Microsoft plugs second Passport hole

Microsoft fixed a security flaw in its Passport online identity system after the vulnerability was revealed by a Latin American hacker.

The flaw, which affects a small number of accounts created before August 1999, hasn't been used to compromise any data, said Jeff Jones, senior director of trustworthy computing for Microsoft.

"When we first heard about this, we tried to confirm the issue on eight or 10 accounts and couldn't," he said. "There is a very small subset of accounts that were created prior to four years ago that are affected."

Hotmail accounts that don't have a secret question set for password recovery were vulnerable to being taken over by an attacker. It's the second time in two months that a security issue has been found in Passport's password recovery mechanism.

Jones said the company repaired the data error that led to the flaw and is monitoring the accounts that could be affected by the issue.

"They have done a search of all those accounts and have identified no malicious exploits," he said.

The flaw was briefly described in a posting by an independent security consultant who used the name "Victor Manuel Alvarez Castro" on the Insecure.org security mailing list.

"An account for which no secret password exists can be modified by other users by entering a new password," Castro wrote on June 27. "It's easily identifiable because the Secret Question field will be titled like 'notset.'" If you leave the "Secret Question" blank and then set a new password for the account, you can effectively gain control of the account, he explained.
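The defect the article describes is a recovery check that fails open: when an account has no secret question, the stored answer is empty, so a blank submission compares equal. The following is an added illustration written for this page, not Passport's code or anything Microsoft published; the `Account` fields, the function names and the sample records are assumptions, and only the `notset` label comes from the article. It places the fail-open check beside a fail-closed one and adds the audit query an operator would run to find the accounts that need monitoring.

```python
import hmac
from dataclasses import dataclass
from typing import List

# Sentinel value the article says labels the Secret Question field of
# accounts that never had one set (the only identifier taken from the page).
NOT_SET = "notset"


@dataclass
class Account:
    """Constructed sample record; field names are assumptions, not Passport's schema."""
    username: str
    password: str
    secret_question: str = NOT_SET
    secret_answer: str = ""  # empty when no question was ever configured


def recover_password_vulnerable(acct: Account, supplied_answer: str, new_password: str) -> bool:
    """Fail-open check: compares answers without confirming a question exists.

    For an account whose question is unset the stored answer is empty, so a
    blank submission compares equal and the password is reset.
    """
    if hmac.compare_digest(supplied_answer.encode(), acct.secret_answer.encode()):
        acct.password = new_password
        return True
    return False


def recover_password_fixed(acct: Account, supplied_answer: str, new_password: str) -> bool:
    """Fail-closed check: refuse the recovery path entirely when no question was set."""
    if acct.secret_question == NOT_SET or not acct.secret_answer:
        return False          # no question configured: this path must not exist for the account
    if not supplied_answer:
        return False          # never accept an empty answer, whatever is stored
    if not hmac.compare_digest(supplied_answer.encode(), acct.secret_answer.encode()):
        return False
    acct.password = new_password
    return True


def accounts_without_secret_question(accounts: List[Account]) -> List[str]:
    """Audit helper: accounts that would need monitoring or a forced question setup."""
    return [a.username for a in accounts
            if a.secret_question == NOT_SET or not a.secret_answer]


if __name__ == "__main__":
    legacy = Account("legacy_user", "hunter2")                    # constructed record with no question
    modern = Account("modern_user", "hunter2", "first pet", "rex")  # constructed record with a question
    print(recover_password_vulnerable(legacy, "", "chosen-by-other"))  # True: fail-open
    legacy.password = "hunter2"
    print(recover_password_fixed(legacy, "", "chosen-by-other"))       # False: refused
    print(recover_password_fixed(modern, "rex", "rotated"))            # True
    print(accounts_without_secret_question([legacy, modern]))          # ['legacy_user']
```

The fixed version checks the precondition (a question exists) before comparing anything, and the audit function is the same predicate lifted over the whole account table, which is how the "small subset" the article mentions would be enumerated for monitoring.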

The flaw comes as a new California law goes into effect that would require companies to give notice to their customers when unencrypted personal information may have been compromised. In this case, Microsoft likely won't have to notify any users, because the company has evidence that accounts weren't tampered with.

Companies that do not comply with the California law open themselves up to civil lawsuits.
