Hotmail Accounts Getting 'Hijacked,' Microsoft Says

Microsoft says e-mail account "hijacking" is a growing problem, especially among Windows Live Hotmail users.

In a blog post on Monday, the company warned that some Windows Live Hotmail users have noticed that their accounts have been "hijacked" by spammers. Users can log into hijacked accounts, but they unwillingly share them with a hacker.

According to Microsoft, a hijacked user account would allow a hacker to send e-mails to the user's contacts, which could result in both the user and those contacts unwittingly downloading worms onto a workstation. From there, such malware can spread to the network. 

Windows Live Hotmail, the e-mail service that powers Office Live Small Business, and other services such as Google's Gmail and Yahoo Mail, may be vectors for such attacks.

Security experts say this vector is among the most common client-side entry points for malware. Users are more likely to open and act upon an e-mail out of curiosity and then click on a link. They're also more likely to open an e-mail from someone they know.

The value of stolen or hijacked e-mail accounts has always been huge, according to Paul Henry, security and forensic analyst at Lumension.

"Initially, all you needed was to brute-force the user's password," he said. "Now, when you factor in the automation and organization of today's cyber criminals, seeing mass hijacking of e-mail accounts is simply a regular occurrence."

Randy Abrams, director of technical education at ESET, suggested that users of Microsoft's online services need better security information.

"Where Windows Live was correct in advising to obtain the most recent virus definitions, a nontechnical person at Office Live translated that to 'stay up-to-date on the latest computer viruses going around'," he said. "[But] staying up-to-date on the latest computer viruses doesn't really help. You need to understand the concepts to avoid them. There are too many new threats to keep up with them all."

Symantec's "State of Spam Report," released earlier this month, found that spam accounted for 89 percent of all e-mail messages in July. The spam rate for August was even more dire, according to a recent MX Logic report, which found that up to 94.9 percent of all e-mail messages were spam.

Spam that delivers images and links continues to have an impact, accounting for 17 percent of all spam in July, according to Symantec's report. A new version of "419 spam" has appeared in which "spammers tried to exploit VoIP services," according to Symantec. The company describes 419 spam as a message that alerts users about money they supposedly either inherited or won.

Adam O'Donnell, director of emerging technology at Cloudmark, said spam is growing rapidly and is increasingly targeting free e-mail sites. O'Donnell said password integrity at the user level and strong access control policies at the enterprise level can reduce risks.

"Hijacking [free accounts] is a common occurrence, and it is becoming more frequent as other vectors for sending spam are reduced," he said. "Users need to use strong and unique passwords on every Web account to help stop these kinds of attacks."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Wed, Aug 15, 2012

My Hotmail e-mail account was hacked and the hackers are out of Saudi Arabia. They are sending e-mails to all my customers' accounts asking for money. I have reported this to Microsoft as they are the Hotmail providers. Now all my business can do at this point is damage control as our reputation is at stake.

Wed, Apr 27, 2011

Presumably emails are being received that look like they are from YOU. Folks should be aware that there are **2** ways that can give this appearance: (1) the sender simply spoofs your email address but uses his/her own server, etc ... in which case they would not have your address list but use their own address list. OR (2) the sender has truly hacked into your mail account by figuring out the password. There's not much anyone can do about the first one except encourage your friends to NOT put all their friends into the TO: line of broadcast messages - in favor of the BCC: line so that the addresses are hidden. It's only the second one that's a true hijack IMHO.

Mon, Mar 21, 2011 Debra Edmonton Alberta Canada

I've had this problem in my Live mail accounts (2 of 3 that is) for months. I have also had the same thing happen to my Yahoo account but it's only happened once. The Live Mail accounts is on-going. I've changed passwords, taken out all my contacts, scanned with lots of programs and still can't find a solution. Now I know why Microsoft didn't reply to my problem. How do we FIX it?

Sun, Mar 20, 2011 len apter

It's beginning to look like MSN, themselves, are causing this mess, because, frankly they give a rat's ass about the free accounts. Yes, I am a conspiracy theorist.

Tue, Nov 16, 2010 Judy Washington State

My email account was hijacked yesterday. The same letter from London asking for money has been sent out to all of my contacts (hundreds). Oddly enough my Facebook page password was also taken so I can't change anything there either. I do not have access to my Hotmail account now, or my Facebook; someone else does and is using it like crazy. I think that the hacker got into Facebook and from there they were able to get my email address and somehow stole and then changed my passwords. My password was long and was combined with numbers. I never open spam or anything I am not sure of.

Sun, Oct 31, 2010 maxine

My e-mail (Hotmail) was hijacked and everything on my computer, photos, documents, Microsoft Office, desktop, all info about my puter were included in an e-mail when I sent it out. It used an INSERT line to do this instead of the usual ATTACH. I wrote Microsoft at Redmond WA 98052 on behalf of the victims. We'll see what happens.

Sat, Oct 23, 2010 anonymous

Why are the software kings (they know who they are) supporting crime by allowing hackers to take over people's Live Mail accounts and not showing one ounce of help in getting them out (they could be tracked and prosecuted)? The hacker can change passwords easy but the account owner is stuffed when they ask for help to change the password and get their account back. So much for safe happy computing.

Sun, Oct 17, 2010

Forget about losing my contacts, what if the hijackers try to gain access to my bank and credit card accounts and have the new password sent to my hijacked email?!

Tue, Oct 12, 2010

What a joke, my Hotmail account was hijacked, and all 300 plus of my business associates got sent links to a viagra site. Great. Have changed my account status to private, changed password, and removed all contacts to a separate folder for safekeeping. Hope it works?

Sat, Oct 2, 2010 monica south africa

I cannot get into my email account; it says I have the wrong password. The password is correct. My email became like this just after I had done internet banking!!! It has been a month now. I fail to understand that Windows support cannot solve this problem. Why must I pay the guy at 'just get an answer' to do the work for Windows? How can Windows keep on sending me help to the very email address that I cannot get into? Of what use is that?

Wed, Sep 22, 2010

I've had the same problem. I have tried to contact someone at Hotmail to no avail. I also tried a few antivirus software and changed all my passwords. I am also closing my hotmail account and switching to a different and more secure email system. This has been very upsetting and only God knows how much info these people got!

Tue, Sep 7, 2010

I'm being bombarded with "delivery status notification failure" messages for e-mails that I did not send. I go to inbox & will have 31 unread messages, all the same informing me that the e-mail (that I did not send/ do not know the addressee) was not deliverable. No help whatsoever from MSN.

Fri, Sep 3, 2010 screwedbyhotmail ontario

Never again using Hotmail or anything else free. No support or even phone number for MSN or Microsoft. All contacts and attachments locked out; even cannot close account to stop the scam "send money, I am in London". What a joke of support services of Hotmail Live.

Wed, Jul 14, 2010 DJS Australia

My Hotmail account was hijacked and spam sent to all addresses listing a (probable bogus) website for cheap iPhones. Can't say how anyone could possibly work out the isn't even a proper word...and combines with numerals.

Sat, Jul 3, 2010

Microsoft / MSN / HOTMAIL should have put out a warning through e-mail so that the Hotmail users could have known about the recent hackers. I filed a complaint with the FCC and I am looking into getting a lawyer. Microsoft does not care about the free e-mail users; Microsoft should have never had a free e-mail service if they were not going to monitor the site for hackers. Now the hackers have full control of people's e-mail and they have done a lot of damage, not just to the user but to their contacts as well.

Tue, Jun 15, 2010 Mike

I'm now believing that Windows (MSN) Hotmail is quite a joke! Most reputable companies would have a contact phone number or the very least a website to have direct interaction with support staff... Hotmail has neither! A site that allows hacking without immediate fixing is a piss-poor site and company. Hoping G-mail will do better!

Sun, Apr 18, 2010

Absolutely nobody tells how to solve the hijack problem.

Thu, Mar 11, 2010

My MSN email account has been hijacked and I cannot find any way to contact MSN for help. All of the areas that I am referred to have similar complaints but MSN has posted no response. Is there a phone number for MSN?

Mon, Feb 22, 2010

How do you get support from Hotmail? Is there a number or direct email because my account was hijacked recently and the person(s) that did this sent out emails to all my contacts requesting money stating that I had been robbed and was stuck overseas.

Wed, Sep 23, 2009 Los Angeles

Please let me know if there is a direct phone number for Hotmail. I would love to have all my stolen contacts restored if possible.

Wed, Sep 23, 2009

It is very important that I can get in touch with someone regarding my Hotmail account that was stolen and my identity. I need someone to take off talentconnect@hotmail; my identity was stolen and they are sending mail to all my contacts requesting money as if it was me. Please close that e-mail and investigate where it is being used. I am going crazy from this. Help me, ASAP. Sabrina

Tue, Sep 8, 2009

My email account has been hijacked and is being used to purchase merchandise over the internet. They then send fake payment notifications from Paypal to get their merchandise.

Wed, Sep 2, 2009 Jim Payne Dallas

Basically any email account like Gmail, Yahoo, Hotmail, etc. can be vectors simply because of poor password choices. That's what the writer was referring to. If you have a stupidly easy to crack password, like "password" then all the cyber-criminal needs is the valid email account which is not hard to obtain, otherwise we wouldn’t see so much damn spam. A lot of this stuff can be prevented by simply strengthening your online password and changing it more frequently than "never". Just because Microsoft is warning about this does not mean that they alone are vulnerable. This is just common sense and it could happen to any system that solely relies upon basic user credentials for access, like Gmail, Yahoo, Hotmail, etc. It sounds like Microsoft has just picked up a lot of noise in their area on this because they have so many users and are a great target. Frankly, I'm surprised we haven't heard about this more publicly until now instead of 10 years ago.

Mon, Aug 31, 2009 Rodney

Gmail and Yahoo are mentioned because you can use Windows Live Mail to access your Gmail and Yahoo mail accounts. Or at least that's the only reason I can think of, because I use my Windows Live Mail for my Gmail account as well as my Hotmail.

Mon, Aug 31, 2009 Sahara

I want to know how the writer made the jump from "Windows Live Hotmail," which was the type of account being hacked, to inferring that Gmail and Yahoo email would also be hacked. Have there been any occurrences of those services being hacked? Not that I have heard of.

Fri, Aug 28, 2009

I had my HotMail account hijacked also. I'm assuming it was done via brute force. The hijacker sent out a bunch of messages to my contacts and then deleted them. I only realized it at first because my work email address was one of those contacts. FYI, HotMail support was able to restore my contacts, so I was able to notify people pretty quickly. Very disturbing experience.

Fri, Aug 28, 2009

My HotMail account was hijacked months ago and used to send spam to all my contacts, which were then deleted, so I wasn't even sure of the full list who it was sent to so I could warn them. I still don't know where I picked it up because I don't open unknowns or download much of anything. If it came from one of my contacts it was well hidden, not one of those obvious risk messages or links. My complaint to the company went absolutely nowhere, and I still get phishing messages all the time, so I've moved to Yahoo.
