Hotmail breach prompts Microsoft security audit

Microsoft reveals that it is turning to an outside auditor to test the security of its free email service, Hotmail, after a breach was discovered last week that threatened its users' privacy.

Microsoft revealed today that it is turning to an outside auditor to test the security of its free email service, Hotmail, after a breach was discovered last week that threatened its users' privacy.

Microsoft pulled Hotmail offline for about two hours August 30 after two European Web sites alerted the company that any Net user could access any Hotmail account without a password as long as a user's name, commonly found in a Hotmail email address, was known.

According to security experts, the potential damage varied from allowing unauthorized parties to see a user's list of messages to allowing them to take complete control of an account.

Although Microsoft said it fixed the security problem the same day, it has decided to go a step further by testing the integrity of Hotmail, which has more than 40 million active members.

"We have voluntarily invited a third-party firm to conduct its own inquiry and present us with their findings," Microsoft spokesman Tom Pilla told CNET News.com. Microsoft, in conjunction with Truste, had planned to disclose the news on Monday. Truste is a nonprofit group that acts as a privacy watchdog.

"It's an ongoing process and we're working with Truste on that," Pilla said. "We definitely take privacy very seriously here, and the incident last week was regrettable, but we moved swiftly to resolve any issues."

Microsoft wouldn't provide the name of the auditing firm, which will review Hotmail security but not the security of Microsoft's other Web sites that collect personal information from users.

The move by Microsoft was apparently prompted by complaints made to Truste, which is expected to publish the so-called watchdog reports publicly. Microsoft is a premier sponsor of Truste and carries the program's licensed seal, which informs Web users about precautions a site is taking to protect their privacy.

Privacy seal programs have been touted by the online industry and the Clinton administration as one way to safeguard Net users' anonymity without government regulation. But consumer advocates want stricter laws put in place for the digital age, as Net users are constantly forfeiting valuable personal information in exchange for goods and customized Web content.

The Truste seal usually applies to the use of personal information collected from surfers, but licensees also have to ensure that they will "help protect the security" of the information they store.

Although free Web-based email services are one of the Web's most popular tools, they have suffered from service problems in the past.

This is not Truste's first investigation into Microsoft privacy practices. In March, Truste looked into a feature in Microsoft's Windows 98 operating system that could be exploited to collect information about authors of electronic documents without their knowledge through a unique identification number.

But Truste concluded that Microsoft.com, which carries the seal, was in compliance with all Truste principles. The program did state, however, that "while the complaint itself does not pertain to the Web site, Truste believes that it is important to note that the transfer of hardware IDs to the Microsoft secure server without customer consent did, in Truste's opinion, compromise consumer trust and privacy."