PSA: Microsoft Outlook Breach Worse Than Expected, Hackers Could Read Emails of 6% of Affected Users

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,664
10,093



Microsoft has revealed that the credentials of one of its support agents were compromised, enabling unauthorized parties to access information from a "limited subset" of users, including e-mail addresses, folder names, subject lines, and the names of recent recipients, between January 1 and March 28 of 2019.


It gets worse, unfortunately. In a statement issued to The Verge, Microsoft said that the unauthorized parties had access to the actual content of roughly six percent of affected email accounts, as exposed by Motherboard.

In an email to affected users shared by TechCrunch, Microsoft said it has now blocked this unauthorized access, disabled the passwords of compromised accounts, and increased detection and monitoring to further protect users. Microsoft recommends users change their passwords out of an abundance of caution.

The breach affected a "limited subset" of Microsoft-managed email accounts, including Outlook, MSN, and Hotmail email addresses. No enterprise customers are believed to be affected, according to TechCrunch.

Microsoft told affected users that it has no indication why the information was viewed or how it may have been used. The company has yet to reveal how it discovered the breach, how the support agent's credentials were compromised, or if the agent was a Microsoft employee, according to TechCrunch.


ArtOfWarfare

macrumors G3
Nov 26, 2007
8,696
4,304
And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.
 

GeoStructural

macrumors 6502
Oct 8, 2016
367
1,064
Colombia
I am pretty sure I am one of the affected users. I could see weird stuff last month with my email; I even received a notification of an app permission granted, something I don’t even use.
And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.
I get your point but it is not just about that. Your work, research, sales, etc. may rely on email and you don’t want unauthorized access to it.
 

jk1211

macrumors 6502a
Sep 13, 2018
748
1,872
I am pretty sure I am one of the affected users. I could see weird stuff last month with my email; I even received a notification of an app permission granted, something I don’t even use.
Because missing from the story per other news outlets is that the hacker hacked the MS EMPLOYEE, a help agent or something like that, who would have access to review email issues. I guess a support agent type thing? (they aren't specific regarding their position) Since only limited data was viewed and not the full email content.

So it wouldn't have looked like anything was wrong.

To be fair no mail servers were hacked here or anything, the employee was. Or just straight careless with their login, we don't know that part; that is why I'm not quite ready to hang Microsoft for this.
 

nouveau_redneck

macrumors 6502a
Sep 16, 2017
551
867
And this is why I always say - never write anything down that you wouldn't want everyone to know. I'm sure the hackers will sell the email content to someone who will blackmail the victims.
These breaches are typically not about finding users to blackmail. These are typically done to gain access to one's credentials or learn about users for informed phishing attempts.
 

justperry

macrumors G4
Aug 10, 2007
10,603
6,095
I'm a rolling stone.
It's high time for companies to be held accountable for breaches in a severe monetary fashion.

The only way they are going to get better at security, or take security seriously, is if it affects their bottom line in a big way if they don't.
That won't be sufficient, an "internet reboot" 2.0 would be much better.

For instance, your private information stays on your device, end to end full encryption mandatory for the whole internet.
Keys are in your possession, not anywhere else.
Standard opt-out for everything.
 

jk1211

macrumors 6502a
Sep 13, 2018
748
1,872
It's high time for companies to be held accountable for breaches in a severe monetary fashion.

The only way they are going to get better at security, or take security seriously, is if it affects their bottom line in a big way if they don't.
Except this was a support agent employee's credentials that were hacked and used to get in, so how do you fine a company or hold them responsible for what someone was loose with potentially out of the work environment? Other than fire the person what more can the company do? There is always that human aspect that is the weak link.

It's hard to say what more they could have done here without facts; did the employee have it written on a sticky note and lost it, being completely negligent? We simply don't have the facts.
 

nouveau_redneck

macrumors 6502a
Sep 16, 2017
551
867
So some tech's account was "hacked". Does that mean unsafe use of a computer and picking up malware? Does it mean weak password or not changing passwords frequently? Or some other stupid usage.

From my experience the weakest security link in corporate environments is typically ill-informed users or just plain stupid people. Anyone with privileged access should be locked down and audited, single purpose accounts, etc.
That won't be sufficient, an "internet reboot" 2.0 would be much better.

For instance, your private information stays on your device, end to end full encryption mandatory for the whole internet.
Keys are in your possession, not anywhere else.
Standard opt-out for everything.
Intel communities would never allow that to happen.
Except this was a support agent employee's credentials that were hacked and used to get in, so how do you fine a company or hold them responsible for what someone was loose with potentially out of the work environment? Other than fire the person what more can the company do? There is always that human aspect that is the weak link.

It's hard to say what more they could have done here without facts; did the employee have it written on a sticky note and lost it, being completely negligent? We simply don't have the facts.
Yes, agreed it is usually stupid employees. There is much that can be done to make such people less harmful. See my above post. And yes, the companies need to take responsibility for employees.
 

jk1211

macrumors 6502a
Sep 13, 2018
748
1,872
So some tech's account was "hacked". Does that mean unsafe use of a computer and picking up malware? Does it mean weak password or not changing passwords frequently? Or some other stupid usage.

From my experience the weakest security link in corporate environments is typically ill-informed users or just plain stupid people. Anyone with privileged access should be locked down and audited, single purpose accounts, etc.

Intel communities would never allow that to happen.

Yes, agreed it is usually stupid employees. There is much that can be done to make such people less harmful. See my above post. And yes, the companies need to take responsibility for employees.
I'm not saying they shouldn't be responsible, but what MORE can you reasonably do when there is a human aspect involved? Sure you can make a new login every day, etc etc etc. But then how efficient is that?

And phishing or something like that would not change the end result of getting in for at least some amount of time; maybe enough to build in a back door way to login.

So then what, a new login every hour? 10 minutes? What is good enough to balance getting work done vs security?

It's a circular argument that could go on forever really.
 

nouveau_redneck

macrumors 6502a
Sep 16, 2017
551
867
I'm not saying they shouldn't be responsible, but what MORE can you reasonably do when there is a human aspect involved? Sure you can make a new login every day, etc etc etc. But then how efficient is that?

And phishing or something like that would not change the end result of getting in for at least some amount of time; maybe enough to build in a back door way to login.

So then what, a new login every hour? 10 minutes? What is good enough to balance getting work done vs security?

It's a circular argument that could go on forever really.
What I meant by single usage account is an account with privileged access to perform actions that affect business, such as access customer email data or other responsibilities on servers or business applications. These activities are typically of a limited scope.

A separate account/machine for day to day stuff like internal email, internet, group chat, calendar, etc. This account/machine does not have access to the business critical duties.
 

Rigby

macrumors 603
Aug 5, 2008
5,140
4,883
San Jose, CA
These breaches are typically not about finding users to blackmail. These are typically done to gain access to one's credentials or learn about users for informed phishing attempts.
The linked Motherboard article mentions that some of the hacked accounts were used to reset iCloud passwords (presumably the affected iCloud accounts were using outlook.com addresses as rescue email addresses) ...
 

Solomani

macrumors 68040
Sep 25, 2012
3,904
7,497
Alberto, Canado
I've used Hotmail (personal use), and also am forced to use Outlook Email (for work). Anyone know a good lawyer? Microsoft has a ton of money.
 

Rigby

macrumors 603
Aug 5, 2008
5,140
4,883
San Jose, CA
Since when has M$ ever been known for quality software and robust security that this is a surprise to anyone?
Actually Microsoft's newer cloud services, particularly Office 365 (which is used by many large corporations and government agencies), have a good track record and have undergone extensive audits. The consumer Outlook.com service has been migrated to the same software platform a couple of years ago, so you'd expect a similar level of security. But according to the Motherboard article it seems they apply laxer administrative policies to the consumer accounts (granting access to a wider circle of support personnel), which is why enterprise accounts weren't affected. Hopefully they'll rethink that.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
48,423
17,079
Yet another huge company gets hacked and loses customer data. Is there no accountability anywhere now?
Was there something mentioned about there being no accountability?
Since when has M$ ever been known for quality software and robust security that this is a surprise to anyone?
Seems like the issue is somewhat different in this case, going by actual details of what was involved. (And that's not to say that even the most robust secure companies can run into a security issue of one kind or another at some point.)
 

pweicks

macrumors regular
Dec 23, 2016
247
501
USA
If I started receiving a ton more spam on my outlook as of a couple months ago, does that mean I’m affected by this?
 