Home / Blogs

Yahoo, Gmail, Hotmail Compromised - But How?

One of the bigger news stories is that of 10,000 usernames and passwords of Hotmail users were posted this past week, victims of a phishing scam. From Computerworld:

If (technology blog) Neowin’s account is accurate, the Hotmail hack or phishing attack would be one of the largest suffered by a Web-based e-mail service.

Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin’s Yahoo Mail account in the run-up to the U.S. presidential election. Palin, the Republican vice presidential nominee at the time, lost control of her personal account when someone identified only as “rubico” reset her password after guessing answers to several security questions.

Shortly after the Palin account hijack, Computerworld confirmed that the automated password-reset mechanisms used by Hotmail, Yahoo Mail and Google’s Gmail could be abused by anyone who knew an account’s username and could answer a single security question.

The BBC reports that Gmail and Yahoo were also targeted.

It seems unlikely to me that this would be a hack where someone would break into Hotmail’s servers and access the account information that way. It is much more likely that the spammers got the information by social engineering. Why is this more likely? For one, they’d have to get past all of the firewalls and security measures that Microsoft/Hotmail have to keep intruders out. While not impossible, it is not easy.

But secondly, even if a hacker/spammer were to break in and steal the account information, it is very unlikely that they could access the associated passwords. Passwords are not stored in clear-text, they are stored encrypted using a one-way hash. Actually, firms with good security store them this way; while I don’t work in Hotmail, I am pretty certain that they would do the same because it is standard Microsoft policy. The point is that a hacker couldn’t get a user’s password because all he would have access to is a text string that wouldn’t work when entering it into the web portal. This suggests that the spammer tricked the user into handing over their user account and password through some other mechanism.

Whilst I suspect social engineering, I do not suspect security-question guessing. Note that while vice-presidential candidate Sarah Palin had her account hacked by somebody guessing her login information, this is not a scalable model for spammers. Palin is well known and you could possibly guess her information simply by reading about her online. But to access 10,000 accounts that way is too time consuming and the people you are hacking are unknown to you. You wouldn’t be able to guess their information, other than by chance. Random guessing is useless.

So how did this hacker acquire this information?

The general consensus is that these were victims of phishing scams, most likely involving social engineering. It would look something like this: the Hotmail user receives a spam message in their inbox, probably a message that looks like it is coming from Windows Live. There is some call to action wherein the spammer says that Hotmail is upgrading their infrastructure and requires users to login to their account and verify their credentials. Furthermore, there was probably some bot attack that broke Hotmail’s CAPTCHA service on the sign up page, so these spam messages were sent from Hotmail internally. These types of spams can be more difficult to filter than when it comes from another service. So we have Hotmail users spamming Hotmail users, possibly with a From: address like “Windows Live Mail Security <live.security.something@...>”. Some users did not recognize that this was a phishing scam, entered in their credentials and the damage was done.

That’s one likely scenario.

The problem is that there are so many other possible attack vectors. Here’s one: spammers don’t have to target Hotmail users via a phishing scam. Notice that not only Hotmail users surrendered their credentials, so did Yahoo and Google users. You don’t have to fall victim to a phishing scam. A hacker would have a difficult time hacking Yahoo, Google and Microsoft directly, but what if they attacked an online discussion forum? Or a blogging service? Many websites around the internet allow you to login to their websites using your email address as the username. How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords. Hackers get to take advantages of statistics - given enough people, some of them will be hits (i.e., same username/password combination).

BBC News confirmed that the accounts are genuine and predominantly originate in Europe, so I’m willing to bet that some discussion forum in Europe had its users usernames and passwords stored in clear-text and were broken into, and information stolen. They then went and verified which ones unlocked the users’ accounts and discarded the rest. They then posted them online for all to see.

But that’s not the only possibility. According to the Microsoft Security and Intelligence Report, the rates of piracy in eastern Europe are higher than western Europe and the United States. So, if BBC News confirmed that the accounts are predominantly in eastern Europe, what if the following occurred:

Some users, running older copies of Windows XP were downloading music and happened to download rogue software. These users don’t always keep their systems up-to-date, so the rogue software sat around on their computer for a while. It is designed to capture login information to major web portals, so when these users then check their web mail, it is captured by the virus and relayed back to the command center.

I admit that scenario is much more far-fetched and less likely than the other two. But the point is that the attack vector for how this could have occurred is very wide and tracking it down to its source is quite difficult, indeed.

By Terry Zink, Program Manager

Filed Under


Exactly... Joseph A'Deo  –  Oct 9, 2009 8:16 PM

How many people use their email address… and also use the same password? If a hacker were to break into an online forum, one with much less security, they could count on the fact that users tend to reuse usernames and passwords.

Exactly, which is why we’ve been pushing (I work @ VeriSign) for encryption solutions and consumer protection devices like two-factor authentication to be seen as a necessity wherever private information is being used (be it a routing number or a simple log-in credential). If all those hotmail accounts had required a token to authenticate, the leak would have been a non-issue.

In the meantime, however, obviously the solution is to vary passwords and be on the look out for phishing attempts, but where forums are concerned it’s tricky business. Maybe some kind of standard, federally mandated log-in system is the answer, as “big brother” as it sounds.

Joseph,Your post underplays the importance of education Alex Tajirian  –  Oct 10, 2009 4:57 PM

Joseph, Your post underplays the importance of education and ignores risk management. Education on the customer side involves differentiating between phishing and legitimate emails. Phishing solutions and discourse have emphasized the former. Nevertheless, eBay or your bank can legitimately send you an email about a credit card discrepancy. However, the emphasis on phishing can automatically lead to deleting such email, which can be hazardeous to your health. Risk management at the corporate level has to first answer whether to secure or insure. Nevertheless, implementation requires education and coordination.

Last scenario may be most likely not least likely Kerry Brown  –  Oct 10, 2009 3:00 PM

A lot of malware looks for logon screens and passwords.


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com