sanford said that was one possible route to the accounts but servers were updated to prevent future unauthorized access.
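The defect the experts describe above, a mailbox served on the strength of a username in the request with no check that the caller ever logged in, modelled here as an added example beside a corrected gateway. This is constructed illustration, not Hotmail's code; the mailboxes, credentials and session store are all made-up.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample mailboxes keyed by username (not real accounts).
MAILBOXES: Dict[str, List[str]] = {
    "alice": ["From: bob -- lunch?", "From: bank -- statement ready"],
    "bob": ["From: alice -- yes, noon"],
}

# Constructed password store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-salt-for-illustration"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

CREDENTIALS: Dict[str, bytes] = {"alice": _hash("alice-pw"), "bob": _hash("bob-pw")}

# Server-side session store: opaque token -> username that proved a password.
SESSIONS: Dict[str, str] = {}

def login(username: str, password: str) -> Optional[str]:
    """Issue a session token only after the password verifies."""
    expected = CREDENTIALS.get(username)
    if expected is None or not secrets.compare_digest(expected, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def open_mailbox_vulnerable(params: Dict[str, str]) -> Optional[List[str]]:
    """The flaw described in the article: the gateway trusts the username
    in the request and never asks whether the caller authenticated."""
    return MAILBOXES.get(params.get("login", ""))

def open_mailbox_fixed(params: Dict[str, str],
                       session_token: Optional[str]) -> Optional[List[str]]:
    """Hardened gateway: the request must carry a valid session (authentication)
    and that session's user must own the mailbox asked for (authorization)."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None:
        return None          # no login, no mailbox
    if owner != params.get("login"):
        return None          # logged in as someone else: refuse, leak nothing
    return MAILBOXES.get(owner)
```

The fixed handler fails closed on a missing, forged or mismatched session, so a bare username in the address buys nothing.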

As ever, the Internet privacy issue is muddy

Ari Schwartz, a policy analyst with the Center for Democracy and Technology, said the security hole in Hotmail was troublesome because Web-based e-mail is a good privacy solution for people sending personal e-mail at work. But no e-mail is totally secure, he said.

"There is a question of how secure you can make any e-mail system," Schwartz said, "especially if people are trying to hack it all the time."

At this point, there is no legal precedent to protect e-mail users from privacy violations, said David Sobel of the Electronic Privacy Information Center.

"It's not clear that a Hotmail user whose privacy has been compromised really has any recourse against Microsoft for what might be found to be negligent engineering of this feature," Sobel said.

© 2001 Cable News Network. All Rights Reserved.