Malicious Hackers Abuse Microsoft Support to Access Email Accounts
Malicious hackers compromised a Microsoft support agent’s credentials to access multiple customer email accounts on the company’s web mail service, including Outlook, MSN, and Hotmail accounts. Some media accounts of the breach assert that the hackers had access to emails for six months prior to discovery. Microsoft pushed back on that claim, saying the hackers had access for only three months.
Exactly how much access the hackers had quickly became an expanding concern.
“Over the weekend, Microsoft confirmed that some email users were targeted by hackers. Though the company originally reported that the hacker or hackers were only able to access subject lines and who users had communicated with, it later confirmed that, for some users, the content of emails was also visible,” said Monique Becenti, product and channel specialist at SiteLock.
While some affected users were notified of the breach late Friday, notifications are presumably continuing, since Microsoft found that the number of affected users is larger than the company initially thought.
“Microsoft is now claiming that only 6% of those impacted have to worry about the content of their emails being read by hackers, but still haven’t divulged the total number affected, so this statistic is meaningless at best,” said Sean McGrath, data privacy expert at BestVPN.com. “Using language like ‘a limited subset of consumer accounts’ without providing concrete figures only serves to further muddy the already murky waters.”
Microsoft has yet to confirm the total number of affected accounts, but the security fallout is likely to extend beyond the breach itself, since successful hackers are wont to press their advantage.
“The hackers’ access to these emails means they could impersonate Microsoft and send its customers phishing schemes in an attempt to collect sensitive information, like passwords, account logins and even credit card data. This calls into question how Microsoft should handle reporting the severity of attacks, especially to the consumers that had their personal data compromised in this incident,” says Becenti.