Some users of Microsoft’s web-based email services such as Outlook.com had their account information exposed in an incident that, as it later emerged, also impacted email contents.
Microsoft has acknowledged a security incident that, for almost three months, gave hackers access to information related to an unknown number of email accounts on the tech giant’s webmail services, which include Outlook.com, Hotmail and MSN. In some cases, email contents and attachments were also exposed.
According to an email notification that Microsoft sent out to affected users late on Friday (posted on image-sharing platform Imgur via Reddit), attackers broke in by compromising the login credentials of one of its support agents. This gave them access to limited information on some user accounts, including email addresses, folder labels, the subject lines of emails, and the names of other email addresses with which the person communicated.
The breach, which lasted from January 1 to March 28 of this year, impacted a “limited subset of consumer accounts”, so enterprise email accounts were not at risk. Microsoft said that it disabled the support agent’s compromised credentials as soon as it became aware of the issue.
As per the alert sent out on Friday, the emails’ contents and attachments were not exposed. Before long, however, things grew more complicated.
Motherboard quoted a source as saying that in some cases the intruders could indeed also access email content for “a large number of Outlook, MSN, and Hotmail email accounts”. This was apparently because the compromised account “belonged to a high privileged user, meaning they likely have more access to material than other employees”.
Microsoft confirmed for Motherboard later over the weekend that “hackers gained access to the content of some customers’ emails”. These users – who accounted for some 6 percent of all those impacted by the incident – received a separate notification email from Microsoft. The company didn’t reveal how many people overall were affected in either scenario.
At any rate, while no user passwords were compromised, Microsoft recommended that all affected users should change their passwords as a security precaution.
Additionally, since they may find themselves on the receiving end of phishing attacks, they should keep a sharp lookout for suspicious emails. To further thwart account-takeover attempts, it’s also worth enabling two-factor authentication.
written by Tomas Foltyn, ESET We Live Security