Some users of Microsoft’s web-based e-mail services such as Outlook.com had their account information exposed in an incident that, as it later emerged, also impacted e-mail contents.
Microsoft has acknowledged a security incident that, for nearly three months, gave hackers access to information related to an unknown number of e-mail accounts on the tech giant’s webmail services, which include Outlook.com, Hotmail and MSN.
According to an e-mail notification that Microsoft sent out to affected users late on Friday (posted on image-sharing platform Imgur via Reddit), attackers broke in by compromising the login credentials of one of its support agents. This gave them access to limited information on some e-mail user accounts, including e-mail addresses, folder labels, the subject lines of emails, and the names of other e-mail addresses with which the person communicated.
The breach, which lasted from January 1 to March 28 of this year, impacted a “limited subset of consumer accounts”, so enterprise e-mail accounts were not at risk. Microsoft said that it disabled the support agent’s compromised credentials as soon as it became aware of the issue.
As per the alert sent out on Friday, the emails’ contents and attachments were not exposed. Before long, however, things grew more complicated.
Motherboard quoted a source as saying that in some cases the intruders could also access e-mail content for “numerous Outlook, MSN, and Hotmail e-mail accounts”. This was apparently because the compromised account “belonged to a highly privileged user, meaning they likely have more access to material than other employees”.
Microsoft confirmed for Motherboard later over the weekend that “hackers gained access to the content of some customers’ emails”. These users – who accounted for some 6 percent of all those impacted by the incident – received a separate notification e-mail from Microsoft. The company did not reveal how many people overall were affected in either scenario.
At any rate, while no user passwords were compromised, Microsoft recommended that all affected users should change their passwords as a security precaution.
Moreover, since they may find themselves on the receiving end of phishing attacks, they should keep a sharp lookout for suspicious emails. To further thwart account-takeover attempts, it’s also worth enabling two-factor authentication.