Hotmail hackers see thousands of accounts

THOUSANDS OF e-mail accounts appear to have been viewed by hackers exploiting a weakness in Microsoft's Hotmail service.

The statistic was based on the number of "hits" on the numerous websites that contained instructions for viewing the e-mail accounts without a password. It was the only objective way yesterday to measure the extent of the security breach, said to be potentially the most serious ever seen on the Internet.

Microsoft has launched an internal investigation into the software flaw, which meant that anyone could read, and send, messages belonging to the 50 million e-mail accounts on its service.

The "crack" for the Web-based e-mail service - consisting of a single Web address, including the Hotmail account name - has now been fixed. But security consultants suggested that it may have originally been built in by Microsoft as a "back door" to allow maintenance. "It looks like something that was used for testing or service that probably got out," said Kit Knox, a systems administrator specialising in security. "It is possible that it was left on their servers by mistake."

The Web address ran a computer program with a simple password that gave access to the accounts. It may have been discovered by hackers examining files on Hotmail's servers to see which were useful.

Microsoft can tell how many accounts were read by seeing how many times that program was run, or by viewing which websites accessed accounts. But it has yet to decide whether to reveal how many accounts were compromised.

Increasingly, Microsoft operating systems, programs and now e-mail services are being attacked by hackers worldwide. The leader of the hacking group Cult of the Dead Cow said recently that the security on Microsoft's operating systems was "distinctly sub-par".

He added: "I think the number one reason that hackers have targeted Microsoft is that its overwhelming arrogance tends to key the disestablishment tendencies that are prevalent among the hackers of the computer underground."

Last year hackers crashed thousands of computers running the Windows NT system just as Bill Gates was about to testify to the US Congress. Judy Gibbons, director of Microsoft UK's consumer and commerce group, said further strikes were unavoidable.

Launched in 1996, Hotmail was the first "Web-based" e-mail service to be accessible using only a Web browser from anywhere in the world.

Leading article,

Review, page 3

Web Subversives

Hackers Unite: Swedish and American group that claimed responsibility for the Hotmail breach "to show the world how bad the security on Microsoft really is".

Cult Of The Dead Cow: Group from Texas who devised the "Back Orifice" package, which lets hackers break in to systems running the Windows operating system.

L0pht Heavy Industries: Boston-based hackers who discovered numerous holes in Microsoft's Windows NT operating system and released codes for cracking it.

Xs4All: Dutch hackers who focus on weaknesses in Microsoft's operating system and programs.

The "Concept" hacker: Temporary Microsoft employee who, in 1995, realised that a new word processing program could carry a virus embedded in documents.

"Script kiddies": Term for Internet users in their early teens who download programs to hack into machines.