
'Hotmail user data was never in danger'... 'OK... well maybe just a bit...'
Published: 13 August 2001 12:40 GMT
Microsoft has admitted that Hotmail user data may have been compromised by the Code Red worm, despite earlier assurances that this could not have happened.
It was only last Wednesday that the software giant categorically stated no customer data had been placed in jeopardy after the worm infected two of its servers.
A Microsoft spokesman said at the time: "No customer data was compromised and there was no impact in performance or security."
However, silicon.com has discovered that Hotmail was actually attacked by a variant of Code Red - not the original version. This worked in a slightly different way from its predecessor, and would have opened up a backdoor to the Hotmail servers.
One silicon.com reader - Jonathon Rickman, from security research and incident response team X Corps Security - said even though he supplied Microsoft with evidence which showed Hotmail's compromised system was attacking his, the company ignored him.
The log data from his company's servers shows that the Hotmail system was vulnerable for over 11 hours on 6 August - and according to Rickman, Microsoft cannot offer a cast-iron guarantee that the data was not compromised during that time.
Rickman said: "Microsoft claimed to have discovered the problem on Wednesday afternoon. Bunk! I notified them Monday. Microsoft needs to either tell the whole story, or nothing at all."
However, a spokesman for Microsoft UK said he believes no data was compromised. Two of the 4,000 Hotmail servers were infected, he confirmed, and added that it is "reasonable to assume one of the [infected] machines may have contained user data".
For related news see:
Hotmail falls to Code Red
http://www.silicon.com/a46400
Code Red: Still rearing its ugly head
http://www.silicon.com/a46355
BT systems crash - Code Red attack suspected
http://www.silicon.com/a46325