Microsoft confirms managed email data breach

Cybercriminals have compromised a "limited" number of Microsoft email accounts, the software giant has told customers.

The hacker had access to email accounts from Outlook, MSN and Hotmail between January 1 and March 28, Microsoft said.

"Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorised access." It's not clear how many users have been affected by the breach.

On Saturday, Microsoft confirmed to TechCrunch that hackers could have accessed affected users' email addresses, folder names, subject lines, and the names of other email addresses the user communicates with.

The worry was that even limited information like email subject lines could enable malicious parties to concoct a more convincing phishing scam to aim at the user whose email they have (and they could also employ extra details like the names of friends, gleaned from the email addresses the user has contacted).

Email accounts across Microsoft's Outlook, Hotmail and MSN services were left vulnerable for nearly three months after it emerged that hackers had targeted them. Paid-for, enterprise accounts were unaffected; only consumer accounts were hit. "Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence".

Specifically, Microsoft admitted it had sent notifications of a security breach to some users which informed them that their email content had (potentially) been read, but that this only applied to a small number of the affected users, around 6%. A source described the attack before Microsoft released its statement, and then provided screenshots to prove it. Microsoft then confirmed to Motherboard that some email content had been accessed. It is, however, recommending that users reset their passwords just in case.