A group of hackers accessed Microsoft email systems and potentially could have viewed information therein for months.
Microsoft has confirmed that a group of hackers accessed MSN, Hotmail and Outlook accounts by compromising a customer support agent’s credentials. Once the issue was discovered, the company said that it disabled the credentials.
In statements made to TechCrunch, Microsoft confirmed the scale of the event after reports emerged that Outlook users were being notified that cybercriminals had been able to access their accounts between 1 January and 28 March 2019.
Microsoft said that these hackers potentially could have viewed account email addresses, folder names and subject lines of emails, and initially claimed that the content of emails had not been compromised. However, it has since admitted a statement to Motherboard that hackers gained access to the content of user emails, revealing the hack to be considerably more serious than first assumed.
Microsoft has also said that the hackers weren’t able to steal login details or other personal information, though nevertheless advised affected users to reset their password. In a security notification sent to these users, the tech giant says it “regrets any inconvenience caused by this issue”. The company has also advised users that they may need to be extra vigilant about potential phishing emails that may masquerade as emails sent from their regular contacts.
There are still many mysteries attached to this breach. Microsoft has not confirmed how many people or accounts were hit by the breach, nor in what territories. It also has yet to confirm how the agent’s credentials were compromised and whether that agent was a Microsoft employee or a third-party worker.
Breach announcements have become a regular occurrence in the cybersecurity world, yet 2019 has seen a particularly intense swell of hacks. Most notably, January 2019 saw one of the biggest reported data breaches in history, which saw close to 773m unique email addresses and 21m unique passwords posted to a hacking forum.
The hack was dubbed Collection #1 by cybersecurity professional Troy Hunt, who first discovered the data breach. Hunt is the founder of Have I Been Pwned, a free service that aggregates data breaches and allows people to use their email addresses to search whether they’ve ever been hit in these kinds of cyberattack.
Collection #1 fails to scoop the record for the largest breach in history, however – that distinction belongs to Yahoo, now owned by Verizon, which had data from a staggering 1bn user accounts compromised in August 2013.