A group of hackers accessed Microsoft email systems and potentially could have viewed information therein for months.
According to a new report from TechCrunch, Microsoft has confirmed that a group of hackers accessed MSN, Hotmail and Outlook accounts by compromising a customer support agent’s credentials.
A “limited” number of people who rely on Microsoft-managed email services such as Outlook.com, MSN.com, and Hotmail.com experienced account compromises, reads the report. Microsoft notified users that hackers may have had able to access information about their accounts — including their email address, email subject lines, and frequent contacts — but not the contents of any messages or attachments.
Microsoft in its notification said that the breach first occurred after a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access the victims’ email information, according to Microsoft. Hackers subsequently gained unauthorized access to email account-related information – including email addresses, folder names, email subject lines, and recipient email addresses.
“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access,” Microsoft said. “Our data indicates that account-related information (but not the content of any emails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used.”
Microsoft has not revealed how many accounts were affected. Similarly, the length of the breach is unclear — Microsoft claims only three months, though a report from Motherboard indicates it was “up to six months,” with hackers using account access to reset iCloud accounts linked to stolen iPhones.
Considering Microsoft’s reticence to admit that users had email accessed until evidence was provided contradicting that claim, their statements on the breach should be taken with a grain of salt.