Some users of Microsoft’s webmail services, such as Outlook.com, had their account information exposed in an incident which, as later became known, also impacted email content.
Microsoft has acknowledged a security incident that for nearly three months allowed hackers to gain access to information relating to an unknown number of email accounts on the tech giant’s webmail services, including Outlook. com, Hotmail and MSN. In some cases, the content of emails and attachments were also exposed.
According to an email notification Microsoft sent to affected users on Friday evening (posted on the Imgur image-sharing platform via Reddit), the attackers entered into compromise by compromising the credentials of one of the its support agents. This gave them access to limited information about certain user accounts, including email addresses, folder labels, email subject lines, and the names of other email addresses with which the person communicated.
The breach, which lasted from January 1 to March 28 this year, impacted a “limited subset of consumer accounts,” so corporate email accounts were not at risk. Microsoft said it disabled the compromised Support Agent credentials as soon as it became aware of the issue.
As per the alert sent on Friday, the content and attachments of the emails were not exposed. Soon after, however, things got complicated.
Motherboard cited a source as saying that in some cases, intruders could indeed also access email content for “a large number of Outlook, MSN and Hotmail email accounts.” This was apparently because the compromised account “belonged to a highly privileged user, which means they probably have more access to the hardware than other employees.”
Microsoft confirmed to Motherboard later over the weekend that “hackers have gained access to the content of some customer emails.” These users – who represented about 6% of all those affected by the incident – received a separate notification email from Microsoft. The company did not disclose how many people in total were affected in either scenario.
Regardless, although no user passwords have been compromised, Microsoft has recommended that all affected users change their passwords for security reasons.
Additionally, since they may find themselves at the mercy of phishing attacks, they should keep a close eye on suspicious emails. To further thwart account takeover attempts, it’s also worth enabling two-factor authentication.