I think you’re right. They didn’t get it through a keylogger or phishing scam. My password is not dictionary-based and I used numbers and mixed case. That tells me they have a rather sneaky method, whatever it is. I’m inclined to think it’s within Windows Live.

That it’s still occurring tells me just how much Microsoft cares about it.

Hmm… “phishing attack”, eh?

More here – although I suspect the latter really is from phishing.

There’s a problem here – publishing the list (account names only, obviously) allows affected users to discover that they’re compromised, but also gives a list of valid accounts to ne’er-do-wells. Immediately taking the list down, though, doesn’t allow people to check whether they’re affected – and I’ll bet that most people won’t bother to change their passwords if there’s not a proven need.

Perhaps what’s needed is a two-password system and allowed IP list. If you’re connecting from a previously-allowed IP address, then either cookies are used to automatically log in or the primary password is accepted. However, if the connecting IP address isn’t pre-vetted (or even is outside of the home county/state/country/continent using geo-IP services) then auto-login with cookies is disallowed, and the secondary password has to be entered after the primary password is authenticated. Users could even have the option to disallow connections from non-vetted IP addresses until confirmed with a second factor… perhaps SMS confirmation, a smart-card, or a RSA-type token.

So long as the service doesn’t already leak like a sieve (and yes, I’m looking at Microsoft here) then this dual-authorisation system should give significant additional protection.

Just think of the economies of scale possible with a user-base the size of Microsoft’s or Google’s – either could offer a subsidised token to customers for little or no cost. There’s lots of issues around logistics and handling lost/replacement hardware – but, especially for Google with its Checkout service, the ability to roll out two-factor authentication universally would have to be a huge advantage over competitors such as Paypal.

I have spoken to Microsoft once more and they are compiling my data. They want to continue discussions regarding procedures for complaints handling for UK Hotmail customers and realise there is a gap in customer service procedures in this respect and dealing with data protection requests. Proof is in the pudding, we shall wait and see

Regards

Mark

If anyone has been a victim of their hotmail account being compromised, make the complaint initially through the website and as soon as you get a response send the following message in reply and most important of all include the following email address. csfeed@microsoft.com (contact from hotmail support), I (your name) request that you disclose the following information relating to myself under the data protection act 1998 and under the act you have 40 calendar days in which to comply. If you require any further verification of my identity I will do so by post to the UK offices only, however it does not give reason for not compiling the information requested.

Sincerely

If they come back with the ECPA tell them it does not apply as you are a UK resident and that request is discriminatory further more you will not extend the deadline and give the date.

Reagrds

Mark

Microsoft UK legal has not responded, I am proceeding with the complaint with the ICO, what they will now realise is that I don’t bluff and will sink my teeth in and won’t let go. I have given Microsoft UK 40 days to supply every bit of information they hold on me under the data protection act on top of my original hotmail request.

Regards

Mark

Just had a conversation with the UK specialist, their legal department has the matter in hand but has failed to respond. They have been given until the end of today to respond with a time period or issue a notice for the decline of request. If they do not respond with a time period or decline the request, the pursuance of the complaint will be made on Monday’s start of business. I have a contingency plan running along side, but those details will be held back for the time being as it is always best to keep a few cards up your sleeve.

Regards

Mark

Microsoft are backing down and are entertaining my request for the moment. I received an eleventh hour telephone call from a UK escalation specialist from the response management team, they have asked for a little more time and I have given them an initial 48hrs in agreement with the ICO in which they must give a realistic time for the delivery of information. So let’s see what happens next.

Later

Mark

Got hit by trojan email this morning with a lik to a company in China. IP address was in Westfield New Jersey. Antivirus altered the problem in Live Mail but I could not delete it. Problem, I managed to delete it via the site, but no warnings or flags I forwared it to Microsoft for them to examine with all the source code but it freaked out Live Mail again when it synced. and I had to delete it from my on site sent box. I shall be monitoring my account once more and this looks like another vunerabilty incident that needs to be resolved

Later

MD

Pass this on to as many people as possible. Microsoft needs to learn that being an internation company means international laws apply, not just the US laws, laws in every country in which they or their agents operate. If you have a problem with data and microsoft, make the demand through the local office in your country of residence or citizenship, once this has been done, the laws of data pertaining to that country apply regadless of what Microsoft say. Good Luck

A bit of interesting news for you. The same thing happened to me and Microsoft are stonewalling the issue. Their terms and conditions come uner the TRUSTe European Safe Harbour agreement and they belong to the scheme. Microsoft also subscribe to the data protection act in the UK. I am a UK citizen and I am registered with Microsoft in the UK. Microsofts terms and conditions point out that they may share your information with other Microsoft subsiduries and affiliates outside your country. That means means that the information is accessable from any point in the world by any one of their subsiduries are the material has been passed through them through the network. Important issue, the laws in which the country you are registered apply and you should seek that route. Microsoft are discriminating against non US citizens and cannot be allowed to do so. I have made an official complaint with the ICO in the UK and TRUSTe stating that they are in breach of the privacy agreement and in my case UK law prevails over US law. The ECPA is a get out clause for something for covering their backsides and I am willing to take it all the way My account was accessed and all I wanted to know what was viewed and downloaded from the IP in China and how the account was accessed. Gues what, they asked me to sent an email with personal information on it.. There is a serious problem and the proverbial is about to hit the fan. I have a few more days toi go befoore the legal dealine runs out. Keep watching.

Oh and I had adaware, spybot and AVG running when it happened, no dodgdy sites, cookies or emails were received. Microsoft are running scared and want to make a federal case out of it.

Later

MD

I share your pain on this one – all attempts to get any sort of answer from the Windows Live support service has been met with silence of a stock reply.

Did you change your password when your account was compromised the first time? Did you choose a strong replacement?

If so, then the fact that the system has been compromised again so quickly would suggest to me that it isn’t that passwords are being cracked, but that there is some form of vulnerability whereby accounts can be accessed without a password, or whereby passwords can be discovered by a third-party.

Until Microsoft acknowledges the problem, there’s little can be done save for closing the Windows Live Mail account itself, and moving to a different provider.

Since cracking this number of passwords around the same time seems highly improbable, this would strongly suggest that there is some vulnerability in the Windows Live infrastructure which either allows access to accounts bypassing the login mechanism, or allows access to account passwords.

The most worrying aspect is whether the attacker can then view all account information, passwords, mail, etc. – or whether they’re limited to address-book access and sending messages only?

Thanks for your info/blog on this.

All I can suggest is to migrate to a different email and IM provider… not necessarily immensely practical, but with Microsoft unresponsive it’s the only way to be safe.

Thank you for writing to Windows Live Technical Support. My name is Faye and I understand that you want to know how can a third party access your account. I apologize for the inconvenience this may have caused you.

I could not confirm whether an unauthorized individual accessed your account or provide you any information about who may have done so, as all Windows Live Hotmail member information is confidential. I can only release it to law enforcement officials when served with a subpoena or criminal search warrant, in compliance with the Electronic Communications Privacy Act (ECPA).