When I worked for MSN/Hotmail around 2000-2003, there were dozens of helpdesk folks who had access to an admin panel to easily view any email and could view/edit PII for anyone with very little (if not zero) accounting or auditing. It was protected by plaintext auth and open to the internet.
One employee told me that he caught his wife cheating by reading her mail.
Another used it to recover their own stolen EQ account worth thousands.
I personally used this access to help a friend recover a hacked/stolen Hotmail account. I told them the email address, what had happened to it, and they forwarded me a screenshot of their Passport.NET PII details for them to use the self-service password reset.
Just prior to your mentioned timeline Hotmail was vulnerable via query string params. A rather non-technical friend of mine brought this up in conversation and I didn't believe him, so he told me to log in to my account. He took a quick look at the URL and wrote down a param, then logged into my account on his machine. IIRC it was patched about a month later but still, those early days of the web were pretty wild.
In 2002-2003 you could access anyone else's Hotmail account by going to your own Settings page, adding an input field with the ID "SignInName", entering the email address you want to switch to, and clicking Save.
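Both the query-string bug in the earlier comment and the "SignInName" trick above are the same class of flaw: the server let a client-supplied parameter decide whose account a request acts on. The following is an added example, not code from the thread or from Hotmail, that models a settings-save handler in that shape next to a hardened one. The account store, session table, function names and sample users are assumptions made for the demo; only the field name "SignInName" comes from the comment.

```python
# Added example modelling a client-controlled identity field (the "SignInName"
# bug described in the thread).  Everything except the field name is assumed
# for the demo: a toy app with an in-memory account store and session table.
from dataclasses import dataclass, field

# Settings a user may legitimately edit on the page.  Identity is NOT one of them.
EDITABLE_SETTINGS = {"display_name", "secret_question"}


@dataclass
class App:
    accounts: dict = field(default_factory=dict)   # sign-in name -> settings
    sessions: dict = field(default_factory=dict)   # session id -> signed-in user


def make_demo_app():
    """Constructed sample state: two accounts, one session signed in as alice."""
    return App(
        accounts={
            "alice@example.com": {"display_name": "Alice", "secret_question": "pet"},
            "bob@example.com": {"display_name": "Bob", "secret_question": "school"},
        },
        sessions={"sess-1234": "alice@example.com"},
    )


def vulnerable_save_settings(app, session_id, form):
    """Before: if the form carries SignInName, the server believes it.

    The settings page never rendered that field, but nothing stops a user from
    adding one (or appending a query parameter) before clicking Save.
    """
    user = form.get("SignInName", app.sessions.get(session_id))  # attacker-controlled
    if user not in app.accounts:
        return {"ok": False, "error": "unknown account"}
    for key, value in form.items():
        if key in EDITABLE_SETTINGS:
            app.accounts[user][key] = value
    app.sessions[session_id] = user  # the session is now "switched" to the victim
    return {"ok": True, "user": user}


def hardened_save_settings(app, session_id, form):
    """After: identity comes only from server-side session state.

    Any field outside the editable set is rejected rather than silently
    dropped, so an attempt to smuggle an identity field fails loudly and can
    be logged instead of being absorbed.
    """
    user = app.sessions.get(session_id)
    if user is None:
        return {"ok": False, "error": "not signed in"}
    unexpected = set(form) - EDITABLE_SETTINGS
    if unexpected:
        return {"ok": False, "error": f"unexpected fields: {sorted(unexpected)}"}
    for key, value in form.items():
        app.accounts[user][key] = value
    return {"ok": True, "user": user}


def run_attack(handler):
    """Replay the attack from the comment against a handler; return (result, app)."""
    app = make_demo_app()
    # alice's session submits a form with an injected SignInName for bob.
    result = handler(app, "sess-1234",
                     {"SignInName": "bob@example.com", "display_name": "pwned"})
    return result, app


if __name__ == "__main__":
    for handler in (vulnerable_save_settings, hardened_save_settings):
        result, app = run_attack(handler)
        print(handler.__name__, result, app.sessions["sess-1234"],
              app.accounts["bob@example.com"]["display_name"])
```

The fix is not "hide the field from the HTML" but "never read identity from the request body at all"; an allow-list of editable keys is what makes the hardened handler reject the injected field instead of merely ignoring it.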
Do you think things like this happen regularly nowadays? Most companies have logging in place but I'd assume there aren't resources to audit those logs unless compelled by an outside complaint...
I've worked at some rather large companies with insanely relaxed security and auditing standards. I think it's even worse now than before because cloud providers make setting up a database cheap and simple. So today an individual or small team can throw together a production-scale MongoDB in a few hours and start filling it with potential PII; whereas 10 years ago, something like that stood a good chance of having at least one external DBA/IT person consulted before going into prod.
My line of thinking is to assume auditing and access controls are lax unless the data in question is part of the company's secret sauce, or is regulated by the government.
I remember knowing people on IRC who "had friends at Microsoft" who could do this kind of stuff to your MSN account, and I heard of people having their accounts stolen, but I never believed it. Guess there was some truth to it...
Obviously not much has changed.