In what may be one of the largest email security breaches ever, a Web site apparently allowed anyone access to millions of private Hotmail accounts.
If true, the Hotmail snafu is sure to reignite debate about privacy and security on the Web, as well as direct more criticism towards Microsoft, which owns Hotmail. The site, according to published reports, gave any Web user access to other people's Hotmail accounts simply by typing in a Hotmail user name. Once the name was entered, the account and its mailbox could easily be viewed. Messages, in many cases, could be read or forwarded.
There are between 40 million and 50 million Hotmail users, according to market researchers, making it by far the largest email service.
The problem wasn't a small hole that only a technically adept hacker could exploit. Anyone with a copy of a short HTML script, already widely circulated, could open Hotmail accounts. Reporters at Sm@rt Reseller found that Hotmail in-boxes could be viewed, and messages forwarded or deleted, simply by entering a user name into the script.
Early details were sketchy, but the problem appeared to be the result of sloppy programming at the front end of the service. Essentially, Hotmail was configured to treat any user ID passed within a specific URL format as already logged in, without requiring the account's password. If you knew what that URL format was and inserted someone else's ID, you could raid that account.
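The class of flaw described above, a front end that trusts the user name carried in the URL as proof of identity, is illustrated here as an added example. This is not Hotmail's code: the article does not give the real URL format or parameter names, so the `user` and `sid` parameters, the in-memory mailboxes, credential store and session store below are all hypothetical stand-ins. The vulnerable handler is shown beside a hardened one that only serves the mailbox bound to a server-side session created at login.

```python
"""Vulnerable vs. hardened mailbox front end (added, hypothetical example)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two mailboxes keyed by user name.
MAILBOXES = {
    "alice": ["Re: lunch", "Your invoice"],
    "bob": ["Password reset"],
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: per-user random salt and PBKDF2 hash.
_CREDENTIALS = {}
for _user, _pw in (("alice", "correct horse"), ("bob", "hunter2")):
    _salt = secrets.token_bytes(16)
    _CREDENTIALS[_user] = (_salt, _hash(_pw, _salt))


def vulnerable_inbox(url: str):
    """Flawed handler: whoever is named in the URL is treated as logged in.

    Nothing ties the request to a password or a session, so anyone who knows
    the URL layout can read any mailbox just by changing `user`.
    """
    qs = parse_qs(urlsplit(url).query)
    user = qs.get("user", [None])[0]
    if user not in MAILBOXES:
        return None
    return list(MAILBOXES[user])  # no proof that the requester *is* `user`


class SessionStore:
    """Server-side sessions: an unguessable session id maps to the user who logged in."""

    def __init__(self):
        self._sessions = {}  # sid -> user name

    def login(self, user: str, password: str):
        """Verify the password; on success mint and return a session id."""
        cred = _CREDENTIALS.get(user)
        if cred is None:
            return None
        salt, expected = cred
        if not hmac.compare_digest(_hash(password, salt), expected):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)


def hardened_inbox(url: str, sessions: SessionStore):
    """Fixed handler: the mailbox served is the one bound to the session.

    A `user` parameter is accepted only if it names the session's own owner;
    a missing, unknown or mismatched identity is refused rather than trusted.
    """
    qs = parse_qs(urlsplit(url).query)
    sid = qs.get("sid", [None])[0]
    owner = sessions.user_for(sid) if sid else None
    if owner is None:
        return None
    requested = qs.get("user", [owner])[0]
    if requested != owner:
        return None
    return list(MAILBOXES[owner])


if __name__ == "__main__":
    # The hole: reading Alice's mail with nothing but her user name.
    print("vulnerable:", vulnerable_inbox("http://mail.example/inbox?user=alice"))
    store = SessionStore()
    sid = store.login("bob", "hunter2")
    # Bob sees his own mail, but cannot reuse the URL trick to read Alice's.
    print("hardened, own:", hardened_inbox(f"http://mail.example/inbox?sid={sid}", store))
    print("hardened, other:", hardened_inbox(f"http://mail.example/inbox?sid={sid}&user=alice", store))
```

The session id is carried in the query string here only so that both handlers take the same kind of input; in a real deployment it belongs in an HttpOnly cookie, because identifiers in URLs leak through logs, Referer headers and forwarded links. The point of the comparison is that the hardened handler never derives identity from the user name in the request; it derives identity from a secret the server issued after checking the password, and treats the user name as at most a consistency check.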
Microsoft, which has not commented on the reports, apparently took Hotmail offline by 9 AM PT -- it was inaccessible to all users, legitimate or otherwise. But the site was restored by 10 AM.
No other Web-based email services were affected by the problem.
Steven J Vaughan-Nichols and Jason Perlow contributed to this report.