Microsoft suffers from webmail services security breach

Microsoft has reported a breach of its webmail service that exposed a “limited” number of email accounts to criminal intrusion.

Compromised Microsoft webmail services

Microsoft has confirmed TechCrunch today that some of their webmail users saw their email accounts exposed to intruders between January 1 and March 28 after obtaining the credentials from a Microsoft customer support agent.


“We fixed this pattern, which affected a limited subset of consumer accounts, by disabling compromised credentials and blocking author access,” a Microsoft spokesperson wrote in an email. at TechCrunch.

An email sent to affected users indicated that intruders may be able to see a user’s email address, the email addresses of those a user was corresponding with, the subject lines of the email and folder names the user had configured, but not the actual email content or any passwords.

However, Microsoft strongly suggests that affected users still change their passwords for security reasons.

TechCrunch has posted Microsoft’s full email to affected users and we’ve reprinted it below.

Valued customer

Microsoft is committed to providing transparency to its customers. As part of maintaining that trust and commitment to you, we are bringing you up to date on a recent event that has affected your Microsoft managed email account.

We have identified that the credentials of a Microsoft support agent have been compromised, allowing people outside of Microsoft to access your Microsoft email account information. This unauthorized access may have allowed unauthorized parties to access and / or view information relating to your email account (such as your email address, folder names, subject lines of emails. – emails and the names of other email addresses that you provide), but not the content of emails or attachments, between January 1, 2019 and March 28, 2019.

After learning about this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any other unauthorized access. Our data indicates that account information (but not email content) could have been viewed, but Microsoft has no indication as to why this information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam. You should be careful when you receive emails from any deceptive domain name, any email requesting personal information or payment, or any unsolicited request from an untrusted source (you can read more at phishing attacks on https: // docs.

It is important to note that your e-mail login credentials were not directly impacted by this incident. However, to be on the safe side, you should reset your password for your account.

If you need further assistance or have any additional questions or concerns, please do not hesitate to contact our Incident Response team at [email protected] If you are a citizen of the European Union, you can also contact Microsoft’s data protection officer at:

EU Data Protection Officer

Microsoft Ireland Operations Ltd

A Microsoft location,

South County Business Park,

Leopardstown, Dublin 18, Ireland

[email protected]

Microsoft regrets any inconvenience caused by this issue. Rest assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in investigating and resolving the issue, as well as further hardening systems and processes to prevent such a recurrence.