How Bad Was the Hotmail Disaster?

"For those who use the web-based HotMail free e-mail service, the following code will save you several minutes each day." With these innocent words, posted to the newsgroup comp.lang.javascript on January 4, a well-meaning computer programmer is believed to have set in motion the worst privacy disaster in the short history of the Internet. Yesterday a Swedish newspaper called Expressen published the programmer's work, a simple utility designed to save time by allowing Hotmail users to circumvent that pesky password verification process when logging into their accounts. The result? As many as 50 million Hotmail accounts were made fully accessible to the public. Now that the damage has been done, what have we learned?

It wasn't until the lines of code appeared in Expressen that people realized how vulnerable Hotmail really was. The utility allowed anybody who wanted to create a Web page that would let them log into any Hotmail account. Once the word was out, dozens of pages such as this one were created to take advantage of the security hole. Unfortunate programmers at Microsoft, which owns Hotmail, were rousted out of bed at 2 AM Pacific time to address the problem. By 9 AM Hotmail was offline. Sometime yesterday afternoon hackers reported that the security breach had briefly re-opened, but by the end of the day it had been closed for good, according to a statement posted by Hotmail on its site.