Seattle, May 9 (Reuters): Microsoft Corp. said yesterday a security breach in its Passport online identity service had exposed personal information, e-mail accounts and registered credit card information for an undisclosed number of users.
The world’s largest software maker said it had already fixed the flaw, which potentially affected all 200 million of its active Passport accounts.
The disclosure of the security loophole and the breach comes as Microsoft pushes to make its software more secure, in part to head off fines from regulators and the loss of important government business.
Adam Sohn, a Microsoft product manager for web-based services, said that Microsoft became aware of the problem after receiving an e-mail posting late on Wednesday and moved to block the flaw immediately.
Muhammad Faisal Rauf Danka, a computer consultant in Pakistan, discovered the flaw that let hackers hijack a Passport account by typing in a specific web address containing “emailpwdreset” to reset an account holder’s password, the company said.
The feature was originally meant to allow users to regain access to their account if they had forgotten the password.
Passport, which Microsoft launched in 2001 to make it easier for users to store their information in a central location, is used by a number of other web sites to make it easier for users to register or shop.
Microsoft launched a company-wide campaign last year to improve the reliability and security of its software, which runs on nearly all the world’s personal computers.
The Fair Trade Commission and Microsoft reached a settlement last year over the software maker’s claims about the security features of Passport; the settlement included a fine for future violations of up to $11,000 for each incident.