shahine.com/omar/


yet another Microsoft blogger

# Sunday, February 10, 2008

What will you do when it happens to you?

Data Loss? Been there, done that.

Windows Live ID hijacked? Replace Windows Live ID with Google or Yahoo ID.

What do you do when someone:

  1. hacks into your account
  2. changes your password
  3. changes your secret question
  4. changes your "alternate email address"
  5. changes all your profile information
  6. sets up mail forwarding to another account
  7. turns on the exclusive junk filter (deleting all your email)
  8. deletes your life (email, contacts etc)

That is what I found this evening. I believe that someone managed to issue a password reset command to my account and then somehow logged in and reset my password, essentially owning my data.

How did they do this? Like this for example.

Not sure how this happened to me since my Hotmail password is strong, secure, unique etc.

But right now I am totally and utterly hosed.

Luckily I have my email offline (Outlook Connector).

But I feel like crying.

The amount of personal information in my email account. Just think about what is archived "in the cloud" under the username and password of a single network.

Now think of how you would feel if you found out that someone else had all that information. Just think about that for a second. What do you have in the cloud? What kind of personal information is up there?

Lucky for me I could make some phone calls and get my account access restored. But I am feeling extremely vulnerable right now.

update: my account just got hijacked again, minutes ago. Also so did my GMail account.

I have no idea WTF is going on here. I have only used one computer this entire time.

Also the attacker changed my First and Last name in passport to:

"hey omar i can access all your email

you omars@micro dont paly with me aigne"

 

Sunday, February 10, 2008 10:02:29 PM (Pacific Standard Time, UTC-08:00)
It seems like this attack is doable because hotmail switches to HTTP after authentication. Is there a way to force it to always use https?
Sunday, February 10, 2008 11:10:48 PM (Pacific Standard Time, UTC-08:00)
Somebody is trying to do that very same thing to me at the moment. I keep getting the "reset password" e-mail from Windows Live, indicating someone is trying to hijack my e-mail.
Sunday, February 10, 2008 11:58:16 PM (Pacific Standard Time, UTC-08:00)
Damn sorry to hear this Omar. With more and more services being tied into online ids this is a good wakeup call that identity theft isn't just limited to your typical government ids.
Monday, February 11, 2008 12:03:13 AM (Pacific Standard Time, UTC-08:00)
Something similar happened with my gmail account. Was deleted, Google doesn't care
Monday, February 11, 2008 4:00:36 AM (Pacific Standard Time, UTC-08:00)
Omar,

Please share a post-mortem on this if you are able. I'm having a sympathy heart-attack just thinking about it... What a disaster. aigne is a gnats eyeball.

*shiver*
Sean
Monday, February 11, 2008 6:14:18 AM (Pacific Standard Time, UTC-08:00)
This is ugly. I would probably cry, then restore my gmail data from OSX Time Machine (I sync via IMAP).

This has me spooked.
Monday, February 11, 2008 6:28:55 AM (Pacific Standard Time, UTC-08:00)
I too received a password reset email in my inbox last night.

Jon
Jon Thompson
Monday, February 11, 2008 6:30:43 AM (Pacific Standard Time, UTC-08:00)
This is horrible and I'm sorry it happened to you. There's an enticing convenience of storing everything in the cloud but hearing your story and realizing the cost of losing EVERYTHING - I'm becoming increasingly sceptical.

That said, in a weird way, I'm glad it happened to someone in the Windows Live Mail team. Windows Live needs to distinguish itself by virtue of having or offering an option to users of using enhanced security. Examples:

1) Default HTTPS sessions.

2) PIN requirements (e.g. the ING random 4 digit PIN).

3) We need technologies like SiteKey to prevent anti-phishing login pages.

4) We need basic information provided after logging in to display last login time, last login date, logged in from ...
Leo
Monday, February 11, 2008 6:44:23 AM (Pacific Standard Time, UTC-08:00)
Could it be an inside job? Maybe you pissed someone off internally?
grasso
Monday, February 11, 2008 7:03:33 AM (Pacific Standard Time, UTC-08:00)
Do you run as admin? If so you might want to check for a keystroke logger on your computer.
Monday, February 11, 2008 7:55:40 AM (Pacific Standard Time, UTC-08:00)
Maybe an Alaska Airlines employee. :-)

That totally sucks. Please let us know how it works out. I just recently switched my domain email to Google Apps and this doesn't make me feel all warm and fuzzy.
Monday, February 11, 2008 10:41:14 AM (Pacific Standard Time, UTC-08:00)
Man this sucks, to lose one account is bad enough but to take your Hotmail & Gmail in one go is terrible. Is it possible the former contained information on the latter, or that you used that to activate the gmail?

I hope that any damage caused is at worst reversible, I'm about to go through and check all my online email for stored credentials and remove it.

Best of luck.
Shaun Bohannon
Monday, February 11, 2008 10:55:06 AM (Pacific Standard Time, UTC-08:00)
Do you run as admin? If so you might want to check for a keystroke logger on your computer.

I agree with this comment -- check your computer extensively for keyloggers and targeted spyware. Block all outgoing traffic and see which programs pop up requesting a connection.
Yakov
Monday, February 11, 2008 6:18:33 PM (Pacific Standard Time, UTC-08:00)
Maybe it's time to loop in MSRC...
Monday, February 11, 2008 7:20:27 PM (Pacific Standard Time, UTC-08:00)
I've been getting password reset emails for the past 3 days. It seems that account is under the same type of attack. I'll save any important emails in case I succumb to the same thing. Haven't installed anything recently that could possibly be infected and neither my av scanner nor firewall program show anything suspicious. Since I don't use this particular account publicly, I'm beginning to wonder how it was even found out.
Mahlon P
Tuesday, February 12, 2008 9:30:35 AM (Pacific Standard Time, UTC-08:00)
I'm not entirely sure that this has also happened to me, but I do know I lost my account mysteriously, and Live Support was only able to tell me that 'my account info doesn't match, so they can't help me'. It was entirely frustrating, and I ended up abandoning trying to recover it.

I would be very interested to know if this is more widespread than just people at the top, and a few random users.
Austin Lee
Tuesday, February 12, 2008 2:20:28 PM (Pacific Standard Time, UTC-08:00)
I've had several Hotmail password reset emails myself recently and I've only had the account a few weeks.
Rink
Tuesday, February 12, 2008 9:52:38 PM (Pacific Standard Time, UTC-08:00)
There is an inherent vulnerability in leaving the data we need "in the cloud". Frankly I see the growing number of "tech pundits" advocating people leave all their data in Gmail as a form of group insanity.

To make it worse, one of the advantages advocated is the ability to check your email "from anywhere". I'll say it simply - you are absolutely nuts if you login to your important accounts from an unknown (and thus untrusted) computer. I don't mean you Omar, just in general.

Local copies of all my data, backed up in multiple places. There is simply no way to be too careful.
Soulhuntre
Thursday, February 14, 2008 5:01:56 AM (Pacific Standard Time, UTC-08:00)
I hope you can find out how you got hacked. Btw, I want to point out another issue I found. Please take a look at the screenshot on this page:
http://n-blue.nblogz.net/oh-windows-live-hotmail/

I sent an email with an attachment (less than 10 MB). I set it to save every mail I send in the Sent Box. After I sent that email I got the issue shown in the first shot, while I had only used 1% of the space.
Saturday, February 16, 2008 2:54:04 PM (Pacific Standard Time, UTC-08:00)
Omar,

As a long time reader of your blog, two things about this make me shudder as I ponder life "in the cloud." One, if it can happen to you, now, what chance have the rest of us? And two, should it happen to us, will our resolution be as simple as making a phone call? I figure regaining access to our data will be far more difficult for Joe Blow than for a lead programmer for Microsoft.
Ian Lott
Monday, February 18, 2008 8:56:42 AM (Pacific Standard Time, UTC-08:00)
Omar, I was just wondering if you guys figured out who did this. Obviously the Admin guys will have a log about the date, time, etc when a password reset command was issued.

Just a bit off topic, this is also why you shouldn't have too much personal info on your email account at work. One day your boss can decide that you are no longer an employee and tell IT to change your password (and give it to him). He'll spend the next month going through all the bad things you said about him as well as your calendar, contacts, etc.

I hope MS security tracks whoever did this and takes swift legal action against them.
Mahin
Monday, March 03, 2008 7:16:55 PM (Pacific Standard Time, UTC-08:00)
So why doesn't Hotmail offer HTTPS for the entire session? That would seem to mitigate the issue you linked to.
Wondering
Saturday, March 15, 2008 12:21:13 PM (Pacific Daylight Time, UTC-07:00)
My Hotmail account was hijacked as well about 36 hours ago. I've had the account since 1999, so you can understand how all my contacts and all my emails for the past 9 years have been lost. It has now been more than 36 hours since the hijacking and after 4 email requests to Hotmail support I still don't have a reply (not even a courtesy reply). I guess the term Free Hotmail Account in legal terms means: We are not legally liable, therefore, we don't really have to help you get your account back.

Sorry for the venting, guys, but I had to change all my passwords and contact info for all my credit cards, bank accounts, social websites, etc., and I am not happy right now.

And in case you are wondering, I am an IT professional too, and this happened to my home PC, which is fully protected (and my password was alpha-numeric, not a weak password).

If you know of any way that I can poke Hotmail Support Staff's interest in this, please let me know.
Sakis
Thursday, March 20, 2008 2:34:51 PM (Pacific Daylight Time, UTC-07:00)
The best thing I've found to not worry about this crisis is to have access to a restoration service that handles the problem and keeps me in the loop as much as I need to be. I get the information I need and don't invest so many hours fixing the problem.
FD
Thursday, March 20, 2008 3:32:27 PM (Pacific Daylight Time, UTC-07:00)
FD: What type of service are you referring to? Can you provide examples?
Sakis