Since so many are missing this, I thought I'd do everyone a favor and repost
it with caps in the subject. It was easy to miss before. This was posted
by Russ Paul-Jones.
------------------------------------------------------------------------------
Redmond, July 18, 2004, 22:00 PDT
I'm sorry that this post is so late, and I know that folks are frustrated
with the lack of communication. We have been on the verge of good news all
afternoon (and evening), and it is here.
I'm happy to announce that we have published a solution to the sign-in
problem. Users that have been unable to use the passwords or work with their
files offline should follow the directions at:
http://sync.money.msn.com/help/pss/w1.asp
I know that there are additional questions, which I have answered below.
Q1: What happened with our passwords?
A1: On Monday, one of our servers was updated and inadvertently
pointed to the wrong location to verify authentication. The authentication
process worked perfectly - we caused the problem by looking in the wrong
server location. This mistake only affected Money services. (If you think of
your login information as a key, and our servers as a lock, then we changed
the lock on the safe, and the old key wouldn't work anymore. There is no way
for the user [or anybody else] to create working login information. The good
news is that nobody could open the local file because of this mistake at any
time; your information is still protected.)
We corrected the "wrong server location" problem Tuesday morning, and users
who did not log in between late Monday afternoon and Tuesday morning should
be able to use their files normally.
Those who were affected may continue to be affected, however, since Money
downloaded some of the garbled information from our servers. (Basically, we
made a copy of the lock on your local file. Why did we do this? Because when
you change the lock yourself, you don't want the old key to continue working
on your local file. You also wouldn't want there to be an easy way for
somebody on your machine to ignore the change in the locks. Of course, we
will look at this scenario to see if we could solve it without decreasing
security in the future.)
This situation has not caused any violation of our users'
privacy, and our online services have continued to be available.
Q2: How does the fix work?
A2: We have carefully recreated the incorrect environment of Monday
evening and a Web page to access it. The web page will allow affected users
to log in with their current information and recover the lock information
that has locked them out. This will allow them to unlock their file. It is
important to note that users who changed their password should use their new
password, and that no user will be able to access the lock information for
another user.
Again, this solution does not violate our users' privacy. We are
using your login information to restore the lock to your unique key.
Users who have been unable to access their local files should
open a web browser to http://sync.money.msn.com/help/pss/w1.asp and follow
the directions on that page.
Q3: Why did it take so long?
A3: We have addressed the problem in stages. Our first efforts were to
restore the correct configuration of our servers, while preserving the state
they were in for investigation.
Then, we started a careful investigation of the impact on users. Naturally,
we are very careful when dealing with users' login information and follow
strict procedures to protect their privacy.
We have identified three different states that users' files can be in, and
we worked on fixes for all of them. We realize that it was important that
the fix be thorough.
At all times we were working as directly and hard as possible at getting a
solution out to the affected users as soon as possible.
Q4: What if I still can't access my file?
A4: You should send email to mnyngsup@microsoft.com.
Q5: Was this Passport's fault?
A5: No. Passport was working correctly, and always did work for access
to our online services, such as MSN Bill Pay. The issue relates to Money's
server interactions with local Money files.
Q6: Why does Money use Passport for the local file?
A6: We use Passport for a number of web services at Microsoft,
including financial web services that we offer through Microsoft Money.
Since the local file can access these services, the file needs to be
protected as well. For ease of use, we use the same system, Passport, to
protect access to the local file. Users that do not use the web services do
not have to use Passport for the local file.
-Russ Paul-Jones
MSN Money