On Friday night, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account data like email addresses in messages, message subject lines, and folder names inside accounts. By Sunday, it acknowledged that the problem was actually much worse.
After tech news site Motherboard showed Microsoft evidence from a source that the scope of the incident was more extensive, the company revised its initial statement, saying instead that for about 6 percent of users who received a notification, hackers could also access the text of their messages and any attachments. Microsoft had previously denied to TechCrunch that full email messages were affected.
It may seem odd that a single set of customer support credentials could be the keys to such a massive kingdom. But within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to be able to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told WIRED. The company says that “out of an abundance of caution” it has increased threat monitoring for accounts impacted by the breach. Microsoft would not comment to WIRED on the scale of the attack or provide the total number of impacted accounts.