Microsoft email breach gave hackers access to account information for months
Microsoft has experienced a data breach involving attackers leveraging a customer support account to access customers’ email information, including the content of some emails, according to news reports.
The company on Saturday confirmed to TechCrunch that a “limited” number of people who rely on Microsoft-managed email services such as @Outlook.com, @MSN.com and @Hotmail.com experienced account compromises. Microsoft notified users that hackers may have been able to access information about their accounts — including their email address, email subject lines, and frequent contacts — but not the contents of any messages or attachments, according to TechCrunch.
Hackers were in fact able to access email content from “a large number” of Outlook, MSN, and Hotmail email accounts, Motherboard reported Sunday. A source told Motherboard reporter Joseph Cox that outsiders could exploit a customer support portal to infiltrate any normal customer account, reading contents including the body of an email message. Enterprise accounts were not affected, per Motherboard’s source.
In a privacy notification posted on Reddit, Microsoft alerted customers the unauthorized access lasted from January 1 through March 28 of this year. Motherboard reported the breach may have lasted for six months.
“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access,” the company said.
The company has not explained how the breach occurred. Microsoft did not immediately respond to a request for comment from CyberScoop Monday.
Scammers could use the compromised email accounts to launch spam operations or steal users’ identities.
This breach provides the latest evidence that hackers frequently target Microsoft tools and products. The hackers who stole medical information on some 1.5 million people in Singapore last year accessed that data via an unpatched version of Microsoft Outlook, CyberScoop previously reported.