News

Outlook.com hack much worse than initially thought

Microsoft says a "limited subset of consumer accounts" were accessed via compromised credentials, but reports suggest it's much worse

15 Apr 2019

A hack that Microsoft said affected "some" of its users' email accounts is much worse than initially thought, according to reports.

On Saturday, the company confirmed that some users of its email services had been targeted by hackers. But the issue is thought to be much worse than previously reported as the hackers were able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.

The tech giant has been notifying Outlook.com users that the hackers were able to access their accounts for the first three months of this year after it discovered that a support agent's credentials were compromised for its webmail services. This resulted in unauthorised access to accounts between 1 January and 28 March 2019.

According to Microsoft, the hackers could have viewed account email addresses, folder names and the subject lines of emails - but not the content of the emails or any attachments.

"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email to Tech Crunch.

However, in March - before the company publicly announced the attack - an unnamed source told Motherboard that this abuse of customer support portals allowed the hackers to gain access to any email account as long as it wasn't a corporate level one.

"We have identified that a Microsoft support agent's credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account," a Microsoft email posted on Reddit said.

It's not clear how many users have been affected by the breach, or who the hackers are, but they weren't able to steal login details or other personal information. As a cautionary measure, Microsoft is recommending that affected users reset their passwords.

"Microsoft regrets any inconvenience caused by this issue," says the security notification. "Please be assured that Microsoft takes data protection very seriously and has engaged it's internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence."

This latest security incident comes just weeks after a former security researcher pleaded guilty to hacking into Microsoft and Nintendo servers at Blackfriars Crown Court. And, Microsoft's Windows development servers were breached for a number of weeks in January 2017, allowing hackers across Europe to access pre-release versions of the OS.

Interestingly, the time frame for this latest hack means it was going on while Microsoft's Office 365 cloud-powered productivity suite suffered outages across Europe, with users reporting issues connecting to the cloud-hosted email servers back in January.