IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Outlook.com hack much worse than initially thought

Microsoft says a "limited subset of consumer accounts" were accessed via compromised credentials, but reports suggest it's much worse

A hack that Microsoft said affected "some" of its users' email accounts is much worse than initially thought, according to reports.

On Saturday, the company confirmed that some users of its email services had been targeted by hackers. But the issue is thought to be much worse than previously reported as the hackers were able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.

The tech giant has been notifying Outlook.com users that the hackers were able to access their accounts for the first three months of this year after it discovered that a support agent's credentials were compromised for its webmail services. This resulted in unauthorised access to accounts between 1 January and 28 March 2019.

According to Microsoft, the hackers could have viewed account email addresses, folder names and the subject lines of emails - but not the content of the emails or any attachments.

"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email to Tech Crunch.

However, in March -  before the company publicly announced the attack - an unnamed source told Motherboard that this abuse of customer support portals allowed the hackers to gain access to any email account as long as it wasn't a corporate level one.

"We have identified that a Microsoft support agent's credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account," a Microsoft email posted on Reddit said.

It's not clear how many users have been affected by the breach, or who the hackers are, but they weren't able to steal login details or other personal information. As a cautionary measure, Microsoft is recommending that affected users reset their passwords.

"Microsoft regrets any inconvenience caused by this issue," says the security notification. "Please be assured that Microsoft takes data protection very seriously and has engaged it's internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence."

This latest security incident comes just weeks after a former security researcher pleaded guilty to hacking into Microsoft and Nintendo servers at Blackfriars Crown Court. And, Microsoft's Windows development servers were breached for a number of weeks in January 2017, allowing hackers across Europe to access pre-release versions of the OS.

Interestingly, the time frame for this latest hack means it was going on while Microsoft's Office 365 cloud-powered productivity suite suffered outages across Europe, with users reporting issues connecting to the cloud-hosted email servers back in January. 

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Attracting and retaining talent through training
Sponsored

Attracting and retaining talent through training

13 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022