This one appears to be the first known instance in which users actually lost their Hotmail passwords.
"We're not aware of any [previous] passwords successfully stolen in this type of exploit," said Hotmail product manager Laura Norman.
The Trojan horse password-stealing scheme involved an emailed attachment containing a Web page link. A script running on the attacker's Web page then submitted a password-change request to the Hotmail server, locking the user out of the account and giving the attacker access to it.
Hotmail was not more specific about the mechanics of the script or about how the hole was patched. Norman did say Hotmail would step up its efforts to educate users about the safety of opening attachments.
"We are increasing our messaging to users about only opening attachments from trusted sources," she said.
The perpetrator's Web site was hosted by free home page provider Tripod, which is owned by Lycos. Norman said that Tripod was "very cooperative," but she declined to state whether the firms were taking action against the password thief.