A few weeks ago, I remarked that my Hotmail username and password had been compromised. I had some theories about how it happened but couldn’t quite put my finger on it.
Well, it happened again and once again, I am not sure how it happened.
I was looking into my Hotmail account and once again I got a bunch of NDRs sent back to me. The date of the original message within these NDRs was Oct 27, 2010, 10:58 pm. I scanned my memory banks and I thought to myself “Where was I on October 27 at 10:58 pm?”
As it just so happens, I happen to have a personal blog over at Wordpress. Sure enough, on Oct 27, I published a blog post in the evening around that time. But here’s the thing – I was using a public Internet wifi connection and I wrote the blog post using my iPad (which I won at Virus Bulletin by posting the highest score in a video game). Not only that, I was using a Wordpress app for the iPad. So my original theory was that the Wordpress app was sending my username and password to Wordpress in clear text over a wifi connection. Some piece of malware intercepted it in midstream and sent it back to the spammer.
But that can’t be.
The reason is that I recently transferred over my Windows Live Spaces blog to Wordpress in early October. I used to use my Live Spaces account (Hotmail account) to transmit my user information from Windows Live Writer (clearly not a great idea) to Live Spaces, presumably in clear text (erk). So, when I switched over to Wordpress and used my iPad to write a blog post using the Wordpress app (which I don’t particularly like for other reasons), it makes natural sense that the insecurity of the apps is what caused my password and username to be leaked.
Except that this isn’t possible.
The reason is that when I switched over to Wordpress, I used a different password than in my Hotmail account. Even if my Wordpress information was leaked, it would not work to login to my Hotmail account. Not only that, but I changed my Hotmail account’s password a couple of weeks ago. Thus, somehow, my Hotmail information was leaked around Oct 27, 2010 even though I have not used any application to login to it – neither through the web nor through any blogging software. Quite frankly, I am a little puzzled. Of course, my operating assumption is that the password and username was leaked on or very near to Oct 27. I am very certain I have not logged into my Hotmail account in any form or shape since several days before and after that, until today when I reset my password.
Here’s where things start to get interesting. Long time readers of this blog have heard the tales of my misadventures in China and Peru where a spammer has twice tried to kill me. Over the past few weeks, myself and my girlfriend have been looking at taking a trip to southeast Asia some time next year, probably hitting up Thailand, Malaysia, Singapore or a few other countries. In some of the bounce messages of this recent Hotmail break-in attempt, the attached original spam is present and within it is the originating IP of the computer used to connect to it. The IP address is 184.108.40.206, reverse DNS = 220.127.116.11.adsl.dynamic.totbb.net. The country of origin for that IP is… Thailand.
Well, well, well, Thailand… what a coincidence. One of the countries I am possibly planning on visiting and it just so happens to have a spammer accessing my Hotmail account from it. I think that this spammer is now stalking me; maybe I should start to hunt him down.
Check the hotmail account for a filter that re-directs mail to an address under the control of your attacker. Password change e-mails might be going to the filtered address.
Same happened to my account last night (Thanksgiving Saturday). I did not use public networks, nor did I log on to my Hotmail account this weekend. My password strength is Medium (according to Hotmail meter). 7 characters and letters, mix of upper and lower case. It should be really difficult to break. I suspect this is a breach at the Hotmail side.
I had the same thing happen last night AK and a strong password. I'm not sure how my password was put out there and I'm concerned for what else they might have!
Did your account get hacked because you have a "Security Question" which is contains information which is discoverable on the internet?
My wifes hotmail account was also hacked recently (for the 2nd time) and apart from the spam sent to all her contacts, her adress book was also deleted. We had set up a very strong 15 character password too. I have scanned all pc's for malware etc, but nothing detected.
As per David Kennedy's post, check the filters, as upon checking my wifes hotmail account settings, we found that all messages were being forwarded to a person whom we don't know at a msn.com address.