Hotmail, Xbox and Microsoft Live have been hacked.

Update: Hotmail has added a "my friend has been hacked" button, so people can report when one of their friends' accounts has been hacked. Also I got my account back after 5 days or so. I don't think any of my contacts lost any money from the scam. Other people who got their accounts hijacked have not been so lucky.

Many people have had their Hotmail accounts broken into and stolen.

Microsoft writes about it on their security blog.

I've met a few people over the last week who know of people who have had their accounts stolen.

The fraudsters are emailing everyone in the hijacked account's contact list, telling them the account owner has been robbed and asking them to send money. They say they are in a hotel and the hotel will not let them leave.

A friend told me about how some people call up, and someone answers pretending to be the hotel manager mentioned in the scam email.

I haven't read any media coverage of this, but have heard first-hand from people it has happened to. Could this be related to the Sony break-in the other week?

Unfortunately Microsoft does not seem to answer when contacted about accounts being used for fraud. Their account reset procedure is so slow that by the time an account is recovered the damage could very well be done.

Microsoft is also recommending that people create new Hotmail accounts rather than go through the verification process to recover a stolen account. Unfortunately this is a rather dangerous attitude to take: the hijacked account has already been used to email everyone in its contact list, and any of those contacts could become victims of the scam.

The Xbox Live network uses the same authentication as Hotmail and other Microsoft online properties and stores. Microsoft uses a single sign-on system, so one stolen login exposes all of them; this is a very big security breakdown.

I have no idea how large the break-in is. However, if I hear about multiple people in real life having their accounts stolen then I think this is MASSIVE.

Sony took their system offline whilst they investigated the hackers. I'm not sure what, if anything, Microsoft has done.

Please spread the word, and warn others about this break-in.

Example scam email

Here is an example of one of the emails they are sending out:
Subject: My Plight!!! Help

I'm sorry for this odd request because it might get to you too urgent but it's
because of the situation of things right now, I am stuck in United Kingdom .
we were robbed at the park of the hotel where we stayed,all cash,credit card and
cell were stolen off us but luckily for us we still have our passports with us.

We've been to the embassy and the Police here but they're not helping issues at all
and our flight leaves today but we're having problems settling the hotel bills and
the hotel manager won't let us leave until we settle the bills.

I need a quick loan?? promise to refund it back once i get home.
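The scam above follows a fixed script: an urgent plea, a robbery, being stuck abroad, an unpaid hotel bill, a request for a loan and a promise to repay. Because the message arrives from a real contact's address, the sender cannot be used to spot it, but the wording can. The following scorer is an added example, not code from the original post: it checks an email for several distinct scam-indicator categories and flags it once enough of them co-occur. The keyword lists and the threshold are my own assumptions chosen from the sample email on this page, not a published ruleset; the benign message is constructed.

```python
"""Heuristic scorer for the "stranded traveller" scam quoted above.

Added example (not from the original post). Each category counts once no
matter how many of its patterns match, so repeating one word cannot inflate
the score; a message is flagged when it hits THRESHOLD distinct categories.
Keyword lists and THRESHOLD are assumptions for this example.
"""
import re

INDICATORS = {
    "urgency":      (r"\burgent\b", r"\bquick\b", r"\btoday\b", r"\bhelp\b"),
    "robbery":      (r"\brobbed\b", r"\bstolen\b", r"\bmugged\b"),
    "stranded":     (r"\bstuck in\b", r"\bwon'?t let (us|me) leave\b", r"\bembassy\b"),
    "hotel_bill":   (r"\bhotel\b", r"\bbills?\b", r"\bsettle\b"),
    "money_ask":    (r"\bloan\b", r"\bsend (me |us )?(some )?money\b", r"\bwire\b"),
    "refund":       (r"\brefund\b", r"\bpay (you )?back\b", r"\bonce i get home\b"),
    "lost_contact": (r"\bcell\b", r"\bphone\b", r"\bcredit card\b"),
}

# Distinct categories that must match before a message is called a scam (assumed).
THRESHOLD = 4


def matched_categories(text):
    """Return the sorted list of indicator categories present in text."""
    lowered = text.lower()
    return sorted(
        name for name, patterns in INDICATORS.items()
        if any(re.search(p, lowered) for p in patterns)
    )


def score_email(subject, body):
    """Return (category_count, categories, is_scam) for one message."""
    cats = matched_categories(subject + "\n" + body)
    return len(cats), cats, len(cats) >= THRESHOLD


# The scam email quoted on this page, used as the positive sample.
SCAM_SUBJECT = "My Plight!!! Help"
SCAM_BODY = """I'm sorry for this odd request because it might get to you too urgent but it's
because of the situation of things right now, I am stuck in United Kingdom .
we were robbed at the park of the hotel where we stayed,all cash,credit card and
cell were stolen off us but luckily for us we still have our passports with us.

We've been to the embassy and the Police here but they're not helping issues at all
and our flight leaves today but we're having problems settling the hotel bills and
the hotel manager won't let us leave until we settle the bills.

I need a quick loan?? promise to refund it back once i get home."""

# Constructed benign message from a genuinely travelling friend (negative sample).
BENIGN_SUBJECT = "Back from the UK"
BENIGN_BODY = "Flight landed this morning. The hotel near the park was great, photos to follow."

if __name__ == "__main__":
    for subj, body in ((SCAM_SUBJECT, SCAM_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        count, cats, flagged = score_email(subj, body)
        print(f"{subj!r}: {count} categories {cats} -> {'SCAM' if flagged else 'ok'}")
```

The sample scam hits every category, while the benign travel note only mentions a hotel. Requiring several distinct categories rather than a single keyword keeps ordinary mail from a friend abroad out of the flagged set; the obvious follow-up for a flagged message is to confirm with the contact by phone or another channel before sending anything.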


freitasm said…
That is very different. It's an account hijacking, not someone breaking into Microsoft's database...

This happens when people give their password to third parties. Or when they use weak passwords. Or use the same password and email address on other sites that were broken into.

It's been happening for years.

Nothing to do with "have been hacked"...
illume said…
Sure, if you believe the MS spin.

There is widespread hacking of hotmail accounts. They mention it on their security blog, and have begun increasing security.

Unfortunately they have not given any warnings to their users.

They are simply not prepared for the types of modern attacks being used against them.

Things like Firesheep, for example, can be used to take over Hotmail accounts of people who do not use the new HTTPS with Hotmail and do not use the new two-factor authentication.

The fact is some group has gained access to a massive number of MS accounts, and is committing fraud on a very large scale.

It's not the same as what has been happening for years. New attacks are being used to hack into Microsoft accounts.

MS has been caught with their pants down, and is blaming users.

More people need to know about the widespread new attacks that are being used against Microsoft accounts, since MS does not seem to be notifying its users.
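The Firesheep attack the comment refers to worked by copying a session cookie that the browser sent over plain HTTP; the defence is to serve the site over HTTPS and to set the Secure attribute on the session cookie so the browser never sends it in the clear (HttpOnly additionally keeps page scripts from reading it). The following audit is an added example, not the commenter's code and not anything from Hotmail: it parses raw Set-Cookie header values and reports session-looking cookies that lack those attributes. The header samples are constructed, and the list of name fragments treated as "session" cookies is an assumption.

```python
"""Audit Set-Cookie headers for cookies that a plaintext capture could replay.

Added example, not from the original post or comment. A cookie without the
Secure attribute is sent by the browser over unencrypted HTTP, which is what
Firesheep-style sidejacking relied on. Cookie names containing one of the
SESSION_NAME_HINTS fragments are treated as session-bearing (an assumption).
"""

SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Attribute names are case-insensitive per the cookie syntax, so they are
    lower-cased; flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    """Return True if the cookie name suggests it carries a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers):
    """Return [(cookie_name, [problem, ...])] for session cookies that are
    missing the attributes that keep them off plaintext HTTP or out of scripts."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: browser will send it over plain HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample headers; not captured from any real service.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Domain=example.test",   # session cookie, no flags
    "auth_token=def456; Path=/; Secure; HttpOnly",      # hardened session cookie
    "theme=dark; Path=/",                               # not a session cookie
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS):
        print(name)
        for p in problems:
            print("  -", p)
```

Only SESSIONID is reported: it is a session cookie with neither attribute, while auth_token is correctly flagged and theme is ignored as harmless. The same check can be run against the Set-Cookie headers any site returns at login to see whether its session would survive a capture of its HTTP traffic.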

