I’ve just found out that my Windows Live! account was compromised and my (unused) Hotmail account was used to send spam to the contacts in my Hotmail address book. At first I thought this was a Joe Job until I realised that Microsoft had changed Hotmail so that it’s associated with the Windows Live account I created and not necessarily with a @hotmail.com address.
I tried to delete my Hotmail account and then log back into Windows Live, but alas, logging back into Windows Live then reactivates bloody Hotmail. So I changed the password to something very complex and then nuked my entire Windows Live account. I’ve just gone on to make sure the password that was used with Live, and that I’ve used with other public services, has now been changed accordingly – just in case those involved in the compromise try anything else.
But it highlights the problem (other than that I had been using a password that was clearly too weak) that these mega profile accounts that hold social networking, email, web albums, etc. etc. are a little too insecure if you’re protecting them with a single password.
I like Google and Google Apps in that they have a very good two-factor authentication scheme that I’ve been using for many months without any issues at all. Even if my password had been compromised (and this would be difficult) you’d still need token based authentication to be able to proceed onto the various Google services where my data is stored. I couldn’t see any such scheme for Windows Live or Hotmail.
Going back to Google for a second, I’m a little concerned that Postini will happily vouch for drake.org.uk even though I don’t send through Postini servers. Google includes the IP addresses of the Postini SMTP farm as part of their SPF record and I don’t believe this is a good idea. Please keep Postini’s SMTP servers away from google.com’s SPF records, Google.
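To make the SPF concern concrete, here is a small, added example (my own illustration, not anything from Google or Postini) of how an `include:` mechanism expands the set of hosts allowed to send as a domain. The records below are constructed for the example: `example.org` lists one host of its own and then includes a hypothetical shared filtering farm under `_spf.mailfilter.example`. The evaluator handles `ip4`/`ip6`, `include` and `all` only; `a`, `mx` and the other mechanisms are left out. The useful check for a domain owner is the last function, which counts how many addresses end up authorised once the includes are followed.

```python
import ipaddress

# Constructed TXT records for illustration only; not real google.com or Postini data.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.10 include:_spf.mailfilter.example -all",
    "_spf.mailfilter.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    words = txt.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for word in words[1:]:
        qualifier = "+"
        if word[0] in QUALIFIERS:
            qualifier, word = word[0], word[1:]
        mechanism, _, argument = word.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(ip, domain, records, depth=0):
    """Evaluate a sending IP against a domain's SPF record (subset of RFC 7208)."""
    if depth > 10:
        return "permerror"          # include: loops / excessive nesting
    txt = records.get(domain)
    if txt is None:
        return "none"               # no SPF record published
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse_terms(txt):
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # 'in' is False when the address and network versions differ
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: matches only if the included domain returns "pass"
            matched = check_spf(ip, argument, records, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # fell off the end of the record


def authorized_networks(domain, records, depth=0):
    """Collect every ip4/ip6 network reachable through include: chains."""
    nets = []
    txt = records.get(domain)
    if txt is None or depth > 10:
        return nets
    for _, mechanism, argument in parse_terms(txt):
        if mechanism in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(argument, strict=False))
        elif mechanism == "include":
            nets.extend(authorized_networks(argument, records, depth + 1))
    return nets


def authorized_address_count(domain, records):
    """How many distinct addresses may send as this domain and pass SPF."""
    return sum(net.num_addresses for net in authorized_networks(domain, records))


if __name__ == "__main__":
    # The domain's own host passes, as expected.
    print(check_spf("192.0.2.10", "example.org", SPF_RECORDS))     # pass
    # A host the domain owner never configured, inside the shared farm, also passes.
    print(check_spf("198.51.100.7", "example.org", SPF_RECORDS))   # pass
    # Anything else hits -all.
    print(check_spf("192.0.2.11", "example.org", SPF_RECORDS))     # fail
    print(authorized_address_count("example.org", SPF_RECORDS))   # 513
```

The point the output makes is the one in the paragraph above: the domain owner configured one host, but the `include:` quietly adds two /24s belonging to someone else, so any tenant of that shared farm produces an SPF pass for the domain. Running `authorized_address_count` against your own published record is a quick way to see whether an include has widened the policy further than you intended.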
