Microsoft has experienced a data breach that has lasted at least three months. During that time, hackers were able to access affected users’ email addresses, email subject lines, folder names, and email contacts. The breach affected certain users of its web email services: Hotmail, MSN, and Outlook.
A Microsoft support agent’s account details were compromised on January 1, 2019, which allowed the attackers to gain access to information in customers’ accounts. The breach was detected on March 28 and Microsoft immediately disabled the compromised credentials. The breach appears to have affected only personal account holders. Corporate users who pay for email accounts were not affected.
According to the incident notification emails sent by Microsoft to affected individuals, the attackers did not have access to the content of emails or email attachments. Only account-related information could have been viewed. Affected individuals are not believed to have been put at risk, although Microsoft has warned that they may receive spam and phishing emails as a result of the breach and has told them to exercise caution.
According to Motherboard, the hack is much worse than is being reported. Motherboard was made aware of the breach before it was confirmed by Microsoft, and Motherboard’s source said the breach lasted for at least 6 months. Further, the source said the content of email messages could be accessed by the hackers.
Microsoft has not released any information on the number of individuals affected, other than saying that around 6% of accounts that were accessible using the compromised credentials were affected. Since the number of accessible accounts is not known, it is impossible to tell how many users were affected. Microsoft says only a small number of accounts were affected, although Motherboard’s source said the breach impacted a large number of accounts and that the compromised credentials belonged to an individual with high-level privileges.
Microsoft is downplaying the breach and many questions about the nature of the breach, its extent, and what the attackers did with the credentials remain unanswered.