The admission highlights a widespread Internet security problem known as "data spill." Security experts said similar problems have plagued Internet companies that make personal information available in URLs, or Web addresses.
In Hotmail, the problem crops up when people who subscribe to HTML newsletters open messages that come packaged with banner ads.
"If you have a Hotmail account and you subscribe to an HTML newsletter that serves ad banners, simply by reading the message, the leak occurs," said Richard M. Smith, a privacy and security expert who brought the design flaw to Microsoft's attention in mid-June.
"The source of the problem is that Hotmail includes your email address in the (Web address), and if you read an email that has banner ads" the Web address will be sent to the third-party company delivering the banner, he said.
Microsoft said the problem is core to the technology and the way URLs are constructed. "The company is working on something that will eliminate this error in August," said Melissa Covelli, a Microsoft spokeswoman. "It requires a complete redesign to the technology of Hotmail.
"There's no evidence that any company has noticed this information, and we know that no consumer email addresses have been abused," added Covelli, who said the company discovered the flaw a couple of weeks before Smith's discovery. Hotmail has 67 million subscribers.
Data spills can occur when an HTML page contains an image, such as a GIF banner, that is served by a third-party company, such as an ad network. When the browser fetches the image, it sends the Web address of the page it is displaying, including any personal data embedded in that address, to the third-party server as the referrer, so that the ad network knows where it is delivering the image.
These kinds of data spills abound on the Web.
"This isn't just local to Hotmail; we've seen hundreds of instances of data spills over the course of this year," said Debra Pierce, staff attorney at the Electronic Frontier Foundation, which has been studying the occurrence for more than a year.
Sony, for example, had a software flaw last year that allowed advertisers to view email addresses of Sony subscribers on their Infobeat newsletters. Butterball's electronic newsletter also inadvertently divulged private information about its subscribers last year.
Pierce listed AT&T, Yahoo, BellSouth and America Online as other companies that have mistakenly leaked information about their online customers.
"In many of these cases people are thinking their private information is private, and it's not. People aren't always aware that this is happening," Pierce said.
Since its launch, Hotmail has been haunted by problems with its free email service. Last month, after a five-day outage, the site deleted some of its subscribers' address books, personal folders and archived emails.
Smith, who estimates that the problem has existed on Hotmail for the past six months, said that more than a million Hotmail email addresses may have been given away. While he estimates that nearly 20 ad networks are receiving the usernames, Smith said that most of the big ad agencies, including Engage and Avenue A, are throwing away this information.
DoubleClick, the Web's top ad network, said it doesn't record such information.
"DoubleClick's ad servers automatically truncate any personal information that may be inadvertently sent in a referrer URL," said Jules Polonetsky, chief privacy officer at DoubleClick. Polonetsky said the ad network learned about the data spills several months ago.
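As an added illustration, not taken from the article or from any company it names, here is a small Python audit that an ad network could run over its own server logs: it flags referrer URLs that carry an e-mail address (the leak described above) and scrubs them before they are logged, the kind of truncation Polonetsky describes. The log format, hostnames and addresses are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Rough e-mail pattern; good enough to flag addresses that land in a Referer URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of ad-server access-log lines (hypothetical format:
# client IP, quoted request line, quoted Referer). Hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.1 "GET /ad/banner.gif HTTP/1.0" "http://webmail.example.com/getmsg?login=alice@example.com&msg=12"
10.0.0.2 "GET /ad/banner.gif HTTP/1.0" "http://news.example.net/issue/42"
10.0.0.3 "GET /ad/banner.gif HTTP/1.0" "http://webmail.example.com/read?user=bob%40example.org"
10.0.0.4 "GET /ad/banner.gif HTTP/1.0" "http://webmail.example.com/u/carol@example.org/inbox"
"""
LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def leaked_emails(referer: str) -> list[str]:
    """Return every e-mail address visible in a Referer URL (after %-decoding)."""
    return EMAIL_RE.findall(unquote(referer))


def scrub_referer(referer: str) -> str:
    """Strip addresses before the URL is logged: drop any query parameter whose
    value carries an e-mail; if one is embedded in the path, truncate to the origin."""
    parts = urlsplit(referer)
    clean_query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if not EMAIL_RE.search(v)]
    if EMAIL_RE.search(unquote(parts.path)):
        return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(clean_query), ""))


def audit_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Scan log lines; report (client, scrubbed referer, leaked addresses) per spill."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _request, referer = m.groups()
        emails = leaked_emails(referer)
        if emails:
            findings.append((client, scrub_referer(referer), emails))
    return findings


if __name__ == "__main__":
    for client, clean, emails in audit_log(SAMPLE_LOG):
        print(f"{client}: leaked {emails}; would log as {clean}")
```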
Smith also said that a small number of email addresses may be leaked to advertisers from the Hotmail site itself.