PSA: Microsoft Outlook Breach Worse Than Expected, Hackers Could Read Emails of 6% of Affected Users

[MacRumors]

Microsoft has revealed that one of its support agent's credentials were compromised, enabling unauthorized parties to access information from a "limited subset" of users, including e-mail addresses, folder names, subject lines, and the names of recent recipients, between January 1 and March 28 of 2019.

It gets worse, unfortunately. In a statement issued to The Verge, Microsoft said that the unauthorized parties had access to the actual content of roughly six percent of affected email accounts, as exposed by Motherboard.

In an email to affected users shared by TechCrunch, Microsoft said it has now blocked this unauthorized access, disabled the passwords of compromised accounts, and increased detection and monitoring to further protect users. Microsoft recommends users change their passwords out of an abundance of caution.

The breach affected a "limited subset" of Microsoft-managed email accounts, including Outlook, MSN, and Hotmail email addresses. No enterprise customers are believed to be affected, according to TechCrunch.

Microsoft told affected users that it has no indication why the information was viewed or how it may have been used. The company has yet to reveal how it discovered the breach, how the support agent's credentials were compromised, or if the agent was a Microsoft employee, according to TechCrunch.

Article Link: PSA: Microsoft Outlook Breach Worse Than Expected, Hackers Could Read Emails of 6% of Affected Users

 

[ArtOfWarfare]

And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.

 

[GeoStructural]

I am pretty sure I am one of the affected users, I could see weird stuffs last month with my email, I even received a notification of an app permission granted, something I don’t even use.
[doublepost=1555350313][/doublepost]

And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.

I get your point but it is not just about that. Your work, research, sales, etc. may rely on email and you don’t want unauthorized access to it.

 

[1144557]

I am pretty sure I am one of the affected users, I could see weird stuffs last month with my email, I even received a notification of an app permission granted, something I don’t even use.

Because missing from the story per other news outlets is that the hacker hacked the MS EMPLOYEE, a help agent or something like that, who would have access to review email issues. I guess a support agent type thing? (the arent specific regarding their position) Since only limited data was viewed and not the full email content.

So it wouldn't have looked like anything was wrong.

To be fair no mail servers were hacked here or anything, the employee was. Or just straight careless with their login, we dont know that part; that is why Im not quite ready to hang Microsoft for this

 

[nouveau_redneck]

And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.

These breeches are typically not about finding users to blackmail. These are typically done to gain access to ones credentials or learn about users for informed phishing attempts.

 

[justperry]

High time for a "internet reboot" 2.0

 

[nouveau_redneck]

High time for a "internet reboot" 2.0

It's high time for companies to be held accountable for breeches in a severe monetary fashion.

The only way they are going to get better at security, or take security seriously, is if it affects their bottom line in a big way if they don't.

 

[justperry]

It's high time for companies to be held accountable for breeches in a severe monetary fashion.

The only way they are going to get better at security, or take security seriously, is if it affects their bottom line in a big way if they don't.

That won't be sufficient, a "internet reboot" 2.0 would be much better.

For instance, your private information stays on your device, end to end full encryption mandatory for the whole internet.
Keys are in your possession, not anywhere else.
Standard opt-out for everything.

 

[1144557]

It's high time for companies to be held accountable for breeches in a severe monetary fashion.

The only way they are going to get better at security, or take security seriously, is if it affects their bottom line in a big way if they don't.

Except this was a support agent employee's credentials that were hacked and used to get in, so how do you fine a company or hold them responsible for what someone was loose with potentially out of the work environment? Other than fire the person what more can the company do? There is always that human aspect that is the weak link.

Its hard to say what more they could have done here without facts; did the employee have it written on a sticky note at lost it being completely negligent? We simply dont have the facts

 

[nouveau_redneck]

So some techs account was "hacked". Does that mean unsafe use of a computer and picking up malware? Does it mean weak password or not changing passwords frequently? Or some other stupid usage.

From my experience the weakest security link in corporate environments are typically ill-informed users or just plain stupid people. Anyone with privileged access should be locked down and audited, single purpose accounts, etc.
[doublepost=1555352287][/doublepost]

That won't be sufficient, a "internet reboot" 2.0 would be much better.

For instance, your private information stays on your device, end to end full encryption mandatory for the whole internet.
Keys are in your possession, not anywhere else.
Standard opt-out for everything.

Intel communities would never allow that to happen.
[doublepost=1555352428][/doublepost]

Except this was a support agent employee's credentials that were hacked and used to get in, so how do you fine a company or hold them responsible for what someone was loose with potentially out of the work environment? Other than fire the person what more can the company do? There is always that human aspect that is the weak link.

Its hard to say what more they could have done here without facts; did the employee have it written on a sticky note at lost it being completely negligent? We simply dont have the facts

Yes, agreed it is usually stupid employees. There is much that can be done to make such people less harmful. See my above post. And yes, the companies need to take responsibility for employees.

 

[1144557]

So some techs account was "hacked". Does that mean unsafe use of a computer and picking up malware? Does it mean weak password or not changing passwords frequently? Or some other stupid usage.

From my experience the weakest security link in corporate environments are typically ill-informed users or just plain stupid people. Anyone with privileged access should be locked down and audited, single purpose accounts, etc.
[doublepost=1555352287][/doublepost]

Intel communities would never allow that to happen.
[doublepost=1555352428][/doublepost]

Yes, agreed it is usually stupid employees. There is much that can be done to make such people less harmful. See my above post. And yes, the companies need to take responsibility for employees.

Im not saying they shouldnt be responsible, but what MORE can you reasonably do when there is a human aspect involved? Sure you can make a new login every day, etc etc etc. But then how efficient is that.

And phishing or something like that would not change the end result of getting in for at least some amount of time; maybe enough to build in a back door way to login.

So then what, a new login every hour? 10 minutes? What is good enough to balance getting work done vs security.

It's a circular argument that could go on forever really.

 

[JetTester]

Yet another huge company gets hacked and loses customer data. Is there no accountability anywhere now?

 

[nouveau_redneck]

Im not saying they shouldnt be responsible, but what MORE can you reasonably do when there is a human aspect involved? Sure you can make a new login every day, etc etc etc. But then how efficient is that.

And phishing or something like that would not change the end result of getting in for at least some amount of time; maybe enough to build in a back door way to login.

So then what, a new login every hour? 10 minutes? What is good enough to balance getting work done vs security.

It's a circular argument that could go on forever really.

What I meant by single usage account, is an account with privileged access to perform actions that affect business such as access customer email data or other responsibilities on servers or business applications. These activities are typically of a limited scope.

A separate account/machine for day to day stuff like internal email, internet, group chat, calendar, etc. This account/machine does not have access to the business critical duties.

 

[justperry]

Intel communities would never allow that to happen.

The EU/some countries might be closer than you think, and internet 2.0 will come.

 

[macduke]

Good thing nobody uses Outlook.com for anything serious, lol.

 

[Rigby]

These breeches are typically not about finding users to blackmail. These are typically done to gain access to ones credentials or learn about users for informed phishing attempts.

The linked Motherboard article mentions that some of the hacked accounts were used to reset iCloud passwords (presumably the affected iCloud accounts were using outlook.com addresses as rescue email addresses) ...

 

[canadianreader]

Gotta love these wakeup calls

 

[Mr. Heckles]

Good thing nobody uses Outlook.com for anything serious, lol.

I like outlook.com WAY more than gmail. Just because you don't, so that means no one uses outlook.com

 

[macduke]

I like outlook.com WAY more than gmail. Just because you don't, so that means no one uses outlook.com

It was a joke about how few people use it. BTW I don't use Gmail.

 

[NachoGrande]

It was a joke about how few people use it. BTW I don't use Gmail.

thousands of companies use it. Including the company I work for with 25,000 users. but yeah few people use it.

 

[Solomani]

I've used Hotmail (personal use), and also am forced to use Outlook Email (for work). Anyone know a good lawyer? Microsoft has a ton of money.

 

[elvisimprsntr]

Since when has M$ ever been known for quality software and robust security that this is a surprise to anyone?

 

[Rigby]

Since when has M$ ever been known for quality software and robust security that this is a surprise to anyone?

Actually Microsoft's newer cloud services, particularly Office 365 (which is used by many large corporations and government agencies), have a good track record and have undergone extensive audits. The consumer Outlook.com service has been migrated to the same software platform a couple of years ago, so you'd expect a similar level of security. But according to the Motherboard article it seems they apply laxer administrative policies to the consumer accounts (granting access to a wider circle of support personnel), which is why enterprise accounts weren't affected. Hopefully they'll rethink that.

 

[C DM]

Yet another huge company gets hacked and loses customer data. Is there no accountability anywhere now?

Was there something mentioned about there being no accountability?
[doublepost=1555381530][/doublepost]

Since when has M$ ever been known for quality software and robust security that this is a surprise to anyone?

Seems like the issue is somewhat different in this case, going by actual details of what was involved. (And that's not to say that even the most robust secure companies can run into a security issue of one kind or another at some point.)

 

[pweicks]

If I started receiving a ton more spam on my outlook as of a couple months ago, does that mean I’m affected by this?