In the latest of a seemingly endless string of high-profile hacks, Microsoft confirmed to TechCrunch over the weekend that a “limited” number of people who use Microsoft’s email platforms — including Outlook, MSN, and Hotmail — had their accounts compromised. Microsoft sent an email to the affected users last Friday, alerting them that hackers had potentially been able to access a trove of information, including the subject lines of their emails and the names of the people they’ve emailed, “but not the content of any e-mails or attachments.”
As serious as this sounds, the hack was even worse than Microsoft first let on: Motherboard reported on Sunday that the hackers were indeed able to access actual emails from “a large number of Outlook, MSN, and Hotmail email accounts.” A source described the attack before Microsoft released its statement, and then provided screenshots to prove it. Microsoft then confirmed to Motherboard that some email content had been accessed.
According to Motherboard, Microsoft sent a separate email alert to about 6% of the affected users, informing them that their email content had been compromised. The breach apparently stemmed from a faulty customer support tool which allowed hackers to access any email account that wasn’t a corporate account. Although the source claims this went on for at least six months, Microsoft says the hackers had access from January 1st to March 28th.
Here’s the full statement from Microsoft’s Information Protection and Governance team regarding the hack:
Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts.
The fact that Microsoft did not announce publicly that hackers were able to access and read private emails sent by Outlook, MSN, and Hotmail users is incredibly troubling. It took Motherboard showing photographic evidence to the company before an admission came out. And while 6% might not sound like a lot, Microsoft still hasn’t revealed how many accounts were affected by the Outlook hack in total.