Recap: Microsoft confirmed over the weekend that a “limited” number of customers who use its Outlook.com web service had their accounts compromised. Now, it appears that the extent of the breach was worse than initially reported.
On Saturday, Microsoft confirmed to TechCrunch that hackers could have accessed affected users’ email addresses, folder names, subject lines, and the names of other email addresses the user communicates with. The company stressed that the content of the emails and attachments weren’t compromised.
According to a Motherboard report, however, the hackers could access the contents of a large number of Outlook, MSN, and Hotmail email accounts. The site’s source witnessed the attack and described it in March, before Microsoft’s statement. The hack was carried out by compromising a customer support agent’s credentials. Paid-for enterprise accounts were unaffected—only consumer accounts were hit.
Motherboard’s source has provided screenshots proving the email contents were, in some instances, accessed. When presented with this evidence, Microsoft admitted this was the case for around 6 percent of a small number of impacted customers.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson said.
Additionally, the source claims hackers were able to access the emails for at least six months—twice the amount of time Microsoft claims—though the company denies this is true.
Even if only a small number of users had their email contents breached, not being totally honest about the situation won’t have done Microsoft any PR favors, and could see customers question any future statements from the company.