Microsoft rushes out fix after hackers reset passwords to hack Hotmail accounts

HotmailMicrosoft says it has fixed a serious vulnerability in Hotmail, that was allowing hackers to reset account passwords, locking out the account’s real owner and giving attackers access to users’ inboxes.

News of the critical bug spread rapidly across underground hacking forums, and Whitec0de reported earlier this week that hackers were offering to break into any Hotmail account for as little as $20.

It appears that the vulnerability existed in Hotmail’s password reset feature. Hackers were able to use a Firefox add-on called Tamper Data to bypass the normal protections put in place to protect Hotmail accounts.

According to some reports, Moroccan hackers were actively taking advantage of the vulnerability and planned to reset the passwords of a list of 13 million Hotmail users in their possession.

Sign up to our free newsletter.
Security news, advice, and tips.

Numerous videos, many of them in Arabic, have been posted on YouTube demonstrating how the flaw could be exploited to gain access to Hotmail accounts.

HotmailOf course, hackers aren’t just interested in breaking into email accounts out of curiousity or because they want to read your spam.

No, they’re also interested in stealing your identity and perhaps using an email account hack as a method to crowbar their way into other online accounts under your control.

What isn’t known is just how many of Hotmail’s 350 million users might have been impacted by the serious security vulnerability – Microsoft certainly isn’t saying.

But if you’re worried, there’s an easy way to check.

Hacked Hotmail accounts would have had their passwords changed to something else – so if you are no longer able to access your Hotmail account it’s possible (although by no means definite – there may be other reasons, of course) that your email account fell victim to this attack.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.