Outlook.com hack more extensive than Microsoft first claimed, email contents compromised

midian182

Recap: Microsoft confirmed over the weekend that a “limited” number of customers who use its Outlook.com web service had their accounts compromised. Now, it appears that the extent of the breach was worse than initially reported.

On Saturday, Microsoft confirmed to TechCrunch that hackers could have accessed affected users’ email addresses, folder names, subject lines, and the names of other email addresses the user communicates with. The company stressed that the contents of the emails and attachments weren’t compromised.

According to a Motherboard report, however, the hackers could access the contents of a large number of Outlook, MSN, and Hotmail email accounts. The site’s source witnessed the attack and described it in March, before Microsoft’s statement. The hack was carried out by compromising a customer support agent’s credentials. Paid-for, enterprise accounts were unaffected—only consumer accounts were hit.

Motherboard’s source has provided screenshots proving the email contents were, in some instances, accessed. When presented with this evidence, Microsoft admitted this was the case for around 6 percent of a small number of impacted customers.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson said.

Additionally, the source claims hackers were able to access the emails for at least six months—twice the amount of time Microsoft claims—though the company denies this is true.

Even if only a small number of users had their email contents breached, not being totally honest about the situation won’t have done Microsoft any PR favors, and could see customers question any future statements from the company.


 
I know that in the past few months the amount of SPAM and general crap has increased significantly. Before that it was very unusual to receive any. I also noticed that their "block" and "spam" filter buttons just don't seem to do anything since I keep getting the same email messages over and over again .....
 
I know that in the past few months the amount of SPAM and general crap has increased significantly. Before that it was very unusual to receive any. I also noticed that their "block" and "spam" filter buttons just don't seem to do anything since I keep getting the same email messages over and over again .....

Thank god I'm not the only one that thinks this.
 
"Microsoft admitted this was the case for around 6 percent of a small number of impacted customers."

So have they notified those customers? Or should there not be some place we can go to see if our particular account was compromised? Seems odd there is no requirement to inform people if they know what accounts hackers had access to...
 
I know that in the past few months the amount of SPAM and general crap has increased significantly. Before that it was very unusual to receive any. I also noticed that their "block" and "spam" filter buttons just don't seem to do anything since I keep getting the same email messages over and over again .....

That explains a lot! I've noticed my hotmail email address gets anywhere between 200-300 spams per day. The ones that get through though are pretty much THE SAME ones. Luckily, most hit the spam folder.

"The hack was carried out by compromising a customer support agent’s credential."

Gee, wanna bet the customer support agent's location was OUTSIDE the USA? ;)
 
So it wasn't technically a hack in the sense that they used an exploit but it was a hack in the sense that they used someone's account that had... "superuser" access. Great.
 
According to GDPR, this breach should have been reported to a DPA in Europe if European citizens were affected.
Bizarre we didn't hear about this.
And it will be interesting to see what the EU will do about this.
 
Wow, the last few days I've been getting a lot of scam emails of fake APPLE, PAYPAL, FEDEX, UPS & CHASE bank. All claiming to give my info and log in but I don't have most of those accounts I said above. It's getting annoying. Two had PDF files of "ORDERS" or "RECEIPTS." lol.
 
Depending upon how you read email, you can create a filter to move them directly to trash when received.

For bad email sources like xyz @ foo.com,
I take the @ foo.com portion and set the filter to Source Contains which will trigger for every user (the xyz portion) on that domain.
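
An added example, not part of the comment above or of any mail product: it compares a plain "contains @foo.com" rule with a match on the parsed sender domain, to show where a substring rule over-matches and under-matches. The function names and sample headers are constructed for illustration; foo.com is the placeholder domain from the comment.

```python
from email.utils import parseaddr

# Placeholder domain taken from the comment above; not a real block list.
BLOCKED_DOMAINS = {"foo.com"}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header, or ''."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def contains_match(from_header, needle="@foo.com"):
    """A 'Source Contains' style rule: substring test on the raw header."""
    return needle in from_header.lower()


def domain_match(from_header, blocked=BLOCKED_DOMAINS):
    """Match the parsed domain exactly, or as a subdomain of a blocked one."""
    dom = sender_domain(from_header)
    return any(dom == b or dom.endswith("." + b) for b in blocked)


def route(from_header):
    """Folder a message would be filed in under the domain rule."""
    return "trash" if domain_match(from_header) else "inbox"


# Constructed sample From headers.
SAMPLES = [
    "xyz@foo.com",                        # both rules match
    "Billing <abc@FOO.COM>",              # both match (case-insensitive)
    "news@foo.community.example",         # substring matches a different domain
    '"help@foo.com" <user@example.org>',  # substring matches the display name only
    "promo@mail.foo.com",                 # substring misses a subdomain sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:40} contains={contains_match(header)!s:5} "
              f"domain={domain_match(header)!s:5} -> {route(header)}")
```

Either rule only reduces noise: the From header is supplied by the sender and can be forged, so a sender filter is not a defence against phishing that impersonates a domain you trust.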
 