The blog says that various users were affected as a result, for example because they used their Hotmail accounts to access services such as PayPal. Allegedly, the vulnerability was also exploited to change the ownership of particularly attractive, short account names such as firstname.lastname@example.org and email@example.com.
Benjamin Kunz Mejri, a security expert who discovered the hole at around the same time as the incidents described above, has released details about the vulnerability in an advisory. According to the expert, the hole lay in the “password reset” functionality – during one step, the Hotmail server apparently checked that a token was present but not whether its value was correct.
The advisory says that by injecting a token such as “+++)-” into certain requests, attackers were able to take control of any account. Kunz Mejri added that he notified Microsoft on 6 April, and that the company fixed the problem on 21 April.
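To make the class of defect concrete, the following is an added illustration written for this article, not code from the advisory, from Microsoft, or from the reporter. It models a minimal password-reset handler that only checks that *some* token was supplied next to a hardened handler that looks the token up per account, compares it in constant time, enforces expiry and consumes it on use. All account names, tokens and the in-memory store are constructed for the example.

```python
"""
Added illustration of a password-reset token check that tests for the
presence of a token but never its value, beside a hardened version.
Not code from the article, the advisory or the affected service; every
name and sample value here is constructed.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: account -> (token, expiry timestamp).
# A production service would store only a hash of the token.
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Generate a random, single-use, time-limited reset token for `account`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[account] = (token, now + TOKEN_TTL_SECONDS)
    return token


def reset_password_vulnerable(account: str, token: str, new_password: str,
                              passwords: Dict[str, str]) -> bool:
    """Flawed handler: verifies only that a token was supplied.

    Any non-empty string passes, so the token provides no authorisation
    at all. This mirrors the 'presence checked, value not' defect.
    """
    if not token:  # existence check only; the value is never compared
        return False
    passwords[account] = new_password
    return True


def reset_password_hardened(account: str, token: str, new_password: str,
                            passwords: Dict[str, str],
                            now: Optional[float] = None) -> bool:
    """Hardened handler: token must match the one issued for this account,
    must not be expired, and is consumed so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = _reset_tokens.get(account)
    if entry is None:
        return False
    expected, expires_at = entry
    # Constant-time comparison on bytes avoids timing leaks and accepts
    # arbitrary submitted strings without raising.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    if now > expires_at:
        _reset_tokens.pop(account, None)
        return False
    # Single use: remove the token before the password is changed.
    _reset_tokens.pop(account, None)
    passwords[account] = new_password
    return True


def demo() -> Dict[str, object]:
    """Exercise both handlers on a constructed account; return the outcomes."""
    account = "alice@example.invalid"  # constructed sample account
    passwords = {account: "old-secret"}
    bogus = "not-a-real-token"         # constructed junk token

    vulnerable_accepts_bogus = reset_password_vulnerable(
        account, bogus, "attacker-chosen", dict(passwords))

    t0 = 1_000_000.0
    real = issue_reset_token(account, now=t0)
    hardened_rejects_bogus = not reset_password_hardened(
        account, bogus, "x", dict(passwords), now=t0)
    hardened_accepts_real = reset_password_hardened(
        account, real, "new-secret", passwords, now=t0 + 10)
    hardened_rejects_replay = not reset_password_hardened(
        account, real, "again", passwords, now=t0 + 20)

    stale = issue_reset_token(account, now=t0)
    hardened_rejects_expired = not reset_password_hardened(
        account, stale, "late", passwords, now=t0 + TOKEN_TTL_SECONDS + 1)

    return {
        "vulnerable_accepts_bogus": vulnerable_accepts_bogus,
        "hardened_rejects_bogus": hardened_rejects_bogus,
        "hardened_accepts_real": hardened_accepts_real,
        "hardened_rejects_replay": hardened_rejects_replay,
        "hardened_rejects_expired": hardened_rejects_expired,
        "final_password": passwords[account],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version binds the token to the account it was issued for, so a token cannot be used to reset a different account, and consuming it on first use means a token that leaks after the reset is worthless; both properties are what a reviewer would look for when auditing reset flows.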