PC Pro - Computing in the Real World

Posted on April 25th, 2012 by Barry Collins

Moving from Gmail to Hotmail: the disastrous conclusion


PC Pro editor Barry Collins is conducting a two-week experiment, returning to Hotmail after six years of using Gmail, to examine Microsoft’s claims that its webmail system has improved. You can read his previous blog posts on Moving from Gmail to Hotmail here.

Today, I was all set to bring you the verdict on my two-week experiment of swapping Gmail for Hotmail. Last night, however, I spent in the pub with the PC Pro team, giving the latest issue of the magazine a good send off. Which is when the problems started.

The Twitter client on my iPhone started buzzing like a wasp trapped in a lamp shade. I received the following message:

[Image: tweet from Cecil]

Quickly followed by:

[Image: tweet from Simon]

And this:

[Image: tweet from Ian]

Then my brother rang. Had I meant to send him that link in an email? And why had I also sent it to our cousin and three blokes he’d never heard of?

I put my pint down, switched my laptop on, logged into Hotmail, and saw the following:

[Image: Hotmail “account hacked” notice]

I then uttered a naughty word. Something along the lines of: “bugger”.

My Hotmail account had been hacked alright, but that was only the beginning of my problems. As readers of my earlier blog posts about this experiment will know, I’d also set up Hotmail to import all my Gmail and its associated contacts. Not to mention the Facebook and LinkedIn contacts that Hotmail merges into your online address book. It soon became painfully clear that pretty much anyone I’d had personal or professional contact with over the past decade had been sent an email containing a link to a malicious site. From my account. Me – the editor of a PC magazine.


In fact, even people I didn’t really know were getting dodgy emails from me, because, as I discovered a couple of days ago, anyone you add to your Circles on Google+ is automatically added to your Gmail contacts.

And so, three pints to the wind and trying to ignore the smug amusement of my (soon to be former) colleagues, I set about trying to change my passwords. Hotmail was easy enough, but as that email address was also used as my iTunes login, I wanted to change that password as well. Except Apple’s changed its password policy since I last changed mine, forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly). As my Gmail account was linked to that now compromised Hotmail inbox, I had to change that password too. So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober. If I’m still able to access my iPhone and Gmail account today, it will be nothing short of miraculous.

All this is a terrible shame, because I was gently warming to Hotmail. I wasn’t about to recommend all Gmail users up sticks and move (back?) to Microsoft, but features such as the SkyDrive integration and automatic inbox Sweep were genuinely useful, and way ahead of what Google’s webmail offers. I’m sure there are plenty of people who’ve had their Gmail account compromised too, although I have to say from anecdotal evidence that Hotmail seems far more susceptible to account hijacking than Gmail.

I simply can’t trust Hotmail anymore. And what’s even more worrying is that it’s not only my webmail that’s been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to log in with your Windows Live/Hotmail details to access features such as the Metro Store, synchronisation and SkyDrive.

It’s one thing giving hackers access to ten years’ worth of junk mail and iTunes receipts – it’s quite another potentially giving them access to my work PC.

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

See also: Davey Winder’s Ultimate Guide to Passwords.


Posted in: From Gmail to Hotmail



193 Responses to “Moving from Gmail to Hotmail: the disastrous conclusion”

  1. DVD Says:
    April 25th, 2012 at 10:28 am

    Be honest Barry. Was your password simple enough to for a hacker to guess? Perhaps your high profile trial attracted a Microsoft hater to target you? I’m a Gmail user myself and don’t recommend Hotmail to anyone but this seems almost too coincidental to me.

  2. Mike Halsey Says:
    April 25th, 2012 at 10:29 am

    It was probably Google hacking in as they knew you were comparing the two :)

    Also why did the editor of a PC magazine not have a suitably strong password anyway?

  3. Barry Collins Says:
    April 25th, 2012 at 10:37 am

    I’ve updated the blog with details of the password.

    Barry Collins

  4. Kev Partner Says:
    April 25th, 2012 at 10:39 am

    LastPass has been my salvation when it comes to passwords – completely solved the problem. Works on smartphones and across browsers.

  5. Pete Matthews Says:
    April 25th, 2012 at 10:48 am

    I was waiting for this article to appear. I have so many friends who send me links to dodgy websites and they all have Hotmail accounts. Hotmail is the most insecure email service on the planet and I would never go back to it.

  6. Rob Lightbody Says:
    April 25th, 2012 at 10:54 am

    Even though Barry’s password wasn’t terribly “tough”, it was probably about the same strength as most Hotmail users… which is the most relevant thing here.

    Perhaps Hotmail should not have allowed him to have a weak password?

  7. DVD Says:
    April 25th, 2012 at 10:56 am

    Never mind glare – he might even get medieval on your sorry behind! 7 all lower case characters?! I bet the noun part was something to do with something or someone dear to you and the acronym was at least a reasonably well known one. We’ve all had spam from Hotmail accounts, we’ve all been in this game long enough to know that that sort of password was nowhere near strong enough (I know Hotmail allows 6 characters but REALLY?).

    You’re reminding me of when Jeremy Clarkson gave out his bank sort code and account number in the Sun claiming no harm could be done. A little bit of me even thinks you deserve to give Microsoft another chance. But only a little bit!

    Barry, Barry, Barry! Over to you Dave.

  8. Mike Halsey Says:
    April 25th, 2012 at 10:56 am

    Re your update, shows that a seven letter upper and lower case alphabetic password can be cracked in about an hour by an average PC, and says a full on attack would take just a matter of seconds to crack it. Personally my own password is a minimum 14 character upper and lower case string with numbers and symbols.

  9. DVD Says:
    April 25th, 2012 at 11:01 am

    But Rob is right of course. If the editor of Britain’s leading monthly PC magazine can fall into the trap, so can a lot of people. Microsoft shouldn’t allow weak passwords. They don’t even give an indication of strength as you type and will happily accept ‘password2′ as a password.

  10. Jim Says:
    April 25th, 2012 at 11:05 am

    Amusing criticisms, but his gmail account hasn’t been hacked had it?

  11. James Neave Says:
    April 25th, 2012 at 11:06 am

    Hotmail does seem to be very open to hacking – I’ve had friends who’ve suffered it. Sure, 7 lower case characters isn’t strong; but it’s not too terrible. Does Hotmail have no lockout/protection against repeated failed login attempts? If it does, without giving too much away, how are they being hacked so easily? A flaw somewhere in the vast array of sites which require a Live login, or even in fact a compromise of the Live datastore?

  12. Roger Andre Says:
    April 25th, 2012 at 11:08 am

    use this site to test password strength, but generally ‘mizpeltword0945/’ and you’re sorted.

  13. DVD Says:
    April 25th, 2012 at 11:10 am

    Good point Jim but was he using the same password on Gmail. And the trial was about giving Hotmail another go, not Gmail. Hotmail was the (easy) target.

    Were you always using https as well for your Hotmail connections Barry?

  14. Daniel Says:
    April 25th, 2012 at 11:15 am

    Sorry to hear the bad news, Barry – that’s rough. Did you ever solve the mystery of imported sent messages from Gmail?

    Shall we try to guess his password?

    My money’s on “pcbarry”.

  15. Steve Millar Says:
    April 25th, 2012 at 11:15 am

    Well at least Barry’s being honest & upfront about it all.

    Yes, I’m sure he’s getting pelters from all over (prob deserved), but again it raises the issue of insecure passwords. My head hurts sometimes trying to remember the myriad of passwords I have.

  16. Simon Says:
    April 25th, 2012 at 11:15 am

    I don’t really think you can blame Hotmail if your password was just lowercase strings. In fact I now think less of you since as a computing professional you should know to choose a strong password. You clearly brought this upon yourself and I think if it had been the other way around, i.e. testing Gmail, the same probably would have happened.

  17. Mike Halsey Says:
    April 25th, 2012 at 11:18 am

    In ways this is feeling a bit like a pro-Google rant. I take the point that Microsoft need to improve their overall security but they’ll be a bigger hate target than Google for years to come yet when it comes to hackers and malware. The fact remains though that a password that can be hacked in a year today will be hackable in 6 months next year, 2 months the year after and so on… We need better education on passwords or, how’s this for an idea, better websites that just ask for random characters like banks do

  18. Music Rab Says:
    April 25th, 2012 at 11:18 am

    Question for web techs. Could Barry’s password actually have been hacked? I say it wasn’t. I think it was a keylogger or similar.

  19. Mike Halsey Says:
    April 25th, 2012 at 11:19 am

    Furthermore, any website that allows a computer to auto-form fill a password should be considered generally insecure and should be changed.

  20. richard Says:
    April 25th, 2012 at 11:23 am

    the key thing here is that the password wasn’t secure enough, i would have thought anyone with a technical background would use a password of greater than 8 mixed character upper and lowercase with numerals and special characters.

    my wife uses hotmail, (touching a piece of wood as i say this) hasn’t yet fallen foul to password cracking. that said a friend of mine also using hotmail has.

  21. Music Rab Says:
    April 25th, 2012 at 11:24 am

    “any website that allows a computer to auto-form fill a password should be considered generally insecure and should be changed.”

    I haven’t come across ONE website that doesn’t allow auto-form fill for a password. So I think it’s impossible.

  22. Admin03 Says:
    April 25th, 2012 at 11:24 am

    RoboForm was the answer for me. Since I started using it some years ago, I have strong, random and different passwords for all main websites. Logging on only takes a single click and passwords can be synchronised across all devices.

    Just checked my RoboForm account, I have around 300 logins. Now, who could remember that many passwords? You either use a password manager or re-use your (insecure?) passwords.

  23. Tom Says:
    April 25th, 2012 at 11:31 am

    I used to stick religiously to a set of completely random twelve character passwords, mixed case with numbers. Last year I got a bit tired with constantly typing them in and cut them down to seven or eight character passwords. They are still mixed case with numbers but guess what… after years with no problems, whatsoever, my personal mail server was hacked last month.
    What a dumb ass!
    Now I’m giving everything a different fifteen+ character random code (mixed case, alpha, non alpha & numeric).
    I think I’ve worked out how to memorise them but time will tell.

    Must now change password on PCPro site, which is obviously now rather suspect ;-)

  24. Jim Says:
    April 25th, 2012 at 11:49 am

    Would all the password snobs going on about “strong” passwords like to explain how or why hotmail is vulnerable to a dictionary attack?

  25. Music Rab Says:
    April 25th, 2012 at 11:55 am

    There’s more to this than somebody(or some program) determining Barry’s password by working it out by trying different combinations. A “program” has actually found Barry’s password. But how? My guess is a keylogger (or equivalent). But how/where?

  26. Matt J Says:
    April 25th, 2012 at 11:59 am

    I’ve just checked, and after 10 attempts to guess a password, MS uses a similar captcha service to prevent further automated attacks.

    Even as a Gmail user, I think you’re being unduly unfair on Microsoft for this. Unfortunately, I think you’ve just been caught out by somebody guessing your poorly chosen password.

    PS: Slightly ironic that in the same article that talks about your weak password being compromised, you complain that Apple have started enforcing strong passwords?
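The front-end throttle Matt J describes (a CAPTCHA after ten failed guesses) can be modelled in a few dozen lines. The code below is an added example, not part of his comment and not Microsoft’s code: a per-account counter that, once a run of failures passes a threshold, stops comparing passwords altogether until a lockout window has passed (a real service would require a CAPTCHA or second factor at that point instead). The `LoginThrottle` class, the threshold of 10, the 30-second base lockout with doubling, and the plaintext credential table are assumptions for illustration.

```python
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass

# Assumed policy values for this illustration: the 10-attempt threshold mirrors
# the observation in the comment above; the lockout base and doubling are ours.
FAILED_ATTEMPTS_BEFORE_LOCK = 10
BASE_LOCKOUT_SECONDS = 30.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success or lock
    lockout_count: int = 0     # how many locks this account has had (drives backoff)
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginThrottle:
    """Per-account failed-login throttle (hypothetical class, added example).

    While an account is locked, attempt() returns "locked" without touching the
    stored credential at all, so an online guesser gets no signal and no
    throughput. The credential table here is plaintext purely to keep the
    example short; a real service stores a salted, slow hash instead.
    """

    def __init__(self, credentials: dict[str, str], clock=time.time):
        self._credentials = credentials   # constructed: username -> password
        self._state: dict[str, AccountState] = {}
        self._clock = clock               # injectable so behaviour can be tested offline

    def _state_for(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state_for(user).locked_until

    def attempt(self, user: str, password: str) -> str:
        """Returns "ok", "bad-password" or "locked"."""
        st = self._state_for(user)
        now = self._clock()
        if now < st.locked_until:
            return "locked"
        expected = self._credentials.get(user)
        # Constant-time comparison so response timing does not leak prefix matches.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            st.lockout_count = 0
            return "ok"
        # Unknown users are counted too, so the lock gives no hint whether an account exists.
        st.failures += 1
        if st.failures >= FAILED_ATTEMPTS_BEFORE_LOCK:
            # Exponential backoff: 30 s for the first lock, then 60 s, 120 s, ...
            st.locked_until = now + BASE_LOCKOUT_SECONDS * (2 ** st.lockout_count)
            st.lockout_count += 1
            st.failures = 0
        return "bad-password"


def simulate_guessing(throttle: LoginThrottle, user: str, guesses: list[str]) -> dict:
    """Feeds candidate passwords to the throttle and reports how many were
    actually compared before the account locked (or a guess succeeded)."""
    compared = 0
    final = "bad-password"
    for guess in guesses:
        final = throttle.attempt(user, guess)
        if final == "locked":
            break
        compared += 1
        if final == "ok":
            break
    return {"compared": compared, "final": final}


class FakeClock:
    """Manually advanced clock so the lockout can be exercised without sleeping."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle({"alice": "s3cret-example"}, clock=clock)   # constructed account
    wrong = [f"guess{i}" for i in range(12)]                              # constructed guesses
    print(simulate_guessing(throttle, "alice", wrong))   # {'compared': 10, 'final': 'locked'}
    print(throttle.attempt("alice", "s3cret-example"))   # locked: even the right password is refused
    clock.advance(31)
    print(throttle.attempt("alice", "s3cret-example"))   # ok
```

The point of the design is visible in the simulation: of twelve candidate passwords only ten are ever compared, and during the lock even the correct password is refused, so the attacker’s throughput is bounded by the policy rather than by server speed. This only limits guessing through the login page; it does nothing for a password database that has already been copied, which is a separate problem.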

  27. Steve Says:
    April 25th, 2012 at 12:02 pm

    For a while now I’ve doubted the Pro part of PC Pro so I’m not surprised to be honest. My inbox goes back to 2005 and I’ve never had a reason to look elsewhere. I wonder if Barry was connecting over https when using the webclient.

  28. DVD Says:
    April 25th, 2012 at 12:03 pm

    Snobs Jim? We’re not talking prestige cars or clothes here. We’re talking security. Do or die.

    But to answer your question, my opinion (for what it’s worth) is not that Hotmail itself is more vulnerable (though unencrypted connections anyone?), it’s that Hotmail *USERS* are. Microsoft does a good job of forcing Windows users to have a Hotmail account (even I have one – though I only use when Microsoft force me) and with the majority of users being Windows users, and, I’m afraid to say, not very security savvy, they’re a big and easy target. Don’t forget Hotmail was doing free, web based e-mail long before most of the other players in the market (including Microsoft themselves – who bought Hotmail) so there’s a massive, well established user base to aim at, just like there is for Windows and Internet Explorer. Dare I say as well, all the smart users have long since moved on as Barry did 6 years ago.

  29. Admin03 Says:
    April 25th, 2012 at 12:06 pm

    Have to agree with that. Websites would normally lock you out after a certain number of attempts. Even if they don’t, the speed at which the web server would process each attempt would make brute-force or even dictionary attacks impractical, unless you have a really really basic password.

    I think with web services, hacking normally involves sharing passwords across multiple websites, key-loggers or something like that.

  30. Barry Collins Says:
    April 25th, 2012 at 12:06 pm

    Thanks for all the comments.

    As I said in the blog update, I fully accept that the password wasn’t as strong as it could/should have been.

    I’m not going to reveal the exact password, but I don’t believe it would be easily guessable from a social networking trawl etc. It was a reasonably obscure string of letters. That said, I fully accept that any string of seven letters is susceptible to a brute force attack.

    In my defence, the password was strong enough to be accepted by Hotmail. Indeed, it’s also strong enough to be accepted by Gmail (I’ve just tried it).

    Barry Collins

  31. Liam B Says:
    April 25th, 2012 at 12:08 pm

    Haha it doesn’t matter what your password is – if Microsoft are going to greedily try to force you to use their services by making you use the same password on your computer as you do online doesn’t that tell you something rather important, like security isn’t their first priority.

    I had 2 of my websites hacked, they both had ironclad passwords, but were using wordpress. Guess where the fault lay!

    This is about software vulnerability, not spending the rest of our lives being tied in to password remembering software.


  32. Austin Says:
    April 25th, 2012 at 12:09 pm

    STOP! with your anti-Hotmail rubbish. This is a security breach pure and simple; it happened to me once because I stupidly used a PC at a hotel while on holiday. My password was ultra secure so the only way my account could have been compromised was through a key logger or somesuch.
    Other than this one incident I have never had an issue with Hotmail and, in fact, it still is leaps and bounds ahead of Gmail in functionality, ease of use and just about every other category you can think of. Just because you were likely slack with your security is no reason to rubbish a great piece of free software – SHAME ON YOU!

  33. Music Rab Says:
    April 25th, 2012 at 12:12 pm

    “I think you’ve just been caught out by somebody guessing your poorly chosen password.”

    Very unlikely. This was a keylogger or equivalent.

  34. Mike Halsey Says:
    April 25th, 2012 at 12:17 pm

    @Austin it is for reasons like this that I believe all websites should have a dual password system where you enter a standard code each time along with two or three random characters from another code. This is what banks do and it might add a layer of inconvenience, but it would make many people feel much better.

  35. Ben Says:
    April 25th, 2012 at 12:20 pm

    My GMail account got hacked once, no idea how, ten character password consisting of lowercase, uppercase, numbers and symbols.
    However Gmail saw a couple of dodgy emails being sent and immediately locked my account so my first knowledge of it was trying to log in and gmail telling me they suspected a hack and I had to be sent a verification PIN in a text (as they had my mobile number) and I had to change my password (now even longer and more unmemorable!), but GMail did a great job of avoiding a disaster.

  36. DVD Says:
    April 25th, 2012 at 12:24 pm

    I agree Mike, such a system would be better (banks use 2 factor authentication as well so why not go the whole hog?) but it wouldn’t make many people feel better. It would make them feel frustrated and look elsewhere. Microsoft, Google etc. know that they’re allowing easy passwords onto their systems so why don’t they force stronger passwords? Because they know users won’t like it and will go where it’s easier. That’s why Hotmail accepts ‘password2′ and Google accepts the very same password that allowed Barry’s Hotmail account to be hacked (though I still think it was plucked off an unencrypted connection).

  37. Mike Halsey Says:
    April 25th, 2012 at 12:27 pm

    @DVD but surely if one did it, this would show up and get them negative publicity. The others then they’d all do it quite quickly and before long it would be secure password or filofax and a book of stamps :)

  38. Mike Halsey Says:
    April 25th, 2012 at 12:28 pm

    Show the others up I meant. I hate this text editor, it’s rubbish. PC Poo, please upgrade it

  39. SteveE Says:
    April 25th, 2012 at 12:34 pm

    My fiancee uses Hotmail and had the same problem – her password is a non-word with included numbers so not easily crackable…

    I do agree with other comments that “the one login for all services” is going to become a problem as we move forward to a single integrated cloud/phone/pc/tv/web login from gmail or hotmail etc

  40. toby Says:
    April 25th, 2012 at 12:38 pm

    Hotmail have been providing support throughout your trial. I would be interested to know what their comments on this are.

    Are they able to identify how the hack happened? Were there multiple attempts to access the account or one single attempt?

    This would at least provide some insight into how the account was hacked and where the blame may lie.


  41. DVD Says:
    April 25th, 2012 at 12:41 pm

    I suspect the likes of you and I, Mike, and possibly most of the respondents on here would be attracted to that sort of security but the mass market – teenagers, silver surfers etc. will opt out or run a mile to where life is simple and they can pretend that it can’t happen to them.

  42. Mike Halsey Says:
    April 25th, 2012 at 12:43 pm

    @DVD And that’s why they get hacked and I haven’t been :}

    As an aside, isn’t it long past time PC Poo published an article on good password etiquette and the various security options available to us? I’d certainly like to read it

  43. DVD Says:
    April 25th, 2012 at 12:46 pm

    Though that doesn’t really respond to your point Mike, and I can’t edit that last post as you have pointed out!

    I don’t think once one made such a change the others would follow. They’d want to be there to catch those who run screaming away from the first to do it. Witness Barry’s own complaint that Apple upped the password complexity requirements on their systems in the very update where he’s telling us he’s been hacked as Matt J points out!

  44. Richard Says:
    April 25th, 2012 at 12:47 pm

    Are you sure the password was cracked? My wife got an email from a friend with a link to a website asking her to login. She didn’t log in but just clicking the link was enough to send a similar email to everyone in her hotmail address book. The emails were titled woow or variants on that. Interestingly enough she is using hotmail via Outlook connector but it didn’t get any of the Outlook addresses. Anyone who clicked on the link who was not using hotmail was unaffected. Of course we changed her hotmail password anyway.

  45. DVD Says:
    April 25th, 2012 at 12:47 pm

    I’m not sure PC Pro are qualified to give such advice any more Mike!

  46. Jim Says:
    April 25th, 2012 at 12:47 pm

    This article affords people who happen to have “strong” passwords who haven’t been hacked the chance to feel superior to an expert like Bazza. Sadly they have had to assume, without sense or justification, that Barry’s password was guessable. Your passwords may be hard to decipher, but your motivations aren’t.

    Back in the grown-up world, is it possible to use a brute-force attack on the hotmail website, and if so, why?

  47. Music Rab Says:
    April 25th, 2012 at 12:49 pm

    So, we look forward to a PCPro article “When Strong Passwords Aren’t”

  48. Lee Jordan Says:
    April 25th, 2012 at 1:26 pm

    I’d be interested to hear a response from Microsoft. I doubt that the hacker managed to figure out the password. They must have got it some other way.

  49. Thomas Says:
    April 25th, 2012 at 1:41 pm

    I would be really interested if this incident could be followed up with Microsoft to try and find out how it happened. Off the top of my head I can think of three or four possibilities that don’t involve guessing the password, but which could be right will depend on Barry’s working practices and what mitigating procedures Hotmail has in place.

  50. wittgenfrog Says:
    April 25th, 2012 at 2:02 pm

    I’ve been using hotmail for over a decade and without too many problems. Does this mean it ‘better’ than Gmail?

    Anything made by man can be unmade by man (or a woman).

    Me I’m largely agnostic, I’m simply more used to hotmail, so I use it more than my Gmail account.

  51. Ian Says:
    April 25th, 2012 at 3:20 pm

    Think the lack of a strong password has been covered by other commenters enough by now… though would add that insecure lower case + number passwords seems to be pretty common. Websites should by now be insisting on at least one upper case letter, one lower case letter, one number and one symbol and a minimum of 10 characters…

    However hacked Hotmail accounts seems to be a problem for Microsoft – I’ve had 5-10 emails this year from known contacts sending out spam links from Hotmail accounts. I haven’t had any emails from hacked Gmail accounts. I’m guessing that hackers prefer Hotmail for some reason…

    It’s disappointing as Hotmail is one of the few Microsoft services I don’t use. Like others here, I’d be interested to hear whether Microsoft are willing to comment on what happened

  52. Dvader Says:
    April 25th, 2012 at 3:35 pm

    There is no evidence that the account was hacked. You’d linked all your accounts to that one hotmail account and probably used the same password. Maybe it was a PCpro inside job. You cannot prove this was not an internal “hack”. You probably made a mistake. Of course, WE have to trust you that you didn’t make that crucial mistake.

  53. Barry Collins Says:
    April 25th, 2012 at 4:12 pm

    Microsoft is investigating what happened to the account, and I shall report back with any findings, if Microsoft is happy for them to be made public (there may be good security reasons why they don’t want that information shared).

    Barry Collins

  54. David Wright Says:
    April 25th, 2012 at 4:18 pm

    Quickly looks for a bit of wood… I’ve been using Hotmail since the Linux days, before Microsoft bought them out (1996).

    I’ve used the same account since then and it has never been hacked. It has the shortest password of any of my online accounts, with under 20 characters.

    Most of my colleagues scoff at me, because my Windows password has over 15 digits.

    Like KevPartner, I use LastPass and tend to use very complex passwords where I can.

    There are a couple of sites, where I have a free, read-only access to a service, which is otherwise “public”, where I have incredibly simple passwords, but they are the exception.

    It is a shame Barry’s account has been hacked, but I’m sure Davey Winder’s scorn will stop Barry from making the same mistake twice.

    Heck, my girlfriend got her first computer last year (she is over 40) and her first password was over 30 characters long! :-O After that, I felt I didn’t really need to talk to her about passwords…

  55. Rob Schifreen Says:
    April 25th, 2012 at 4:22 pm

    Barry, presumably you’re going to follow up with an investigation of how your account was hacked?

    As others have said, it’s unlikely that someone simply guessed your password.

  56. Rob Schifreen Says:
    April 25th, 2012 at 4:23 pm

    If Microsoft don’t want you to disclose how the hack happened, that’s a story in itself. I hope you won’t shy away from publishing it.

  57. Barry Collins Says:
    April 25th, 2012 at 4:25 pm

    Rob + others,

    As I said above, Microsoft is investigating what happened with my account and I’ll happily report back if the company is happy for me to publish the details.

    I’ve also never said the password was stolen/guessed – merely that I changed my own passwords.

    Barry Collins

  58. JohnAHind Says:
    April 25th, 2012 at 4:33 pm

    @KevPartner, Admin03: Using an on-line password store actually makes you much less secure. These are honey-pots for hackers because the value of cracking them is obvious and because they probably have fairly weak passwords themselves since the user has to be able to remember it.

    Call me paranoid, but I use RoboForm 2 Go on a USB stick, additionally encrypted with TrueCrypt. My “human memorable” password never gets exposed to the internet.

  59. Dan Says:
    April 25th, 2012 at 4:49 pm

    My password is:


    Obviously I use different combinations for the 20 or so websites I’ve signed up to. Honestly, there needs to be a better way of getting access to the numerous websites we all sign up to, sign in with Facebook seems to be making an appearance on lots of websites now so I can use one secure password with the 5 or so sites I use which utilise this technology. Paying for a 3rd party password management app might be ok for nerds but not for my mum.

  60. Paul Ockenden Says:
    April 25th, 2012 at 5:01 pm

    I’m pretty sure it won’t be a brute force attack – any major online system will have protection against that. Somehow someone will have got Barry’s password via other means: keylogger (PC or mobile), access via dodgy WiFi hotspot, or even a malicious inside job by a dissatisfied employee. But I really doubt the ‘brute force’ theory. Or if it was that, someone at Hotmail should be shot for not having lockouts after so many failed attempts.

  61. Ed Says:
    April 25th, 2012 at 5:11 pm

    My passwords always consist of at least one upper case character, one lower case and at least one number. I’ve never had my Gmail account hacked but had my (now deleted) Hotmail account hacked twice…says it all really

  62. Ed Says:
    April 25th, 2012 at 5:12 pm

    And it would seem my ability to spell /use correct grammar has decided to leave today!!

  63. henryg Says:
    April 25th, 2012 at 5:27 pm

    My wife’s GMail account was hacked similarly a few weeks ago. I could not determine how it happened, and she had used her iPad almost exclusively of late.

    Whether, or not, GMail or Hotmail is better, I don’t think this hacking attack should be conclusive one way or another. UNLESS you can show that Hotmail is more vulnerable than GMail. BTW, none of us use Hotmail.

  64. DVD Says:
    April 25th, 2012 at 5:42 pm

    I can believe lots of bad things about Microsoft, Google etc. but not that they’d be open to a brute force attach on web based e-mail. As Paul said, likely some human error or intervention is behind this. I’m less interested in what Microsoft have to say though (if they say anything, it will be just loads of PR nonsense about how they take security seriously and have robust systems and procedures – yadda, yadda, yadda) than I am in hearing what Mr Winder has to say! Was it a Sir Alex Ferguson style hairdryering Barry?!

  65. DVD Says:
    April 25th, 2012 at 5:43 pm

    ‘Attack’. Not ‘attach’. ATTACK. Like I do my keyboard it appears!

  66. pt Says:
    April 25th, 2012 at 5:51 pm

    I’ve heard it suggested (gizmodo?) that a string of four randomly selected words eg. “spiney horse vaults epistle” (including spaces) is both more memorable and more secure than the standard jumble (bG4$*faLL etc.)- any comments?

  67. Robert Mitchell Says:
    April 25th, 2012 at 6:12 pm

    I think my EMail address was hacked because I used the same password at an online merchant. That merchant had access to both the EMail address and the matching password…

  68. Tim Says:
    April 25th, 2012 at 6:48 pm

    I had always assumed that hacked accounts were the result of things like not signing out properly on a public computer or contracting spyware on a PC — in fact when friends start sending out “the link”, it is usually while they are abroad and using internet cafes, etc.

  69. Barry Collins Says:
    April 25th, 2012 at 8:11 pm

    I think there’s a degree of misunderstanding here about how brute force password attacks take place. They don’t attack the front end: I’m fairly sure Hotmail has always had a system that would lock an account after a small number of failed attempts at the password.

    As Davey Winder explained in a recent feature on passwords (which I clearly should have read more closely!), brute force attacks take place offline, against a compromised password database.

    I’m not suggesting that’s what happened in this case or that Microsoft’s servers have been compromised. I’m just explaining that a front end that bars access after a few failed password attempts isn’t a safeguard against brute force attacks.

    Barry Collins

  70. Jimbob Says:
    April 25th, 2012 at 9:13 pm

    I recently had my Hotmail account hacked even though I used a pretty strong password (a serial number for an old bit of equipment that contained numbers/letters).

    I’d like to see a system similar to what Valve have introduced with Steam. Hotmail is getting a poor reputation because of security hacks. With the details also being used for SkyDrive, Windows 8 logon, Xbox, Windows Phone etc etc, its security is becoming extremely important.

  71. Steven Says:
    April 25th, 2012 at 10:57 pm

    Well Barry, maybe you ought to think as well whether your desktop computer was hacked into, and they simply got your password by monitoring what you type in your browser.

    Nothing, absolutely nothing, in what you wrote points to a problem with Hotmail at this stage.

  72. Hayden Kirk Says:
    April 25th, 2012 at 11:10 pm

    Pass-phrases people…

  73. Really Says:
    April 25th, 2012 at 11:13 pm

    “For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.”

    Your password was “pcbarry” wasn’t it?

  74. deagle Says:
    April 25th, 2012 at 11:15 pm

    @Barry. I am the paranoid kind – well, I do IT security for a living!

    At this stage and until you know how your account was compromised, the best advice would be to assume that you may also have been using a compromised client (PC, smartphone) or a compromised network connection.

    Simply changing your password will not necessarily fix the problem; unless your problem was just a guessable (or re-used) password – which you have stated was not the case.

    Note: There is a risk in re-using passwords, e.g. the same password for multiple sites. If (say) you log in to an internet forum with the same email and password as your Hotmail password then the administrator could harvest your username/password combination (or a hacker could upload the password file and crack that. This is made more computationally trivial if they have not salted their password hashes or encrypted their password database – depending on the underlying security technology).

  75. Rob Says:
    April 25th, 2012 at 11:16 pm

    This was widespread. My account was hacked last night as well, and it had a stronger password.

    Spam was sent from Romania.

    @Steven: I haven’t logged into hotmail in several months at a minimum, so it wasn’t keyloggers.

  76. Ben Says:
    April 25th, 2012 at 11:22 pm

    So how much of a contributor is Google to PC mag? Hey, here’s an idea, why don’t I advertise my email address in a public forum with a weak password… that’s sure to make for a good story and prop my sponsors.

  77. Ben Says:
    April 25th, 2012 at 11:24 pm

    In terms of hardness, repeatedly asking the server should be almost impossible. You have to guess before it simply locks the account.

    Brute-forcing their hashes should be nearly impossible. It should be impossible to get them in the first place, and key-stretching should make each possible guess require seconds of CPU time.

    Snooping on your wifi connection is hard, but breaking the SSL connection is much harder. (You do check that little lock icon, right?)

    Getting into your system is comparatively pretty easy, especially since they probably just buy the latest exploits along with their spam software.

    But my guess is cross-site scripting. All it takes is a dodgy site and a browser exploit, and they can just quietly start downloading your contacts and sending email, possibly without even having to steal your credentials.
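
An added worked example from the editor, not code from any commenter or from Microsoft, to make concrete the point Barry raises in comment 69 and Ben in comment 77: an account lockout on the front end caps online guessing, but does nothing against an attacker holding a leaked hash, where only salting and key stretching raise the cost per guess. The leaked hash, the salts and the user name are constructed for the example; the guessing rate it measures is pure Python on one core, so real cracking hardware is far faster.

```python
import hashlib
import itertools
import os
import string
import time

# Everything here is constructed for the example: the "leaked" hash, the salt
# and the user names are not real data.

ALPHABET = string.ascii_lowercase


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols (26**7 for the password in question)."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guessing rate."""
    return space / guesses_per_second


def weak_store(password: str) -> str:
    """The 'before' form: one unsalted SHA-1, as a careless site might store it."""
    return hashlib.sha1(password.encode()).hexdigest()


def stretched_store(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256. A per-user salt defeats precomputed
    (rainbow) tables and each offline guess now costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_offline(target_hex: str, max_len: int):
    """Offline attack on a leaked unsalted hash: no server, no lockout, just
    enumerate lowercase candidates in order and compare. Returns
    (password, guesses) or (None, guesses)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(ALPHABET, repeat=n):
            guesses += 1
            cand = "".join(tup)
            if hashlib.sha1(cand.encode()).hexdigest() == target_hex:
                return cand, guesses
    return None, guesses


def measure_sha1_rate(seconds: float = 0.2) -> float:
    """Rough single-core SHA-1 rate in pure Python; a GPU cracker is several
    orders of magnitude faster, which is the point of key stretching."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hashlib.sha1(b"guess%d" % n).digest()
        n += 1
    return n / seconds


class LoginGuard:
    """The online side: what a front end can do. After `max_failures` wrong
    guesses the account is locked for `lockout_seconds`, which caps online
    guessing no matter how short the password is. It does nothing against
    the offline attack above, because that never talks to the front end."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failures
        self._locked_until = {}  # user -> unix time the lock expires

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        if self._locked_until.get(user, 0) > now:
            return "locked"      # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    space = keyspace(26, 7)
    rate = measure_sha1_rate()
    print(f"26^7 = {space:,}; at ~{rate:,.0f} SHA-1/s one CPU core exhausts it in "
          f"{seconds_to_exhaust(space, rate) / 3600:.1f} h")
    pw, n = crack_offline(weak_store("cab"), 3)
    print(f"recovered {pw!r} from the unsalted hash after {n} guesses")
    salt = os.urandom(16)
    print("same password, different salts, different hashes:",
          stretched_store("cab", salt) != stretched_store("cab", os.urandom(16)))
    guard = LoginGuard(max_failures=3, lockout_seconds=900)
    print([guard.attempt("barry", False, t) for t in range(3)],
          guard.attempt("barry", True, 3))
```

Run it and the two halves of the argument sit side by side: the guard locks the account on the third bad guess and keeps it locked even for the right password, while the offline loop walks straight through 26^n candidates with nobody to stop it. Only the stretched, salted form changes the second case, by making each guess cost two hundred thousand HMACs instead of one hash.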

  78. piersh Says:
    April 25th, 2012 at 11:26 pm

    used any free wireless recently?

  79. Peter Says:
    April 25th, 2012 at 11:28 pm

    i believe he was hacked due to plenty of fish hack that happened a year or two ago. all the passwords there were stored in plaintext.

  80. Libertardian Says:
    April 25th, 2012 at 11:40 pm

    I don’t think his problem is his password. I think his problem is Microsoft’s painfully easy password recovery which has resulted in a lot of Xbox Live account hijacks.

  81. Ken Elliott Says:
    April 25th, 2012 at 11:41 pm

    Perhaps you used a laptop or other mobile device on an open WiFi hotspot. If you don’t use HTTPS, then another user could use a tool like Firesheep to gain access to your account without a password.

  82. James Says:
    April 25th, 2012 at 11:42 pm

    I have to wonder if you were actually hacked; there are a lot of alternatives here that are more realistic, specifically when you said you synced your contacts.

    I think you were probably the victim of a man-in-the-middle read of one of your contact list syncing processes.
    Just because an email looks like it came from you doesn’t mean it did. I can send an email out right now with the from field populated as, any bounce back/undeliverable message will route to that email, not back to me.
    I say this because I have had this happen two times: once when I synced Yahoo to Google, and another when I manually downloaded the CSV from Yahoo. Within 24 hours each time, every one of my Yahoo contacts gets hit with spam.

    Before amazingly reporting that you were hacked, you might want to contact support and ask them if they can see if that email in fact originated from your account… I have Yahoo set to keep a copy of sent mail, and there was no copy when my account spammed people. Yahoo support is useless on technical issues like this, and I couldn’t get them to bother giving a straight answer.

  83. Evan Umenhofer Says:
    April 25th, 2012 at 11:46 pm

    I have over 3000 emails in my Gmail from the service I run (fixing Minecraft maps). Occasionally I get spam from people I help. 0% of them are Gmail. 100% of them are Yahoo or Hotmail.

  84. Adam Williamson Says:
    April 25th, 2012 at 11:51 pm

    @PT: That’s xkcd.

    the important thing is to remember to always use ‘correct horse battery staple’ as your password.

  85. Pedro Says:
    April 25th, 2012 at 11:53 pm

    I would like to see a dissection of the hack. Was your password weak? A keylogger enabled virus on your machine? there are many ways to get access.

  86. Matt Says:
    April 25th, 2012 at 11:58 pm

    FFS, will the “U SHUDA USED A STRONG PW” crowd shut up? If a service has a reasonable policy for ratelimiting / locking accounts after failed login attempts, it doesn’t matter HOW weak the PW is…

  87. Fisk Says:
    April 25th, 2012 at 11:58 pm

    Actually, a 7 letter non-dictionary word password is pretty strong for an online service as any sane such system will (temporarily?) lock you out after a couple of failures. It is only if you have access to the raw password hashes that you can brute force passwords easily, and that requires Hotmail itself to be hacked. I too have had friends with hotmail accounts who got hacked, I suspect there is a vulnerability in the MS sites somewhere.

  88. Sebastien Says:
    April 26th, 2012 at 12:02 am

    man, I had the same Hotmail account for 12-13 years and the last years have been crazy regarding spam and getting the account hacked. Then like for a lot of people, they locked me out of my account. Anyways, I decided to switch over to Hushmail and since then , it’s been 3-4 months and I haven’t got one spam email, not one. I wish people tried different sometimes than the big names..well hushmail is big but for different reasons and a different crowd. A smart crowd..oops…

  89. Ben Says:
    April 26th, 2012 at 12:10 am

    I see this as an IT professional (if you can call yourself one anymore) being lazy in his use of passwords. This is your own fault for not setting a specific password for each service and using a complex password. Come back and complain when you’ve done so. Oh also, you’re probably using MS Antivirus 2012. You may want to remove that from your system.

  90. Caracal Says:
    April 26th, 2012 at 12:27 am

    My girlfriend had a hotmail account and her account was also hijacked. She has switched to Gmail. And don’t forget, GMail has a 2-way-authentication if you need improved security.

  91. Caracal Says:
    April 26th, 2012 at 12:29 am

    Here is a Link to the App for the 2-way-authentication

  92. M Says:
    April 26th, 2012 at 12:29 am

    Hi Barry,
    My hotmail was hacked like this as well. I had assumed at the time the problem was caused by using the same password for other accounts where I also used my hotmail address, and one of those other websites had been compromised. Did you use this password elsewhere?

  93. Zaphod Says:
    April 26th, 2012 at 1:18 am

    Every new tech support client I have had in the last x years with a Hotmail account has had my initial emails end up in their Junk folder. Not so with GMail.

  94. Kevin Says:
    April 26th, 2012 at 1:25 am

    Oh wait: hacked with pro bachar al-assad messages <– scroll down and click Next, it says many fb/twitter groups against bachar got hacked with the hotmail vulnerability.
    And you still wonder how you could get hacked?

  95. Kelvin Says:
    April 26th, 2012 at 1:40 am

    Thank you Barry for bravely sharing your experience. Others may knock you, but what you are doing is openly sharing what has happened to you and many others using web services. I’m sure that will help others be more aware and able to make better decisions.

  96. Jansen Says:
    April 26th, 2012 at 2:17 am

    Just wondering if you used the same password for your Gmail as you did for your Hotmail when you initially migrated. I’ve used hotmail for over 15 years and I’ve never been hacked. I’m also an IT consultant, and the first place I’d be looking for a cause to your issue would be the systems you’re using to access the webmail. Additionally, did your gmail account contain any emails which detailed your intentions to test hotmail? I would not put it past gmail to use that information to their advantage.

  97. Jon Randy Says:
    April 26th, 2012 at 2:26 am

    I have a legacy Hotmail account (just receives spam now) – switched to GMail years ago and have never looked back. The spam filters are better, security seems better (I’ve never seen any friends getting their GMail accounts hacked, or received mail from hacked GMail accounts – get them from Hotmail accounts regularly), viewing threaded messages is better, overall design is better (Hotmail’s interface is badly designed from both an aesthetic and functional perspective), ‘plus’ addressing, it is much faster… the list goes on and on. I don’t understand why people still use Hotmail. Yahoo Mail is better than Hotmail too

  98. Matt Says:
    April 26th, 2012 at 2:43 am

    Was it confirmed as an actual hack where someone logged in from a different IP address? Isn’t it possible that a spammer just used your address in forged “from” and “reply-to” fields, and you’re now getting the bounce-backs?

    Apologies if you’ve inspected the headers and have already addressed this and I missed it.

  99. Matt Says:
    April 26th, 2012 at 2:44 am

    At the moderator, apologies for my last message – I should have thought about it more. Since the message went out to all of his contacts, obviously someone/something *did* have access to his hotmail profile. Feel free to delete both these comments.
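
The question James (comment 82) and Matt (comment 98) raise, whether the spam really left the account or merely wore its From: address, is answered from the headers of a copy that reached a recipient. The following is an added example from the editor, not any commenter's code, that reads the Received chain and the receiving server's Authentication-Results (SPF and DKIM) from two constructed messages: one that genuinely passed through the claimed provider and one that only forged the From: line. The addresses, host names and the X-Originating-IP header (a provider-specific header some webmail systems add; its presence here is an assumption) are all made up for the example.

```python
import email
import re

# Two constructed messages. GENUINE carries a Received chain through the
# provider's own servers and an Authentication-Results header where SPF and
# DKIM pass for the From: domain; FORGED only borrows the From: address.
GENUINE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7]) by mx.recipient.example with ESMTP id abc123; Wed, 25 Apr 2012 19:02:11 +0000
Received: from webmail.example.net ([203.0.113.9]) by mail.example.net with HTTP; Wed, 25 Apr 2012 19:02:10 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net
X-Originating-IP: [203.0.113.9]
From: Barry <barry@example.net>
To: friend@recipient.example
Subject: check this out

http://example.invalid/link
"""

FORGED = """\
Received: from [192.0.2.44] (unknown [192.0.2.44]) by mx.recipient.example with SMTP id xyz789; Wed, 25 Apr 2012 19:05:00 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=example.net; dkim=none
From: Barry <barry@example.net>
To: friend@recipient.example
Subject: check this out

http://example.invalid/link
"""

IPV4 = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def from_domain(msg):
    """Domain part of the (easily forged) From: header."""
    m = re.search(r"@([\w.-]+)>?\s*$", msg.get("From", ""))
    return m.group(1).lower() if m else None


def auth_results(msg):
    """Pull spf=, dkim= and header.d= out of the receiving MX's Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")

    def grab(pattern):
        m = re.search(pattern, hdr)
        return m.group(1).lower() if m else None

    return {"spf": grab(r"\bspf=(\w+)"), "dkim": grab(r"\bdkim=(\w+)"),
            "dkim_domain": grab(r"header\.d=([\w.-]+)")}


def received_ips(msg):
    """IP addresses from the Received chain, sender end first. Only the hop
    added by your own MX is trustworthy; earlier hops can be fabricated."""
    ips = []
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(IPV4, hop)
        if m:
            ips.append(m.group(1))
    return ips


def classify(raw: str) -> dict:
    """Decide whether a message really left the claimed sender's provider."""
    msg = email.message_from_string(raw)
    dom = from_domain(msg)
    ar = auth_results(msg)
    if ar["spf"] == "pass" and ar["dkim"] == "pass" and ar["dkim_domain"] == dom:
        verdict = "sent-through-claimed-provider"   # account or session was used
    elif ar["spf"] == "fail" or ar["dkim"] == "fail":
        verdict = "forged-from"                     # joe job; no account access needed
    else:
        verdict = "inconclusive"
    orig = msg.get("X-Originating-IP")
    return {"from_domain": dom, "verdict": verdict, "origin_ips": received_ips(msg),
            "x_originating_ip": orig.strip("[] ") if orig else None}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, classify(raw))
```

The verdict that matters for this thread is the first one: a message that passes SPF and DKIM for the sender's own domain was handed to the provider's outbound servers by something holding the account's credentials or session, which is consistent with every contact receiving it. A forged From: never gets that far, and typically shows up as a failed SPF check with a Received chain that starts somewhere unrelated.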

  100. George Says:
    April 26th, 2012 at 3:04 am

    Did you use the “Trusted PC” feature on your Windows Live account?

  101. Patrick Says:
    April 26th, 2012 at 5:26 am

    You guys are completely missing the point. Gmail locks your account after a few unsuccessful attempts like most secure websites do. Apparently, Hotmail doesn’t even have that feature and allows hackers to exploit brute force attack, which is the oldest trick in the book. Come on, seriously?

  102. Darren Says:
    April 26th, 2012 at 5:39 am

    7 lowercase characters? It is not Hotmail’s fault if you have absolutely no common sense regarding passwords and security. It’s just a shame they didn’t take your bank details too, which I am sure you keep in a text file on your desktop.

  103. Dvader Says:
    April 26th, 2012 at 6:09 am

    Also remember there are some nice utils (e.g. MailPV from Nir Sofer) to retrieve saved passwords, and it takes 30 seconds to run. Or it was a Sarah Palin-type of hack where the hacker just got hold of the info to retrieve the password through the secret question. I also use LastPass but on W8 CP it is of no use to login. I had a full character set 14 long password on my Hotmail account but when W8 CP came out I had to lower the MS Account quality of the password because I could never ever remember the password to login on my W8 PC box. I would also like to point out if you make several failed attempts with a Hotmail account you are presented with an unreadable captcha which makes retrieving even worse.

  104. wasntnate Says:
    April 26th, 2012 at 6:46 am

    Don’t reuse passwords for different security levels.

    When you sign up for a “less credible site”, they auto try logging into Hotmail with the same password.

    I’d bet you my last beer this is something along the same lines. Been using Hotmail since it ‘was’ Hotmail without issues.

  105. Rev. George Says:
    April 26th, 2012 at 6:59 am

    A password that cannot be remembered easily is really not that useful. And given the frequency with which some services/sysadmins require you to change your password, even a memorable 43 digit mixed case plus numbers and special characters password has a limited lifespan. I’m starting to think XKCD has the right of it…after 20 or so years we’ve made passwords hard for people to remember, but easy for computers to guess…

  106. Nick Says:
    April 26th, 2012 at 7:15 am

    My bet is that it was compromised whilst accessing the account via an insecure WiFi hotspot. As someone else has pointed out, a plugin like Firesheep would allow someone to do this. Also, if Barry was using his laptop in the pub to correct the problem, was that connection insecure and could his new passwords have been compromised?

    Mac users can use Sidestep ( to create a secure connection on open networks. Does anyone know of a similar solution for Windows users?
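
To show what Ken Elliott (comment 81) and Nick (comment 106) mean by Firesheep over open WiFi, here is an added example from the editor (not a commenter's code, and not Firesheep itself) with a constructed capture of three requests as a sniffer on a hotspot would see them. The harvesting function only ever looks at plaintext HTTP, which is the whole attack: the session cookie is the login. The second half models the browser rule that the Secure cookie attribute enforces, and puts a weak Set-Cookie next to a hardened one. Host names, cookie names and the token value are invented for the example.

```python
import re

# Constructed capture of what a sniffer on an open hotspot sees. For the TLS
# connection only the fact that it exists is visible; the HTTP inside it is not.
CAPTURE = [
    ("http",  "GET /mail/inbox HTTP/1.1\r\nHost: webmail.example.com\r\n"
              "Cookie: theme=dark; SESSIONID=9f3c1a7e2b\r\n\r\n"),
    ("https", None),
    ("http",  "GET / HTTP/1.1\r\nHost: news.example.org\r\nCookie: lang=en\r\n\r\n"),
]

# Cookie names this toy sniffer treats as session tokens (an assumption for the example).
SESSION_COOKIE_NAMES = {"SESSIONID", "PHPSESSID", "JSESSIONID"}


def harvest_sessions(capture, names=SESSION_COOKIE_NAMES):
    """Sidejacking in one function: from plaintext HTTP requests only, pull
    out (host, cookie name, value) for anything that looks like a session
    token. Replaying that cookie is a login without the password."""
    found = []
    for scheme, raw in capture:
        if scheme != "http" or raw is None:
            continue
        host = re.search(r"^Host:\s*(\S+)", raw, re.M)
        cookie = re.search(r"^Cookie:\s*(.+?)\r?$", raw, re.M)
        if not cookie:
            continue
        for part in cookie.group(1).split(";"):
            name, _, value = part.strip().partition("=")
            if name in names:
                found.append((host.group(1) if host else "?", name, value))
    return found


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for p in pieces[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name, value, attrs


def browser_would_send(set_cookie_header: str, scheme: str) -> bool:
    """The browser rule that makes `Secure` matter: a cookie set with the Secure
    attribute is never attached to a plaintext http:// request, so there is
    nothing for the sniffer to harvest even if the user types http://."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    return scheme == "https" or "secure" not in attrs


# Before and after on the server: same token, different attributes.
WEAK_SET_COOKIE = "SESSIONID=9f3c1a7e2b; Path=/"
HARDENED_SET_COOKIE = "SESSIONID=9f3c1a7e2b; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    print("harvested:", harvest_sessions(CAPTURE))
    for label, hdr in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(f"{label}: sent over http? {browser_would_send(hdr, 'http')}, "
              f"over https? {browser_would_send(hdr, 'https')}")
```

The user-side fix the commenters describe (a VPN, or forcing HTTPS for the whole session rather than just the login page) removes the plaintext request from the capture entirely; the server-side fix is the hardened Set-Cookie plus an HSTS header so the browser never downgrades to http:// in the first place. Checking the lock icon only on the login page is not enough if the mailbox pages afterwards go back to plain HTTP.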

  107. David Wright Says:
    April 26th, 2012 at 7:23 am

    @JohnAHind LastPass is pretty secure, it has already proved itself against a few hack attacks.

    As to the password being simple, the whole point of services like LastPass, is that you secure it with a strong password, but because it is the only one you need to remember, it can be pretty darned tough.

    Steve Gibson did a good in depth look at LastPass last year, talking with the owners, analysing how they do their encryption and how the data is stored – basically, even if they hack the LastPass database, without the individual users salts, they wouldn’t be able to do anything with data they got.

    His Security Now podcast on the matter is well worth a listen.

  108. David Wright Says:
    April 26th, 2012 at 7:28 am


    Which of the following two passwords is stronger,
    more secure, and more difficult to crack?



    Funnily enough, the former is stronger because it is longer!

    Check out the Password Haystacks page at

  109. me Says:
    April 26th, 2012 at 8:37 am

    Hotmail accounts typically are compromised through the retarded ‘Security question’ system that almost forces you to use questions that anyone can guess, let alone people who know you even slightly.

  110. Richard Corfield Says:
    April 26th, 2012 at 9:07 am

    Re: 95 – always strikes me as bad that one. I have to have a password 100 character mixed case with 10 numbers and a few foreign alphabets – but the whole thing can be reset by guessing the name of my first dog.

  111. bartblaze Says:
    April 26th, 2012 at 9:10 am

    A bit of a shameless plug, but not too long ago I wrote a blogpost concerning this issue:

  112. AI Says:
    April 26th, 2012 at 9:17 am

    If you answer whats my name with your name thats your fault …

    Just treat it as a second password. my first pet was called
    Or is that too hard?

  113. Richard Corfield Says:
    April 26th, 2012 at 9:24 am

    I was going to say that my first dog does have a quite long and very unpronounceable name. It made calling him back on walks quite challenging I can tell you! :-) Getting the numbers and the # symbol in really made you sound like you were speaking Klingon or something. :-)

  114. baldmosher Says:
    April 26th, 2012 at 9:26 am

    I’ve only ever been hacked once, eBay account with an 8-character string of letters, but restoring that account was painless, as eBay apparently have quite good anti-fraud technology, but mainly the attack was very specific, and not very sophisticated. The hassle of having to change all my passwords was outweighed by the relief that it wasn’t far, far worse because I re-used that password so many times. I now use LastPass, the master password has 50 alphanumeric characters, so if someone were to hack that I would immediately suspect a keylogger. Don’t let LastPass remember your online banking passwords, and the damage is always limited. If your memory is bad, one easy solution is to prefix one common, complex passphrase with an easy to remember system, e.g. the third character of the name of the site you’re visiting. None of which stops a keylogger.

  115. Daniel Says:
    April 26th, 2012 at 9:37 am

    You only have to look at the Microsoft support forum to see how many users have their accounts hacked or suspended. I really want to transfer over to Hotmail (and escape the poisonous embrace of Google)… but all of this makes you think twice. I think some sort of answer from Microsoft (e.g. IP addresses that have accessed your account?) might set our minds at ease. Or not!

  116. Neil Says:
    April 26th, 2012 at 9:46 am

    At least the article was honest that the same password is used across multiple systems, and that the different password complexity policies on each were the only reason they were different. The main trick is when you give your email address and password to another site and they try to login. I bet other sites use the same as Hotmail, but the Gmail one and others aren’t the same as other sites.

  117. Stu Says:
    April 26th, 2012 at 10:07 am

    The fact he knew his password is probably more of an indicator than anything. Use password managers, more than one (with different master passwords) to split the risk. Have the password so strong that you can’t even remember it and have different ones for each site.
    If you expect to remember your passwords you are already limiting the complexity. VPN from the pub to your decent firewall when off site, especially if using wifi, and have that VPN log on different to your domain log on so if the VPN details got out they still need the local privileges. Normal IT stuff I thought. My hardest problem is getting the people at the top to understand position increases risk, not reduces it; you may be the chairman of the golf club but you still need a good password and understanding of threats. I’m not disputing it should not be allowed to be that insecure.

  118. Saetana Says:
    April 26th, 2012 at 10:16 am

    I used to use the same lowercase password (made up of a word and name strung together) for all my websites, when my Hotmail got hacked I decided to change things. Obviously for security reasons I cannot say exactly what I did but I now have a system which I use (in my head, no software required) to create a password for every single one of the hundreds of websites of which I am a member. They are all different, use 3/4 of the possible letters/numbers/symbols, and I have had no problems with my Hotmail in the last three years. In these cases it is almost always the user that is at fault, whether it be for using an unsecured network or by using the same password for multiple sites – I cringe about how careless I used to be with my passwords. I’d agree that a keylogger sounds likely or a hack on an unsecured network, assuming https was not being used (I don’t as I never check my Hotmail on any PC other than my own). I love Hotmail and they have only made it better over the years, Google can take their new privacy policy and shove it where the sun don’t shine ;o)

  119. Urbanaut Says:
    April 26th, 2012 at 10:24 am

    DGS has an incentive to go hacking your account in anticipation of his book release on IT Security. Have you had a chat with him lately?

  120. josh Says:
    April 26th, 2012 at 10:36 am

    Anyone who creates a 7 character password deserves to get hacked…

  121. Henry Says:
    April 26th, 2012 at 10:56 am

    I had the same experience as Barry – not with Hotmail, though. It was with the Google-powered Virgin Mail service. I had also backed up all my contacts list there. When this happened I immediately removed all these from the site as well as changing my password. I had a hard look at the stuff in the spam folder and it seemed to me that there were a number of suspicious entries all addressed to “me” with a message starting with my web address and followed by something like © ROLEX Inc ® Discount-6​215802 …etc and some other variations on the theme. I have no proof that the problem of the hijacking of my contacts started from that source, but without any contacts list entries, this sort of spam hijack has nowhere to go. What’s worse, I can’t see any easy way of deleting the 500+ spam entries there except in 50 bite chunks. So I shan’t be uploading my contacts there again in a hurry.
    I also have a dormant Hotmail account with a backup of my contacts and been thinking of using that as a backup for my emails instead of Gmail – not sure now!

  122. issieman Says:
    April 26th, 2012 at 11:47 am

    Been using hotmail since 2004 with no problems. The problem here is we now have more things linked to our hotmail account, even from the PC itself. I better start having a backup contingency plan. I have set up a Gmail account for just contacts and nothing else and another account for mail backup. When I need to send an email my contacts are automatically pulled from gmail.

  123. issieman Says:
    April 26th, 2012 at 11:51 am

    Additional precaution : set-up a virtual pc and use that for browsing the web. Another thought you might have been compromised from your Smartphone.

  124. bah Says:
    April 26th, 2012 at 12:47 pm

    Is this a joke?

    How is the fact that you got compromised even related to Hotmail?

    You do realize it was almost surely your fault, right?

    Anyway, I guess I now know to never trust anything from PC Pro.

  125. Pete Says:
    April 26th, 2012 at 1:26 pm

    So are you living in Brighton then (noticed the concord2 email) :)

  126. Harry Says:
    April 26th, 2012 at 1:54 pm

    I switched to Hotmail from Gmail 2 years ago… I haven’t been hacked. I think that this problem you encountered says more about using weak passwords than it does anything about Hotmail.

  127. Observer Says:
    April 26th, 2012 at 5:17 pm

    It will happen to you again and again if you keep using the same password on bunch of websites. One can hack website database with emails and passwords and since most people are using the same easy password on trash resources they just check if that password works with email provider\facebook\twitter\myspace.

  128. Sven Says:
    April 26th, 2012 at 5:53 pm

    Your Hotmail wasn’t hacked, because hacking Hotmail is virtually impossible (even with bruteforce when knowing the exact amount of characters). You probably didn’t use a strong password or this was retrieved by a keylogger. The problem isn’t Hotmail, but PEBCAK!

  129. LOL Says:
    April 26th, 2012 at 6:03 pm

    Wow, what a clown!
    You need to be fired for being so inept.

    You used a 7 character password made up entirely of lowercase letters! You used this password for multiple accounts!! And when you get your shit hacked you blame MS?

    What a clown!

  130. Kelly Says:
    April 26th, 2012 at 6:39 pm

    I wonder if it was actually a packet sniffer when using a public wifi, or wifi eavesdropper. Most systems have the captcha mechanisms anymore…Gotta be careful what you do when in public

  131. Rob Says:
    April 26th, 2012 at 8:30 pm

    So, you were using a 7-letter password comprised entirely of lower case alpha characters and you consider it fit for you to conclude that “[you] simply can’t trust Hotmail anymore.”? How dare you? Microsoft are running a business and you consider yourself suitably qualified and able to pass a critical judgement on how good their product is? Get your own house in order and either move out of the glass house or stop throwing stones. I used to be a huge advocate of PC Pro and espoused your A-List as my de-facto standard of what technology people should buy if they were in the market for something new but the absolute minimum standard of any reviews-based publication is that you should practice what your publication preaches.

  132. Rob Says:
    April 26th, 2012 at 8:39 pm

    Moreover, on the Windows Live ID signup page (which I presume you must have reviewed as part of your duty as a diligent journalist, didn’t you?), Microsoft say “Strong passwords contain 7-16 characters, do not include common words or names, and combine uppercase letters, lowercase letters, numbers, and symbols.” They aren’t saying this because they want to fill the space on the page, they are saying this because they recommend that it’s what YOU should do to protect your account. If you choose to brazenly ignore their advice on the single most important security risk that exists for your email account, I maintain that you have no legitimate platform from which to proclaim that “[you] simply can’t trust Hotmail anymore.” Au contraire, your readership simply can’t trust you to diligently perform reviews any more.

  133. J. Says:
    April 26th, 2012 at 10:12 pm

    A (now-fixed) password reset hack for Hotmail was posted to full-disclosure today:

  134. Ars Says:
    April 27th, 2012 at 3:02 am

    “Microsoft patches major Hotmail 0-day flaw after apparently widespread exploitation”

    It’s up on Ars.

  135. Anon Says:
    April 27th, 2012 at 3:19 am

  136. Bubbly Says:
    April 27th, 2012 at 4:27 am

    Lol hate to bring it to you as you are a PC magazine editor.. A lower case password is NEVER safe. It won’t be safe when it’s 10 characters, it won’t be safe when it’s 15 characters.

    Can’t blame Hotmail for this, it’s 100% your fault buddy..

  137. James Says:
    April 27th, 2012 at 4:33 am

    Not your fault. Hotmail had a widely-exploited password reset vulnerability recently patched by Microsoft.

  138. Neil Says:
    April 27th, 2012 at 9:27 am

    Can’t believe so many people are whining about password strength. 7 alpha characters isn’t many but it’s plenty if an attacker can’t get the encrypted version to run a brute-force attack, because as someone already said, Hotmail DOES limit the number of tries. Also, packet sniffing isn’t the answer either – HTTPS is used for webmail logins. Keylogger? Maybe, but major egg on face for a journo who gets bitten by one of those ;-) No, like someone else above, I would simply have assumed the “Palin” hack, via the (lame) reset questions. But now the reset *exploit* looks like the real story. Now that’s genuinely bad press for MS…

  139. name Says:
    April 27th, 2012 at 9:44 am

    It was probably exploited and yes, a seven character, lower case password is safe enough if the service in question has a proper system in place to prevent brute-forcing, which should be the case for every major internet service by now.

  140. Roland Says:
    April 27th, 2012 at 10:11 am

    Oh that sucks! It seems that you may be hit by the zero-day exploit which got so widespread Microsoft just patched:

  141. Damian Says:
    April 27th, 2012 at 10:20 am

    “Moving from Gmail to Hotmail: the disastrous conclusion”

    Any chance of changing the title to something else as it paints a POOR picture for Hotmail when people pass through

  142. Davey Winder Says:
    April 27th, 2012 at 10:50 am

    1. Oi Barry! What do you mean parental glare, I’m not that old. Actually, I might be, come to think of it.

    2. I would be hugely surprised, as others have commented, if Barry does not prove to have fallen victim to the zero-day exploit which Microsoft has now patched. This allowed the bad guys to reset Hotmail passwords via the password recovery service without being bothered by the token-based protection measures which only blocked a session if the value was empty. It was, as it turned out, pretty damn easy to bypass this protection, and attackers were able to decode CAPTCHA authentication and send automated values to the Hotmail password reset module at will.

    3. That said, in this day and somewhat hackworthy age, a seven character lowercase password stinks more than an underpants-based cheese storage facility. Oops, there is that parental glare of which Barry spoke :)
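
Davey's description of the reset flaw (a token check that only rejected an empty value) is the kind of bug that is easiest to see as code. The following is an added illustration by the editor, not Microsoft's code and not the actual Hotmail module: `vulnerable_check` reproduces the class of check described above, and `check` beside it is what a reset endpoint needs. The second pair addresses comments 109 to 113 on security questions by storing the answer the way a password should be stored. Names, TTLs and the sample account are assumptions for the example; CAPTCHA handling is a separate control and is not modelled.

```python
import hashlib
import hmac
import secrets


class ResetTokens:
    """Two versions of the token check in a password-recovery flow.
    `vulnerable_check` models the class of bug described above: the only thing
    it rejects is an empty token. `check` is what the endpoint needs: a random,
    single-use, expiring token bound to one account, compared in constant time
    against a stored hash. Illustrative code, not Microsoft's."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._pending = {}   # account -> (sha256(token), expiry as unix time)

    def issue(self, account: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[account] = (hashlib.sha256(token.encode()).digest(), now + self.ttl)
        return token  # goes only to the account's recovery channel, never echoed back

    @staticmethod
    def vulnerable_check(account: str, token: str) -> bool:
        # BUG: anything non-empty passes, so whoever can reach the reset module
        # for `account` can supply "x" and move on to setting a new password.
        return bool(token)

    def check(self, account: str, token: str, now: float) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                       # nothing issued, or already used
        digest, expiry = entry
        if now > expiry:
            self._pending.pop(account, None)
            return False
        ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)
        if ok:
            self._pending.pop(account, None)   # single use: a replay fails
        return ok


def store_answer(answer: str, salt: bytes) -> bytes:
    """Treat a security-question answer like a second password: normalise it
    so 'Rex' and ' rex ' match, then store a salted, stretched hash, never the text."""
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 200_000)


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(store_answer(answer, salt), stored)


if __name__ == "__main__":
    rt = ResetTokens(ttl_seconds=60)
    print("vulnerable check accepts 'x':", ResetTokens.vulnerable_check("barry", "x"))
    tok = rt.issue("barry", now=0)
    print("wrong token:", rt.check("barry", "x", now=1))
    print("right token:", rt.check("barry", tok, now=1))
    print("replayed token:", rt.check("barry", tok, now=2))
    salt = secrets.token_bytes(16)
    stored = store_answer("Rex", salt)
    print("answer matches:", verify_answer("  rex ", salt, stored))
```

Storing the answer hashed does not make a guessable question any less guessable, which is the real objection in comments 109 and 110; it only stops the answer leaking wholesale if the database does. The practical advice in comment 112, using a random second password as the "answer", is what makes the question itself safe.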

  143. Barry Collins Says:
    April 27th, 2012 at 11:10 am

    I consider myself suitably and rightfully admonished, Mr Winder.

    However, I don’t think I did fall victim to the zero-day exploit, as that would have required the hackers to reset the password. I was still able to access my account after it was hacked.

    Barry Collins

  144. AW Says:
    April 27th, 2012 at 11:39 am

    Hot off the press! “Microsoft plugs leak that allowed hackers to reset Hotmail passwords”.

  145. AW Says:
    April 27th, 2012 at 11:40 am

    Here is the link.

  146. Davey Winder Says:
    April 27th, 2012 at 11:41 am

    Certainly not the zero-day then. It will be interesting to see what Microsoft digs up regarding your particular breach in that case.

  147. AW Says:
    April 27th, 2012 at 11:43 am

    Argh!…. Read first, then post…

  148. sprainedmind Says:
    April 27th, 2012 at 11:48 am

    @Ben (No 76)

    Go to the PCPro homepage (with adblock off). I can see three different Microsoft Private Cloud ads, one for IE9 and a ‘featured video’ on Office 365.

    Can we do away with the conspiracy theories now please?

  149. DVD Says:
    April 27th, 2012 at 1:03 pm

    Can I, as some others have alluded to, and notwithstanding the spanking you deserve from Davey for such poor password policy, say that I have to admire the way you’ve manned up here Barry for the greater good.

    Thank you.

  150. Neil Says:
    April 27th, 2012 at 1:17 pm

    Aha, not reset… so basically it was “pcbarry” then? :)
    And Davey – what’s wrong with a 7 char lowercase password when the attacker has limited attempts? (7 characters is still a HELL of a lot of combinations.)

  151. DVD Says:
    April 27th, 2012 at 1:42 pm

    7 lower case characters is just over 8 billion combinations. Not that many by today’s standards Neil, especially once you consider the use of rainbow tables and social engineering.

  152. Steve Armstrong Says:
    April 27th, 2012 at 2:55 pm

    OK, let’s keep it real: the attack is either (an online bug), or malware on a device used, or a guessing of the user’s password.

    Let’s keep OFFLINE brute force attacks off this discussion, as if Hotmail had lost the hashes relating to user passwords it would be such a PR disaster to Hotmail that users would leave in their millions. There is no report of mass user compromise, and no hack reported by Microsoft. There is a distinct difference between online guessing and offline cracking.

    Regards, Steve Armstrong

  153. DVD Says:
    April 27th, 2012 at 3:11 pm

    Just to be clear – I was responding to Neil’s assertion that 8 billion is a lot, not claiming that this was a brute force attach when clearly it isn’t. You’ll see from very early on in this discussion that my theories, like others, are either unencrypted connection sniffing or human error/intervention.

  154. DVD Says:
    April 27th, 2012 at 3:12 pm

    Grrrrr!!! ATTACK!

  155. Steve Armstrong Says:
    April 27th, 2012 at 3:34 pm

    Or, like a lot of people that are in IT for a long time, they get comfortable (sloppy) once in a while; let’s face it, a 7 char password has no place in the modern internet.

  156. Dom De Vitto Says:
    April 27th, 2012 at 4:19 pm

    Yeah, but apart from losing a lifetime of credibility with your colleagues, peers, friends and family, and having your Windows 8 PC exposed to attack, and losing all your confidential email, and potentially access to all your websites (that you registered with your hotmail account)…..
    ….was it what you expected?

    Let’s be honest, just because it’s a website, doesn’t mean it’s not the same quality of security as every other Microsoft product :-(

  157. Anon Says:
    April 27th, 2012 at 4:25 pm

    The hotmail exploit probably had nothing to do with this case.

    Use a strong password generated by an app like KeePass. Use two-factor authentication. Never re-use passwords. Use a password manager for password storage.

  158. Jeffrey Carr Says:
    April 27th, 2012 at 5:59 pm

    This isn’t a Hotmail v Gmail issue. It’s a bad password issue. Any password less than 10 characters can be brute-forced. Think Passphrase, not Password.

  159. Bill Gates Says:
    April 27th, 2012 at 7:53 pm

    “I’m sure there are plenty of people who’ve had their Gmail account compromised too”.

    No there aren’t. Google’s record in this regard may not be perfect but it is much, much, much better than Microsoft’s.

  160. PaulX Says:
    April 27th, 2012 at 8:09 pm

    One of my Hotmail accounts was also recently hacked and sent the same junk to my contacts. Luckily these were only mailing lists so no real harm done. My Yahoo account was also hacked awhile ago, sending junk to real people.
    Since then I have separated people between 3 different accounts, just to be safe.
    I like Hotmail and to be honest I think it is better than Gmail, but I just can’t quite bring myself to use it as my main email server and I don’t really know why.

  161. Diego Says:
    April 27th, 2012 at 9:55 pm

    I had the same problem with Hotmail and Yahoo Mail. And I have to say that Hotmail is the worst of all (at least Yahoo lets you monitor that there was a strange login in your account, and I’ve used that information + WHOIS to report the spammer to the origin ISP).

    I use three webmail services: Hotmail, Yahoo and GMail.

    GMail is the best by far:
    - It has the best security audit options (you can check where the logins to your account come from).
    - IMAP support (the last time I’ve checked Hotmail doesn’t support IMAP)
    - The responsiveness of the UI: Yahoo Mail is bloated, and Hotmail is painfully slow
    - And the best of all… the keyboard shortcuts support. I know that is an advanced option that most users don’t know, but the keys j,k,x,y became part of my mail reading habits and it really speeds things up

    The only reason why I keep Hotmail and Yahoo is because some people still have those old contacts and GMail POP reading from other accounts doesn’t work so well. Apart from that, the only reason not to choose GMail today is if you are concerned with the Google mail content scanning to target ads… but I bet that Hotmail/Yahoo maybe do the same without telling you.

  162. Diego Says:
    April 27th, 2012 at 10:45 pm

    I just read the comments about password.

    Folks, it’s not about strong passwords!!
    Probably the hacks are not brute force ones; any decent server blocks your account if you try to brute force the password.

    The Hotmail hacking must be caused by some exploit like POP3 sniffing (pass goes in plain text in standard POP3), LiveMessenger is another source… whatever.

    And about sites that check if your password is strong, LOL, that’s the most lame thing to do on the Internet: “give me your password, I will check it… and then use it in well-known sites like Hotmail”

    The only good measure about passwords that you can take is to not use the same one everywhere. Maybe you create a user in that obscure forum… and you don’t know what they do with your data, or if they have the proper measures to avoid hacking.

  163. ImaWestie Says:
    April 28th, 2012 at 7:06 am

    My wife had her hotmail account hacked while the only computer she ever used was a laptop running ubuntu connecting via WPA-2 with a “sensibly secure” wifi password.

    I think it’s a Microsoft problem with Hotmail, because it happens with users of a wide variety of user-end devices: smartphones, both Apple and Android tablets, PCs and laptops running open source, Microsoft and Apple operating systems.

    And my wife’s password is about 15 characters long, contains upper case, lower case, symbols and numerals.

  164. Rob Says:
    April 28th, 2012 at 8:04 pm

    How can you say this isn’t about strong passwords, Diego? Barry has already said it’s a 7-character lower-case password comprised of an acronym and a proper noun. Barry has declined to confirm what the password actually was but does it not seem likely to you that his password was ‘pcbarry’? Suppose for a moment that it was, as seems entirely plausible, is it now legitimate to say it’s not about strong passwords? I’d hazard that this explanation is far more plausible than some ‘man in the middle’ using a packet sniffer to get his password.

    What’s important is that Barry didn’t follow Microsoft’s recommendation when reviewing their product and then saw fit to judge them as not being trustworthy. Surely it’s not just me who sees the double-standard and the hypocrisy here?

  165. Jay Says:
    April 29th, 2012 at 5:27 am

    Barry, more than likely your password was not hacked. You probably got Firesheep’d when using Hotmail on public WiFi- you should have turned on HTTPS on your Hotmail account. While Microsoft should enable HTTPS by default, as a tech journalist you should be educated about how to stay safe over public WiFi, shouldn’t you?

  166. D Says:
    April 29th, 2012 at 10:46 am

    As a specialist in fraud risk management I can sympathise. I also had the same issue with hotmail. And my password has a number and piece of punctuation in it…

    Shut down my hotmail account, never again.

  167. Charles R Says:
    April 29th, 2012 at 1:49 pm
    Seems there was a bet that ANY Hotmail account could be hacked in under one minute. They just changed the password; it didn’t matter how strong it was.

  168. Sharmil Says:
    April 29th, 2012 at 2:28 pm

    Dear Barry,
    I thought only Yahoo was suffering from this vulnerability. Actually your account is hacked by an automated script running on many sites on the internet and not hacked by anyone in person. Though the script would definitely belong to some hacker group, the bottom line is, it is an automated attack.

    Any email account including gmail can be hacked in this manner.

    How it works?

    If you have your email account logged in and open in one tab and in other tabs you are surfing other websites, then as soon as you surf any website which is infected by that malware (which runs email hijack scripts) it is able to somehow get your password and it automatically sends spam to some of your contact list, deletes it from sent items and even from trash. It continues to use your account for sending spam periodically. And all this is done automatically by a script and not by a dedicated person.

    Simply changing the password would work, till you go visit the infected site again with the changed password.

    It is to be noted here that the strength/weakness of the password and the email service don’t matter at all. It is just that you need to visit the infected site with your email id signed in (gmail, yahoo, hotmail, aol, any) and you are hacked.

    How to detect:

    It can only be detected if you get a reply from any of the recipients. In my case I was gratefully lucky that one of the recipients was my own gmail id.

    Or if the service provides log in info like gmail then you can detect it from that also.

    It is widespread and worldwide affecting and compromising millions of email accounts in a very clean way.

    Sometimes if you are lucky and using Chrome then it will warn you with a red page before visiting the malware infected website; in my case it warned. But as my laptop had the latest antivirus installed with internet security I ignored that warning with confidence. And in the evening got spam mail from my yahoo id to my gmail id.

  169. Wack0 Says:
    April 29th, 2012 at 7:50 pm

    You don’t need a hotmail account to link to win8 etc, only a windows live account, which can be for *any* email address. And in fact, my main Windows Live account is for an email address which doesn’t even exist anymore!

  170. Nebs Says:
    April 30th, 2012 at 9:31 am

    D: “As a specialist in fraud risk management I can sympathise……Shut down my hotmail account, never again.”

    Why were you using it in the first place? I can only assume you failed to conduct a risk assessment in the first place? LOL

  171. Daniela Ortu Says:
    April 30th, 2012 at 11:45 am

    Well, I had people using Hotmail having the same issue, as well as Yahoo, and even a friend on GMAIL with exactly the same. I guess it is not really down to Hotmail then! I personally use Hotmail only for the junk and Gmail as my main email address… still it seems that no provider is totally free from spam…

  172. Neil Says:
    April 30th, 2012 at 2:46 pm

    Well… I very much look forward to hearing what MS tell Barry about his specific hack. That’s if they ever tell him the truth AND also allow him to share it with us… A bunch of us went off down the “reset exploit” path, quite forgetting that Barry had said right at the start that he was still able to log in (i.e. no password change). OOPS ;-)

    @DVD (#151,#153): you mention rainbow tables – but (surely) that makes no sense unless you have a password hash to attack in the first place. And actually I disagree about 8 billion – it’s a very very big number if you only get 10 guesses at a time. I’m glad you don’t seriously believe that it was brute-forced.
    You mention social engineering too – if by that you mean educated guesswork then yes, certainly, someone can choose a bad 7 character password (”pcbarry”? :-) ) but that doesn’t mean that all 7 character passwords are easily defeated.
    Regarding unencrypted sniffing, I remind you that HTTPS is used for the login sequence, even if it isn’t on for the rest of the traffic. Is it even possible to turn off HTTPS for Hotmail login? And if so would anyone sane do it??

    Look: I’m not advocating 7 character lowercase passwords for all. If the password hash is available, it could be trivially cracked. But if the hash is NOT available, and the guess rate is constrained to a fairly low value (e.g. CAPTCHA as Hotmail apparently use) then let’s be real – you’d still need to be spectacularly unlucky to get brute-forced. Ballpark estimate: 40 man-years of CAPTCHA recognition to let you explore 10% of the 8 billion options, at 10 tries per CAPTCHA. (And is it not likely that Hotmail’s security systems might take a different tack after a few thousand failed attempts on an account?)

  173. Karim Hosein Says:
    April 30th, 2012 at 7:04 pm

    I do not think the strength of his password is at issue. I get more spam from Yahoo mail than Hotmail and no spam from Gmail (thus far), but my wife had a Yahoo account with an eight-character non-dictionary password including upper case, lower case and numbers and it still got hacked. Yahoo said, “change your password”, which she did, and the spamming continued.

    She moved to a GMail account with a similar password and no spam to date.

    I do not think spammers are hacking the passwords; I think they are hacking the system to spam through any existing account without the need for a password and I think that that is the strength of GMail, it keeps its system secure from spoofing through its servers.

  174. Karim Hosein Says:
    April 30th, 2012 at 7:29 pm

    …In other (old) news, security sites claim that password length is not relevant to cracking ease unless the cracker knows the password length in advance.

    If my password had to be between 4 and 12 characters long, cracking a 4-letter password would be just as hard as a 12-letter password because every combination between 4 and 12 must be tried.

    Password complexity introduces better protection against dictionary-based attacks but still does not help against brute-force attacks, which may take longer but are just as effective regardless of password length.

    The best protection is securing the system with intrusion detection and prevention features, something that falls on the heads of the service provider and not the end-user.

    Still, I always recommend passphrases with character substitutions for the old-school, sophisticated, targeted hackers who depend on knowing their victims’ minds.
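    The thread argues about whether 8 billion guesses is “a lot” (#151, #152, #172) and about whether a shortest-first search really has to try every length in a 4–12 range before finding a short password (#174). The script below, an added example and not part of the original post or of any commenter’s text, puts numbers on both: the keyspace of 7 lowercase letters, the years an online attacker would need under Neil’s CAPTCHA-limited model, the seconds an offline attacker would need against a leaked hash, and how many candidates a length-ordered search spends before it ever reaches the longer lengths. The 15-second CAPTCHA solve time and the 10^9 hashes/second offline rate are assumptions chosen for illustration, not figures from the page.

```python
"""Online vs offline password-guessing cost estimates (constructed example)."""

LOWERCASE = 26                       # a-z, the alphabet of a 7-char lowercase password
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_range(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Total candidates across every length from min_len to max_len inclusive."""
    return sum(keyspace(alphabet_size, n) for n in range(min_len, max_len + 1))


def guesses_before_length(alphabet_size: int, min_len: int, target_len: int) -> int:
    """Candidates a shortest-first search exhausts before it begins on `target_len`.

    A search ordered by length finds a short password long before it touches the
    longer lengths, so the total size of the 4..12 range is not what protects it.
    """
    return keyspace_range(alphabet_size, min_len, target_len - 1)


def online_years(candidates: int, fraction: float, tries_per_captcha: int,
                 seconds_per_captcha: float) -> float:
    """Wall-clock years to try `fraction` of the candidates when every
    `tries_per_captcha` guesses cost one human-solved CAPTCHA (assumed model)."""
    guesses = candidates * fraction
    captchas = guesses / tries_per_captcha
    return captchas * seconds_per_captcha / SECONDS_PER_YEAR


def offline_seconds(candidates: int, hashes_per_second: float) -> float:
    """Seconds to exhaust the whole keyspace against a leaked hash at an assumed
    cracking rate; no lockout or CAPTCHA applies once the hash is offline."""
    return candidates / hashes_per_second


if __name__ == "__main__":
    seven_lower = keyspace(LOWERCASE, 7)
    print(f"7 lowercase chars: {seven_lower:,} candidates")
    # Neil's scenario (#172): 10% of the space, 10 tries per CAPTCHA, 15 s per CAPTCHA (assumed).
    print(f"online, CAPTCHA-limited, 10% of space: {online_years(seven_lower, 0.10, 10, 15.0):.1f} years")
    # Assumed offline rate of 1e9 hashes/s against a leaked unsalted hash.
    print(f"offline at 1e9 H/s, whole space: {offline_seconds(seven_lower, 1e9):.1f} seconds")
    # Karim's 4..12 range (#174): how far a shortest-first search gets before each length.
    for length in (4, 7, 12):
        before = guesses_before_length(LOWERCASE, 4, length)
        print(f"guesses spent before trying length {length:2d}: {before:,}")
    print(f"whole 4..12 range: {keyspace_range(LOWERCASE, 4, 12):,}")
```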

  175. Andrew Says:
    May 1st, 2012 at 10:08 pm

    Here’s the answer:

    Microsoft’s password change facility got hacked.

  176. Xara Says:
    May 2nd, 2012 at 12:52 am

    Any ideas how they managed to hack you?

  177. kk Says:
    May 2nd, 2012 at 10:37 am

    My Hotmail account (with a strong password) was hacked on 20th Apr. It’s still locked out on 2nd May. The only thing I can do is to change my Hotmail password. Doesn’t help.

    Besides that, using the password reset function and my Hotmail account, my Twitter and Facebook accounts have been hacked as well.

    How to get opened? No help/information from Microsoft – at least yet.

    Here we are and it seems that I’m definitely the only one (ref

  178. Void Says:
    May 3rd, 2012 at 5:42 pm

    Makes me remember an old xkcd comic

  179. Shady Says:
    May 3rd, 2012 at 8:28 pm

    Yup, it’s disastrous alright. Just before I came across your blog, I had a little too much time on my hands and decided to check out Hotmail again and see if it’s gotten any better than I used to know it (I moved to Gmail six years ago, too.) So, I reactivated my old account and all, and went through all the sites, forums and what not that I’m registered in (the ones I could remember, anyway) and changed my email address. A mere one day in, I log back into my account after having left it unattended a few hours, and lo and behold: 80-something “delivery status notification” messages. Yup, I’ve been hacked. Yup, Hotmail is still as insecure as ever. Yup, it still sucks. Moving back to Gmail tonight. I mean, Windows 7 is great and all, but Oh my God! Microsoft ain’t worth jack **** when it comes to web-based stuff.

  180. Rob Says:
    May 4th, 2012 at 10:15 pm

    Any chance of an update on this please, Barry – even if it’s to confirm that Microsoft are still investigating? Thanks.

  181. June Says:
    May 5th, 2012 at 2:53 pm

    When sending to a group of people – always use the BCC line – then as a return in the TO: set up a dummy account such as the one above. I go in it once a month and clean it out.
    Works great.

  182. Orologos Says:
    May 7th, 2012 at 1:36 pm

    My son’s Hotmail account was also hacked last week, and used to send a link to a fake Windows Live homepage. He had quite a strong password. Like Barry, the password was not reset. I have no idea how it was done.

  183. Joe Says:
    May 17th, 2012 at 8:26 pm

    Again anecdotally, I receive perhaps a dozen a year ‘hacked’ mass emails from friends’ hotmail accounts, and I have never received a single one from gmail, or any other email provider.

  184. Carpentry in London Says:
    May 19th, 2012 at 12:27 pm

    Hotmail is used for MSN. That`s all. :)

  185. Fergus Says:
    May 23rd, 2012 at 8:08 am

    Slightly embarrassing for the editor of PC Pro to have an insecure password! I’m genuinely surprised that anyone that is at all techy doesn’t use some kind of password management software.

    I use and highly recommend Passpack. I have over 550 unique logins stored in it (I run an online business so probably more than most).

    It is genuinely scary that if someone who should know about online security doesn’t practice good techniques then what does everyone else do!

  186. Hwsuite Says:
    June 2nd, 2012 at 10:52 am

    My Hotmail a/c was hacked a few days ago; how is it resolved?

  187. Julie Says:
    June 17th, 2012 at 9:11 pm

    Husband’s Hotmail hijacked last night and spam sent to all contacts. Hotmail blocked the address and notified him to reset the password with a code texted to his mobile phone. All worked well. HOWEVER, and very strange, one of his contacts and workmates was also hacked at the same time.

  188. Bryan Says:
    June 18th, 2012 at 6:14 am

    Same here. My wife’s and daughter’s hotmail accounts both hijacked and sending out similar spam within hours of each other, then my father-in-law’s (on both their contact lists) a few more hours later. Wife and daughter haven’t used hotmail in weeks. Is this an attack on hotmail?

  189. John H Says:
    July 17th, 2012 at 4:12 pm

    I don’t doubt the importance of password security, but is this always a case of hacking? Couldn’t it be SPOOFING instead? It’s my understanding that, because of the inherent insecurity of the email system, the same thing can happen if ANYONE with your email address in their address book has a virus or trojan on their PC. As PC professionals know, the return address for a message can be set to anything the emailer chooses, and it’s not difficult to forge the sender address. Unless I’m wrong, this effectively means that anyone can send out bulk emails using anyone else’s address, unless their ISP has strict measures in place to prevent this. Please correct me if I’m wrong.

  190. David West Says:
    July 26th, 2012 at 11:51 pm

    I just had an experience that I must write about, and my google search sent me here.
    I downloaded Windows Messenger yesterday. I do have a Hotmail account, but have removed all contacts.
    My ‘New’ Messenger started up with about three contacts – sorry, can’t check back – I have deleted it using IOBIT Uninstaller, which worked wonders for my registry.

    It seems that two of the contacts were ‘girls with webcams’, and I decided to chat with one of them, and to try to help her. Whilst doing so ‘girl-with-webcam-2’ contacted me, and when I replied, the reply was addressed from ‘girl-with-webcam-1’. It was NOT addressed from me, as I would expect. Maybe I poked a wrong button, but I hadn’t done any button-poking that I recall.

    This is horrendous. Some poor person could be completely, unnecessarily and permanently embarrassed by having comments put in their mouth.

    I hope you can understand the implications, and can somehow let the Messenger users know.
    If you mail me, I can perhaps be of more help.
    I hope you get to read this

    Kind regards


  191. Obi Two Says:
    October 3rd, 2012 at 2:39 pm

    Any final analysis?

  192. Megan Says:
    March 11th, 2013 at 1:44 am

    You’re all ignoring the obvious: gmail hacked it.

    They know everything about you from their own social-engineering.

  193. Sienna Says:
    September 12th, 2013 at 2:28 pm

    In the same segment, Megan Kelly reported that the government has the potential to use your iPhone to spy on you whether it is turned on or off. The manufacturer is based in Germany and makes each product by hand, which does mean you will have around a 20 day wait, but on the upside it does mean that this is one of the true designer iPhone cases you can buy, with each case being truly unique. Because so many women are anxious to find out if their husband is cheating or not they don’t find the proper tools to use.
