Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Email contents exposed for unlucky punters


Microsoft says miscreants accessed some of its customers' webmail inboxes and account data after a support rep's administrative account was hijacked.

The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep's account was compromised by hackers who would have subsequently gained "limited access" to certain parts of some customer email accounts, including the ability to read messages in particular cases.

In the alert, Microsoft warns its punters that, between January 1 and March 28 of this year, the attacker, or attackers, would have had the ability to extract certain information from their inboxes, including the subject names of messages, folder names, contact lists, and user email address. The intrusion was limited to consumer (read: free) Microsoft email accounts.

While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit – after media reports over the weekend – that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.

"Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of emails or attachments," Microsoft said in a statement to The Register.

patch

Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows

READ MORE

"A small group (about 6 per cent of the original, already limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support."

Microsoft would not say just how many people were affected by the snafu.

Redmond would go on to say that it has since identified and revoked the compromised administrator account and believes it has now addressed the problem. Out of an abundance of caution, however, customers whose inboxes were left exposed to the intruder will be getting additional "detection and monitoring" on their email accounts.

Microsoft did not say how the attackers were able to steal the support agent's account credentials, though a report from Motherboard cites an unnamed source as suggesting the attack was part of a larger scheme to obtain iCloud accounts that could be used to unlock stolen iPhones. ®


Keep Reading

Tech Resources

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Top 20 Private Cloud Questions Answered

Download this asset for straight answers to your top private cloud questions.

Biting the hand that feeds IT © 1998–2021