Hey! My friend’s account was hacked!

At Hotmail, we know that account hijacking is a big problem, and we continue to work hard to prevent it. We’ve noticed a couple of things about hijacked accounts. First, many accounts have weak passwords that make them easy targets for hijackers. Second, when someone’s account gets hijacked, their friends often find out before they do, because the hijacker uses their account to send spam or phishing email to all their contacts.

These two observations led us to develop a couple of new features that help protect your accounts. The first lets you report a friend’s account as compromised – a feature unique to Hotmail – and the second prevents you from using common passwords that make your account easy to hack.

Getting spammed by a friend

Maybe you’ve had this happen to you: You sign in to Hotmail, and you see you’ve got new mail from one of your friends. You open the message only to discover that it’s spam! Maybe it’s obvious spam – like an ad for a product. Or maybe it’s a more involved story – like a plea for money, with an explanation that your friend is stuck in a foreign country and needs cash, when you know for sure that your friend is safe and sound at home.

Whatever the case, one thing is for sure: this email isn’t really from your friend at all. Instead, it’s from a spammer who has hijacked your friend’s account. When this happens, you probably call or text your friend or contact them on an alternate email address to let them know that their email account has been compromised. But you wish you could do more.

Now you can. Hotmail lets you report your friend’s account as compromised. It’s easy: When you get that spam message supposedly from your friend, you just click “My friend’s been hacked!” on the “Mark as” menu:

My friend's been hacked! on the Mark as menu

You can also report an account as compromised when you mark a message as junk or otherwise move a message to the Junk folder:

Moving messages to the Junk folder

What happens under the hood

Our compromise detection system is always working in the background to detect unusual behavior. When we detect bad behavior from an account (like an account that suddenly starts sending spam), we mark that account as compromised. It’s a bit like your credit card company putting a hold on your account when they detect suspicious activity.

When you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked. It turns out that the report that comes from you can be one of the strongest “signals” to the detection engine, since you may be the first to notice the compromise. So, when you help out this way, it makes a big difference!

Once we mark the account as compromised, two things happen:

  • First and foremost, the account can no longer be used by the spammer.
  • When your friend attempts to access their account, they’re put through an account recovery flow that helps them take back control of the account.
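The two paragraphs above describe a report from a friend being combined with the detection engine's own behavioral signals before an account is marked as compromised, after which the account can no longer send mail and its owner is routed into recovery. The following is an added example, not Hotmail's code: a small detector in which a strong outbound burst alone, or an elevated sending volume together with several distinct friend reports, marks an account, while friend reports on their own only put the account on a watch list. The class name, the thresholds and the sample accounts are all constructed for illustration.

```python
"""Added example (not Hotmail's code): combining friend reports with a
behavioral signal before an account is marked as compromised.
Thresholds, method names and the sample accounts are constructed."""
from collections import defaultdict


class CompromiseDetector:
    """Hypothetical detector. An account is flagged when its own behaviour
    is clearly bad (a large outbound burst), or when a smaller but elevated
    volume coincides with reports from several distinct friends."""

    def __init__(self, burst_threshold=500, elevated_threshold=50, min_reporters=3):
        self.burst_threshold = burst_threshold        # msgs/hour that flags on its own
        self.elevated_threshold = elevated_threshold  # msgs/hour that flags only with reports
        self.min_reporters = min_reporters            # distinct reporters needed
        self.sent_last_hour = defaultdict(int)        # account -> outbound count
        self.reports = defaultdict(set)               # account -> set of reporter names
        self.flagged = set()

    def record_send(self, account, count=1):
        """Count outbound mail; a flagged account can no longer send."""
        if account in self.flagged:
            return False
        self.sent_last_hour[account] += count
        return True

    def report_hacked(self, reporter, account):
        """One reporter counts once per account, so repeated clicks don't pile up."""
        if reporter != account:
            self.reports[account].add(reporter)

    def report_count(self, account):
        return len(self.reports[account])

    def evaluate(self, account):
        sent = self.sent_last_hour[account]
        reported = self.report_count(account) >= self.min_reporters
        if sent >= self.burst_threshold or (reported and sent >= self.elevated_threshold):
            self.flagged.add(account)
            return "compromised"
        if reported:
            # Friends say "hacked" but the behaviour is normal: watch, don't lock.
            return "reported_only"
        return "clear"

    def can_send(self, account):
        return account not in self.flagged

    def owner_sign_in(self, account):
        """A flagged account's owner is sent through recovery instead of the inbox."""
        return "recovery_flow" if account in self.flagged else "inbox"


def run_scenario():
    """Constructed scenario: one hijacked account, one pranked account,
    one account with a single report, and one with a burst but no reports."""
    d = CompromiseDetector()
    d.record_send("alice", 120)                     # elevated, not a full burst
    for friend in ("bob", "carol", "dave"):
        d.report_hacked(friend, "alice")            # three distinct friends
    d.record_send("erin", 4)                        # normal volume
    for i in range(20):
        d.report_hacked(f"prankster{i}", "erin")    # mass prank report
    for _ in range(5):
        d.report_hacked("bob", "frank")             # same reporter, five clicks
    d.record_send("gus", 800)                       # burst, nobody has reported yet
    results = {name: d.evaluate(name) for name in ("alice", "erin", "frank", "gus")}
    results["frank_reports"] = d.report_count("frank")
    results["alice_can_send"] = d.can_send("alice")
    results["alice_sign_in"] = d.owner_sign_in("alice")
    results["erin_sign_in"] = d.owner_sign_in("erin")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the two-threshold design is the one the post makes: a friend's report is a strong signal, but it is combined with what the account itself is doing rather than acting as a lock on its own, which is what keeps a group of pranksters from locking out a healthy account.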

Making it work with all accounts

We released this feature a few weeks ago. Initially, it only let you report Hotmail accounts that were compromised. But it worked really well – we got thousands of reports of compromised accounts.

Of course, we didn’t want to stop there; we wanted to go a step farther and make it work for any email account. After all, even if you’re a Hotmail user, you probably get email from friends using other email providers, and those accounts can get compromised, too.

We did the work to enable other email providers like Yahoo! and Gmail to receive these compromise reports from Hotmail, including those submitted by you, and those providers will now be able to use the reports in their own systems to recover hacked accounts.

So now, in Hotmail, you can report any email account as compromised, and Hotmail will provide the compromise information to both Yahoo! and Gmail.

How well is it working?

We’ve had this feature turned on for only a few weeks, and we’ve already identified thousands of customers who have had their accounts hacked and helped those customers reclaim their accounts. And we’ve found it to be very effective and fast. Accounts that you report as compromised are typically returned to the rightful owner within a day.

An ounce of prevention is worth a pound of cure

Of course, we don’t want to just detect when accounts are compromised; we want to prevent them from being compromised in the first place. That’s why we continue to innovate and build more features to help protect your account.

We’re making another addition to the long list of account security and protection features that we’ve released over the last year. We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force “dictionary” attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). Of course, Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes “brute force!”

Common passwords are not just “password” or “123456” (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like "ilovecats" or "gogiants."

This new feature will be rolling out soon, and will prevent you from choosing a very common password when you sign up for an account or when you change your password. If you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password.
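The three paragraphs above describe a blocklist of common passwords enforced at sign-up and at password change, with existing users possibly asked to change later. The following is an added example, not Hotmail's code, of how such a check can work: the blocklist is matched after case folding and Unicode normalization, the check runs wherever the plaintext is available (sign-up, password change, and a successful sign-in), and an account that predates the rule is flagged for a change on its next sign-in. The blocklist entries, the PBKDF2 hashing scheme, and the in-memory account store are constructed assumptions.

```python
"""Added example (not Hotmail's code): rejecting common passwords at sign-up
and password change, and flagging pre-existing accounts at sign-in.
The blocklist, the hashing scheme and the account store are constructed."""
import hashlib
import hmac
import os
import unicodedata

# Constructed sample; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"password", "123456", "ilovecats", "gogiants", "qwerty", "letmein"}


def normalize(password):
    """Fold case and Unicode form so 'ILoveCats' or ' PASSWORD ' still match."""
    return unicodedata.normalize("NFKC", password).strip().casefold()


def is_common(password, blocklist=COMMON_PASSWORDS):
    return normalize(password) in blocklist


def validate_new_password(password):
    """Run at sign-up and password change, while the plaintext is in hand."""
    if is_common(password):
        raise ValueError("that password is too common; please choose another")


def rejects(password):
    """True when validate_new_password would refuse this password."""
    try:
        validate_new_password(password)
    except ValueError:
        return True
    return False


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme); only salt and digest are kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class AccountStore:
    """Constructed in-memory store. Because only hashes are stored, a password
    chosen before the rule existed can only be checked once the user types it."""

    def __init__(self):
        self.accounts = {}  # username -> {"salt", "digest", "must_change"}

    def _store(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest, "must_change": False}

    def create(self, username, password):
        validate_new_password(password)
        self._store(username, password)

    def create_legacy(self, username, password):
        """Constructed helper: an account that predates the blocklist rule."""
        self._store(username, password)

    def change_password(self, username, new_password):
        validate_new_password(new_password)
        self._store(username, new_password)

    def sign_in(self, username, password):
        rec = self.accounts.get(username)
        if rec is None:
            return "unknown"
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return "denied"
        # Only after a successful sign-in is the plaintext available again,
        # so this is where an old common password can be caught and flagged.
        if is_common(password):
            rec["must_change"] = True
        return "ok_must_change" if rec["must_change"] else "ok"

    def must_change(self, username):
        return self.accounts[username]["must_change"]


if __name__ == "__main__":
    store = AccountStore()
    store.create_legacy("olduser", "ILoveCats")
    print(store.sign_in("olduser", "ILoveCats"))   # flagged: ok_must_change
    print(rejects("123456"), rejects("a long phrase nobody else uses"))
```

Two details matter in practice: normalization before lookup, so that a capitalized or padded variant of a blocked word is still blocked, and a constant-time comparison of the stored digest, so that the sign-in path used to catch old passwords does not itself leak timing information.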

Of course, having a strong password is just one step to protecting your account. You should also provide “proofs,” including an alternate email address, a question and secret answer, and even a mobile number where we can reach you via text message. You can learn more about how to set up account proofs, or go ahead and set up your account proofs now.

Join the fight

When it comes to account security, the Hotmail team is dedicated to doing all we can to help protect your Hotmail account from thieves and spammers. We’ll continue to work to protect your account with new and innovative features, and now you can join us in the fight and help protect your own account and your friends’ accounts, too.

Dick Craddock
Group Program Manager, Hotmail

51 Comments
  • @Vonda – changing your password is a good start. You should also check your account out to make sure the hacker didn’t change any account information. Just visit http://account.live.com, sign in, and look at each option, including alternate email addresses, trusted PCs, mobile phone #. If you haven’t already provided a mobile phone #, we strongly recommend that you do. There is more good information here: windowsteamblog.com/.../hotmail-security-updates-protect-you-from-account-hijackers.aspx

  • Vonda
    1 Posts

    How do I tell Hotmail that my account was hacked? I cannot figure out anywhere. I have changed the password, but is there anything else I need to do? My concern is that my contacts are still at risk. Should I turn off the account to ensure that the hackers do not return? Thanks

  • Marah
    3 Posts

    Thanks For The Information ... really good feature

  • @hed95 - that sort of "normal" travel shouldn't cause any problems. I would caution you to be careful about using Internet cafes or any computer that is not yours since there is some risk that those computers may have malware.

  • hed95
    1 Posts

    I live in England but I'm on holiday in Japan and have logged into my Hotmail here. When I get back to England and log on, will it alert me that my Hotmail was used in Japan or go through some sort of security check, or should it be fine?

  • @jbeekmans – thanks for the suggestion of a Sidebar gadget for toast notifications. It’s a neat idea. It’s not in our plans right now, but it’s something we’ll think about.

  • @Dick Craddock -

    Thanks for your reply regarding push mail for outlook.

    Regarding toast notifications: instead of using Live messenger (or in due course outlook when push mail is enabled), would it be possible for your team to develop an official gadget (for the sidebar)?

  • I have been locked out from my very old account since four months, and have been writing to robots who spent their time replying that they could not identify me, the only solution being to forget this email and all the data on the Skydrive, for example. They had copies of "Microsoft" mails to me, up to my credit card details, you just name it; they could get copies of some of what was on the Skydrive but they refused, all to no avail. Robots.

    Fact is that I suspect even that my account was not hacked, just a large number of non delivery returns from a mailing, using Live to channel my NPO domain name emails on my account ..... So what ?

    I opened a new hotmail account, waiting to recover the other one. Surprise, the first 2 e-mails came from Microsoft:

    From: Microsoft (cnfrmpro@microsoft.com)

    and

    From: Microsoft (cnfrmpro@microsoft.com)

    validating my subscription to Visual Studio, and YES, both are classified as "This message looks very suspicious to our SmartScreen filters, so we've blocked attachments, pictures, and links for your safety.". GREAT.

    And the third one, from "Welcome to The Windows Blog‏" (hello guys), originator

    From: The Windows Blog - Automated Email (wvblog@microsoft.com)

    is considered as spam under the heading "Microsoft SmartScreen has blocked this message for your safety and we'll delete it after ten days.". WOWW

    Robots. If Microsoft detects their own messages as being spam, I start understanding that my account has so called been "hacked" (I never had any special quantity of spam on my old account, reason why I conclude this, nobody of my family (I only kept close relatives in my contacts) has ever indicated that my old account was spamming ...

    After four months of battle I thought I was getting nuts, too small against Microsoft. I'm happy to see that Microsoft started its battle against itself. Who will win, intelligence or stupidity? The bets are on!

    But someday I want to recover my Skydrive; otherwise guys, avoid that place by any means, robots are luring you to lock you out.

    Have a great day

  • useful post.

    thanks

    www.recharge.ir

  • RaNdAlL
    1 Posts

    Hey! My account was hacked/hijacked! What about the person whose account got hacked/hijacked? What are they supposed to do if they want to keep their address? It's almost impossible to prove the account is yours; I've tried. I gave all the info I had and it still wasn't enough. I'd still like to have my account back somehow!!! PS. I didn't ask to be hacked/hijacked; almost any password can be hacked if the hacker is good enough!!!!

  • @Dick Craddock:

    Thanks very much for the updates. Now everything works fine at my end. I really appreciate your efforts for prompt actions and every other things. Thanks again.

  • @langware (and others) – We’ve made a fix for the issues on non-IE browsers (missing right-click menu, etc.) and we’re rolling it out. In order to roll it out as quickly as possible, we’re doing an update to just the static content rather than a full release. The way the static content update works, some machines get the bits faster than others. So, it is actually possible that you’ll see it fixed, then broken, then fixed, if you just happen to hit the right machines in the right sequence. It should all be cleared up in short order. Apologies for the inconvenience, but this was the fastest way to get the fix out.

  • langware
    154 Posts

    I just checked again and now everything is fine (the expected "right-click" context menu appears). Sorry for the above post ... but for about 5 minutes, the "right-click" context menus did not work. I signed out, and back in ... I shut down and restarted my browser, and then signed back in ... and still the right-click menus did not work.

    I read one post where someone said it takes awhile for the feature to "load". I'm on a cable connection with 20 Mb/s download speeds ...so I've not seen any delays for Hotmail features to load.

    Any ideas on what could have caused the right-click context menus to stop working on server COL101 for 5 minutes?

  • langware
    154 Posts

    @Dick Craddock,

    Just checked my email (server: COL101) and the "right-click" problem is back!!!!

    Is it possible that (on at least server COL101) this problem has again "regressed"?

    What's going on??

  • langware
    154 Posts

    @Dick Craddock,

    Regarding the right-click "regression" problem ... many customers (including me) are reporting on the Windows Live Solution Center (WLSC) that the server hosting their account has been fixed. Thanks for the quick response!

    Unfortunately, as recently as two hours ago, WLSC moderators have responded with this generic reply (to customers reporting the "right-click" problem):

    "I suggest to optimize your browsers to rule out any browser issue ..."

    Clearly, optimizing one's browser will not fix the "right-click" problem.

    Is there nothing that can be done to improve the quality of responses that customers receive from the WLSC? The moderator who used the above-mentioned generic response was clearly unaware that a fix was being rolled out to correct the problem.

  • @Regunathan Umapathy - thanks for the feature suggestions. Of course, I can't comment on future releases, but I can say that we're working on some cool stuff, so please stay tuned!

  • @sumitmehta - thanks for the report. We're aware of these issues, and we're looking at them in hopes of getting fixes out soon.

  • @jbeekmans - you can get toast notifications in WLM through Messenger. I agree push mail for Outlook would be great, so we'll think about how to do that one.

  • @Dick Craddock:

    After the fast development of Hotmail this year, there is only one thing i'm looking for: push mail when using Outlook (connector) or WLM. It would be really nice if one receives a notification when there is a new message instantaneously. Even better would be the situation that the message is immediately pushed to Outlook.

    Thanks in advance.

  • @Dick Craddock:

    I have also noticed following issues while accessing hotmail from Chrome and Firefox 5 in Win Xp:

    1. Right click context menu is not loading

    2. Drag and drop e-mail feature is not working

    3. Hotmail Active view feature is not loading.

  • langware
    154 Posts

    @Dick Craddock:

    THANK YOU for the quick response .... I really appreciate it!!!!!

  • @langware - regarding the right-click functionality: Yep, that's a regression, and we have reproduced it as well. Although we don't comment on future releases, I do expect we'll get this fixed. Thanks.

  • langware
    154 Posts

    @Dick Craddock:

    Right-clicking an entry in one's Hotmail inbox no longer produces a context menu. This happens for all major browsers except IE.

    I've reported this problem on the Windows Live Solution Center (WLSC) over a week ago (others have also reported it), but other than acknowledging that this problem has been reproduced, the WLSC's moderators have not reported any progress, status, or feedback on when/if the problem will be fixed.

    I'm sorry for the off topic post here, but it appears that reporting this problem on the WLCS has not done much good. Perhaps you can forward this information to the proper team. It would be nice to get some acknowledgement that they are aware of the problem and are working on a fix.

  • @Dick Craddock, I am glad to hear that you like the idea of IP monitoring. I would highly appreciate it if you could implement it not only in Hotmail/Live Mail but also in Microsoft Exchange. I would also appreciate it if you could incorporate tags in Hotmail, which is more useful as a single email can have multiple tags. Putting mail in a directory seems to be not that efficient based on my experience.

  • MNikkiB
    1 Posts

    Why was the "Customer Support" option removed from the password reset wizard?  That option saved a lot of time.

  • Awesome! Great job, Microsoft!

  • SNap
    1 Posts

    I have the exact same problem as atoast.  I created a Live ID account a long time ago and the security code is not working - says I attempted it too many times (although it was not me that attempted it - perhaps the person trying to hijack my account?) and the recovery email address is no longer valid due to being from an ISP that I am no longer with...  

    Opening a Live ID support case is useless - I don't think they even read the messages you type there, as they are simply telling me to "Create a new account". The problem (which they would know had they read the message I typed) is that this account is linked to my Xbox Live gamertag and I cannot link it to a different Live ID until I recover the password for this old account!

    So basically they are trying to tell me to create a new Xbox Live gamertag - RIDICULOUS - is there no one at Microsoft that can help with this??? Heck, I'd even be happy if someone could link my gamertag to a different account for me and I will forget about this old account (that's all I want to do in the end anyway!).

  • controlz
    145 Posts

    This isn't related, but what the heck has happened to Linked IDs? The service is down, and has been for a while. It's been removed from the Account page, as well!

    Please bring this feature back... and soon.

  • gerstke
    1 Posts

    I have just recently been hacked, and I have been trying to change my password like I should, but my Hotmail will not allow me to do this. Once I click on the "change password" link it takes me back to my homepage of Hotmail. I don't know what to do about this and I really don't like my account being bugged.

  • atoast
    1 Posts

    Several months ago my 13 year old Hotmail account was locked down. I had been noticing that I had received more than the usual amount of "delivery failed" emails in my inbox. I just attributed this to email spoofing, as some of my contacts' address books had been compromised (which is where they had gotten my email).

    I tried to recover my account by filling out the required form. If you haven't seen the form it looks like this:  

    - http://i.imgur.com/gsXN0.png

    I use my hotmail account for IM'ing and not emailing. This made it hard to fill out the fields regarding email: Recent subjects, custom folders (don't have any as far as I remember). I was able to add some contacts to the form.

    Secondly I couldn't remember my secret question. I created this account 10+ years ago and never had the need to recover or change my password. With the fields filled out I tried to submit the form.

    Several days later I received a rejection of the request to recover my account. I then tried to resubmit, asking if there were some other ways to claim my identity, e.g. calling a representative. The only answer I got was this:

    "**Please do not reply to this email. Replies will be delivered to an email inbox that is not monitored.**

    Your Windows Live ID support case has been updated with the following response:

    We have concluded our review of the information you provided. Our agents were unable to validate that you are the account owner. The information provided has been reviewed and our agents could not match this information to the account information currently stored for the account.

    Our final recommendation is to create a new Windows Live ID account.

    Windows Live ID Support"

    This is not acceptable. I don't know what has happened to all my contacts, all my old email, etc.

    I know the recovery process works for the majority of users, but you should still be able to handle edge cases like mine.

  • Sheza
    13 Posts

    This is fantastic - but how can I use this feature on the desktop client? I prefer the Windows Live Mail desktop client but the feature is not there?

  • Randa
    9 Posts

    Finally! Now I can help them know their accounts have been hijacked, because sometimes they don't believe you >_<"

  • @everyone - thanks for the positive feedback, and the other good suggestions around IP monitoring, TFA, etc. We are definitely working on more features to keep your account secure. In the meantime, use strong passwords and add your mobile number as a proof to your account if you can. Thanks.

  • @prelud, @langware & others: Good question about “pranking.” We’ve done the work to prevent the system from being ‘gamed’ by people acting maliciously, and, of course, we monitor the ‘false positives’ (i.e., good accounts being falsely reported as hacked). We have the ability to correct false positives and also to tune the system to prevent them in the first place. Remember: it's not enough to be reported as "hacked"; the detection engine also must detect behavior that would be consistent with a compromised account. This is something we monitor closely.

  • PWK
    7 Posts

    @DannyBoy "How come Hotmail truncates passwords to 16 characters?" Are you for real?

    If you use a completely random 16-character password, for example with 5 upper case letters, 5 lower case letters, 4 numbers, and 2 special characters, there would be 1,445,551,059,490,570,000,000 or 1 sextillion combinations. The estimated gross number of hours to crack: 42,071,072,951.97 hours or 1,752,961,373.00 days. Number of keys a desktop computer can try efficiently in an hour (=2*2^33): 17 billion tries in an hour using very high performance computers.

    So what's the need for more than 16 characters?

  • DannyBoy
    16 Posts

    How come Hotmail truncates passwords to 16 characters? And not tell the user about it? Even if 16 chars gives robust protection, the user should be given the ability to use a longer password.

  • Nice Feature... Thanks..

  • I think that many people are completely unaware of Hotmail's new features, like this one. You should promote changes and new features somehow in Hotmail's Home page or through some newsletters that get to every user :-).

    Congrats and keep up the excellent job!

  • Thanks for introducing the feature. I recently had a situation with a colleague who is in Sri Lanka now: his Yahoo! mail was hacked and I received a mail saying that he was stuck in Spain, from an IP address belonging to London, UK (by reading the header of the mail). I don't think everyone will check the header of the Yahoo! mail, but certainly Hotmail can be programmed to check this information. Facebook has a security feature to alert you if there is any login attempt from a device other than the ones I authorize. Gmail offers a feature to view the last couple of logons with the IP address. It would be nice if Hotmail could also display the IP address of the logon with the possible countries. Certainly one person in Sri Lanka cannot be in Spain within 4 hours. There is always a time lag to keep an eye on the logon attempts. Further, it would be nice, unlike Yahoo!, to provide some ways to recover a hacked email, as I recently came across a case where the hacker also changed the secret question, and then the legitimate person didn't find a way to logon at all.

  • Knightsky
    17 Posts

    @ kylejwx

    "How about a feature like this: Require text message verification in order to change my password".

    The feature would be good except for users that don't have a cell phone, and yes, they are out there. There are locations where the signal is either weak or nonexistent. Paying for both cell and land-line would be cost prohibitive.

  • Knightsky
    17 Posts

    Thanks! I've been waiting for official documentation.

  • kylejwx
    1 Posts

    How about a feature like this: Require text message verification in order to change my password.

  • langware
    154 Posts

    @Dick Craddock:

    Nice work .... thanks.

    Hopefully, the algorithm developed to decide if an account has been hijacked takes into account possible malicious "friends" reports that a given account has been compromised (i.e., false positives). Would hate to see your new feature turned into a tool for harassing people.

    Any thoughts on other possible security feature such as two-factor authentication and the option for a customer to set their default IP address (such that any attempt to sign-on from a non-default IP triggers a request for additional proofs)?

  • 7flavor
    352 Posts

    With the past few updates (since 2010), Hotmail has now leapfrogged Gmail in terms of everything. Hope you don't take features away like you did with the Sign-in page.

  • adacosta
    91 Posts

    Thank goodness for this feature. I have been getting a lot of emails from known friends, inviting me to click some link to check something out, but because I know this is a lie, I just move them to the junk folder. It's good to know that the Hotmail Team is acknowledging this and doing something about this problem.

    I had told a friend whose email was being used for this type of activity; she told me she had abandoned the account years ago.

  • controlz
    145 Posts

    I've now got a strong password! :-)

  • Brien
    9 Posts

    If it's executed well/carefully, this is a great benefit. Thanks. And the link to Yahoo! is especially welcome since that's where some friends have had the worst problem.

  • sunco
    26 Posts

    This reminds me of the fact that Facebook blocks accounts without any check at all. I mean, if somebody reports my account (for fun) as hacked, what is next? My account is blocked just by that?

  • prelud
    9 Posts

    Say, 20 friends decide to play a prank on someone and report his account as hacked although it is not. Will you lock the poor person's account and run him through the unlock process?

  • sunco
    26 Posts

    @CodingBeaver if it is encrypted, let's say MD5, it is not so hard to do it... you just need to compare the hash with a dictionary of weak passwords. Example: http://www.md5decrypter.co.uk/

  • I wonder how you can tell if a current user is using a common password, and then ask them to change to a strong password? Isn't their password encrypted?