Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Email contents exposed for unlucky punters

Microsoft says miscreants accessed some of its customers' webmail inboxes and account data after a support rep's administrative account was hijacked.

The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep's account was compromised by hackers who would have subsequently gained "limited access" to certain parts of some customer email accounts, including the ability to read messages in particular cases.

In the alert, Microsoft warns its punters that, between January 1 and March 28 of this year, the attacker, or attackers, would have had the ability to extract certain information from their inboxes, including the subject names of messages, folder names, contact lists, and user email address. The intrusion was limited to consumer (read: free) Microsoft email accounts.

While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit – after media reports over the weekend – that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.

"Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of emails or attachments," Microsoft said in a statement to The Register.


Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows


"A small group (about 6 per cent of the original, already limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support."

Microsoft would not say just how many people were affected by the snafu.

Redmond would go on to say that it has since identified and revoked the compromised administrator account and believes it has now addressed the problem. Out of an abundance of caution, however, customers whose inboxes were left exposed to the intruder will be getting additional "detection and monitoring" on their email accounts.

Microsoft did not say how the attackers were able to steal the support agent's account credentials, though a report from Motherboard cites an unnamed source as suggesting the attack was part of a larger scheme to obtain iCloud accounts that could be used to unlock stolen iPhones. ®

Biting the hand that feeds IT © 1998–2021